Doc 1500 ephemeral auth #1210
Conversation
✅ Deploy Preview for redpanda-docs-preview ready!
📝 Walkthrough

The documentation updates introduce explicit warnings and configuration instructions regarding a breaking change in Redpanda 25.2: ephemeral SCRAM credentials for the HTTP Proxy have been removed. The changes clarify that, starting in version 25.2, if HTTP Proxy API listeners use

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant HTTP_Proxy
    participant Kafka_API
    User->>HTTP_Proxy: Sends request
    HTTP_Proxy->>Kafka_API: Connects using SASL credentials (if configured)
    alt SASL credentials configured
        Kafka_API-->>HTTP_Proxy: Authenticated connection established
        HTTP_Proxy-->>User: Responds with data
    else No SASL credentials
        Kafka_API-->>HTTP_Proxy: Connection fails (unauthenticated)
        HTTP_Proxy-->>User: Error response
    end
```
This should be noted in the What's New.

@coderabbitai review
Actionable comments posted: 0

🧹 Nitpick comments (1)

modules/get-started/pages/release-notes/redpanda.adoc (1)

32-33: Prefer "Redpanda" over "Redpanda Data" for brand consistency. Other parts of the docs use the shorter form ("Redpanda customer support" above). Staying consistent avoids confusing readers.

```diff
-Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API.
+Redpanda recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API.
```
📒 Files selected for processing (3)

- modules/get-started/pages/release-notes/redpanda.adoc (1 hunks)
- modules/manage/partials/authentication.adoc (3 hunks)
- modules/upgrade/partials/incompat-changes.adoc (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

- modules/upgrade/partials/incompat-changes.adoc
- modules/manage/partials/authentication.adoc
🔇 Additional comments (1)

modules/get-started/pages/release-notes/redpanda.adoc (1)

36-40: Anchors verified: no broken links detected. All three anchors (`scram_username`, `scram_password`, `sasl_mechanism`) are present in `modules/reference/pages/properties/broker-properties.adoc` and match the xref targets in `modules/get-started/pages/release-notes/redpanda.adoc`. No further changes needed.
@coderabbitai your suggestion is wrong. Redpanda Data stands for the company name, while Redpanda is the product name.
@paulohtb6, thank you for the correction! I appreciate you clarifying the distinction between the company name and product name. I'll make sure to use the correct terminology going forward. 🐰💡
LGTM, the only thing I would say is to remove the additions about pandaproxy.
Nice job--let me know if you need me to approve. I know you were awaiting reviews from Michele and Jake.
Co-authored-by: Joyce Fee <[email protected]>
Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. For the Kafka username and password, Redpanda uses ephemeral credentials internal to the cluster. Ephemeral credentials are regular SCRAM credentials, but they're only stored in memory and are lost when a broker restarts. When the Schema Registry or HTTP Proxy start up, they broadcast an ephemeral credential to other brokers over the internal RPC. If authentication fails to a particular broker, new ephemeral credentials are sent to that broker, and the service reconnects.
[IMPORTANT]
I am checking this part with the Kubernetes team to see what we currently do.
Either way, we'll need to update the paragraph before this section because we will no longer be using ephemeral credentials.
cc @chrisseto
oooooooooh, dear. This is probably going to break some things... AFAIK we set authentication_method: none by default. We really don't like to generate passwords on behalf of users as it causes a lot of trouble.
We should really be enabling auth on pandaproxy and kafka API together. The fact that most people don't use pandaproxy and just leave it alone probably means there are a bunch of clusters that have root access to their cluster exposed via pandaproxy.
> break some things...
Yeah, but it's for better security and TBH I really suspect very few people actually use the HTTP proxy for anything.
> We really don't like to generate passwords on behalf of users as it causes a lot of trouble.
TBH the right fix is not to generate passwords IMO, but to enable auth for HTTP proxy.
====
*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy attempts unauthenticated connections.
Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API.
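A `redpanda.yaml` excerpt for the post-25.2 behaviour described above, as an added example that is not part of the docs change under review: the Kafka API requires SASL, the HTTP Proxy listener authenticates its callers, and the proxy's own Kafka client carries the explicit `scram_username`, `scram_password` and `sasl_mechanism` properties the release note points to. Addresses, ports and the user name are constructed placeholders.

```yaml
# redpanda.yaml (excerpt). Constructed example; hostnames, ports and the
# proxy user are placeholders, not values taken from the docs change.
redpanda:
  kafka_api:
    - address: 0.0.0.0
      port: 9092
      # The Kafka API requires SASL. Before 25.2 the proxy satisfied this
      # with an in-memory ephemeral SCRAM user; from 25.2 it must present
      # the credentials configured under pandaproxy_client below, otherwise
      # its connection attempts are unauthenticated and rejected here.
      authentication_method: sasl

pandaproxy:
  pandaproxy_api:
    - address: 0.0.0.0
      port: 8082
      # Weak setting to avoid: `authentication_method: none` leaves the
      # proxy reachable anonymously, so every HTTP caller acts with the
      # rights of the shared client credentials below. With http_basic the
      # proxy requires callers to present their own SCRAM credentials.
      authentication_method: http_basic

pandaproxy_client:
  brokers:
    - address: 127.0.0.1
      port: 9092
  # Explicit SASL credentials the proxy presents to the Kafka API on its
  # own behalf (and for every caller if the listener above were `none`).
  # Create this user first with `rpk security user create`, and grant it
  # only the ACLs the proxy's workloads need.
  sasl_mechanism: SCRAM-SHA-256
  scram_username: pandaproxy-internal          # placeholder
  scram_password: <replace-with-generated-secret>  # placeholder
```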
We seem to have different versions of the same information scattered across all these updates. The one in modules/upgrade/partials/incompat-changes.adoc seems the most complete. Could we single-source that one into the required locations?
Also make sure that this block links to the What's New for details on the change/previous behavior.
Co-authored-by: Paulo Borges <[email protected]>
Co-authored-by: Joyce Fee <[email protected]>
Description
Resolves https://redpandadata.atlassian.net/browse/DOC-1500
Review deadline: July 18th