From 2a3ca40278325dd342ff1bcb4e95438548917320 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Tue, 15 Jul 2025 16:36:07 -0300 Subject: [PATCH 01/13] docs: update ephemeral credentials usage in 25.2 --- modules/manage/partials/authentication.adoc | 31 +++++++++++++++++-- .../pages/properties/broker-properties.adoc | 14 +++++++-- .../upgrade/partials/incompat-changes.adoc | 2 ++ 3 files changed, 42 insertions(+), 5 deletions(-) diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index 7c7f6be15..c68347fa5 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc 
@@ -657,10 +657,17 @@ endif::[] Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. For the Kafka username and password, Redpanda uses ephemeral credentials internal to the cluster. Ephemeral credentials are regular SCRAM credentials, but they're only stored in memory and are lost when a broker restarts. When the Schema Registry or HTTP Proxy start up, they broadcast an ephemeral credential to other brokers over the internal RPC. If authentication fails to a particular broker, new ephemeral credentials are sent to that broker, and the service reconnects. +[IMPORTANT] +==== +*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will fail to connect to the Kafka API. + +This change does not affect Schema Registry, which continues to use ephemeral credentials. +==== + Schema Registry and HTTP Proxy support only the SASL/SCRAM mechanism. ifndef::env-kubernetes[] -You can override the ephemeral credentials and manually configure Schema Registry and HTTP Proxy to connect to Redpanda with SASL. This approach is particularly useful when you want to apply specific access control through ACLs for the Schema Registry and HTTP Proxy users. +Starting in Redpanda 25.2, you must manually configure HTTP Proxy to connect to Redpanda with SASL when HTTP Proxy API listeners use `authentication_method: none`. For Schema Registry, you can override the ephemeral credentials and manually configure Schema Registry to connect to Redpanda with SASL. This approach is particularly useful when you want to apply specific access control through ACLs for the Schema Registry and HTTP Proxy users. . 
xref:manage:security/authorization/index.adoc[Create appropriate ACLs] for the Schema Registry and HTTP Proxy users to define and restrict their access rights within the Redpanda cluster. @@ -698,7 +705,22 @@ schema_registry_client: sasl_mechanism: SCRAM-SHA-256 ---- + -For HTTP Proxy: +For HTTP Proxy (required when `authentication_method: none` starting in Redpanda 25.2): ++ +[,yaml] +---- +pandaproxy_client: + brokers: + - address: 127.0.0.1 + port: 9092 + scram_username: + scram_password: + sasl_mechanism: SCRAM-SHA-256 +---- ++ +When HTTP Proxy API listeners use `authentication_method: none`, the HTTP Proxy client uses these credentials to authenticate with the Kafka API. The user specified in `scram_username` must have appropriate permissions to access the required Kafka resources. ++ +If TLS is enabled for the Kafka API, additional configuration is required: + [,yaml] ---- @@ -1757,6 +1779,11 @@ For all available endpoints, see xref:api:ROOT:pandaproxy-schema-registry.adoc[] To disable authentication for a listener, set `authentication_method` to `none`: +[IMPORTANT] +==== +*Breaking change in Redpanda 25.2:* When HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Configure the `pandaproxy_client` properties: `scram_username`, `scram_password`, and `sasl_mechanism`. For more information, see xref:reference:properties/broker-properties.adoc#scram_username[HTTP Proxy Client properties]. +==== + ifdef::env-kubernetes[] [tabs] ====== diff --git a/modules/reference/pages/properties/broker-properties.adoc b/modules/reference/pages/properties/broker-properties.adoc index 9a64c1c10..727049967 100644 --- a/modules/reference/pages/properties/broker-properties.adoc +++ b/modules/reference/pages/properties/broker-properties.adoc 
@@ -778,7 +778,11 @@ Delay (in milliseconds) for initial retry backoff. === sasl_mechanism -The SASL mechanism to use when connecting. +The SASL mechanism to use when the HTTP Proxy client connects to the Kafka API. These credentials are used when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API. + +Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy listeners use `authentication_method: none`, you must configure these SASL properties for HTTP Proxy to authenticate with the Kafka API. + +For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. *Visibility:* `user` @@ -790,7 +794,9 @@ The SASL mechanism to use when connecting. === scram_password -Password to use for SCRAM authentication mechanisms. +Password to use for SCRAM authentication mechanisms when the HTTP Proxy client connects to the Kafka API. This property is required when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API. + +Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. You must configure this property if your HTTP Proxy listeners use `authentication_method: none`. *Visibility:* `user` @@ -802,7 +808,9 @@ Password to use for SCRAM authentication mechanisms. === scram_username -Username to use for SCRAM authentication mechanisms. +Username to use for SCRAM authentication mechanisms when the HTTP Proxy client connects to the Kafka API. This property is required when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API. + +Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. You must configure this property if your HTTP Proxy listeners use `authentication_method: none`. *Visibility:* `user` 
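Review bot: the new `scram_username` description, like the `scram_password` one just above it, ends at "You must configure this property if your HTTP Proxy listeners use `authentication_method: none`" and gives no pointer to the procedure, while the `sasl_mechanism` hunk adds "For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[...]". Add the same xref under both SCRAM properties so a reader who lands on either anchor can reach the `pandaproxy_client` YAML example. In the `sasl_mechanism` paragraph, "These credentials are used when ..." should read "This mechanism is used when ...", since the property is a mechanism and not a credential.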
diff --git a/modules/upgrade/partials/incompat-changes.adoc b/modules/upgrade/partials/incompat-changes.adoc index f28d230a1..de6d36e7c 100644 --- a/modules/upgrade/partials/incompat-changes.adoc +++ b/modules/upgrade/partials/incompat-changes.adoc @@ -1,5 +1,7 @@ === Review incompatible changes +* Starting in version 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will fail to connect to the Kafka API. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. + * Redpanda Console v3.0.0 introduces breaking changes. If you are using Redpanda Console v2.x, xref:migrate:console-v3.adoc[review the migration guide] to address breaking changes before upgrading Redpanda Console. * Starting in version 24.2, when managing configuration properties using the AlterConfigs API directly, Redpanda resets all unspecified values to the default values. This aligns more closely with the behavior in Apache Kafka. There is no change if you're managing your configuration with tools like `rpk`, Redpanda Console, Kubernetes, Helm, or Terraform. From 0eb3704957029c600c337454b0eef2431b1c50ba Mon Sep 17 00:00:00 2001 
From: Paulo Borges Date: Tue, 15 Jul 2025 17:11:24 -0300 Subject: [PATCH 02/13] update with guidance to activate security --- .../pages/release-notes/redpanda.adoc | 23 +++++++++++++++++++ modules/manage/partials/authentication.adoc | 6 +++-- .../upgrade/partials/incompat-changes.adoc | 2 +- 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index c4c26c14e..a23a975bd 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc 
@@ -18,6 +18,29 @@ The Redpanda Admin API now includes new health probes to help you ensure safe br * xref:manage:cluster-maintenance/rolling-restart.adoc[] * xref:upgrade:rolling-upgrade.adoc[] +== HTTP Proxy authentication changes + +[IMPORTANT] +==== +**Breaking change**: Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. +==== + +HTTP Proxy previously used automatically generated ephemeral credentials to authenticate with the Kafka API when the HTTP Proxy listeners had `authentication_method: none`. These ephemeral credentials are now removed to improve security and simplify the authentication model. + +Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. + +Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API. + +**Action required**: Configure the following HTTP Proxy client properties in your `redpanda.yaml` configuration: + +- xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`]: Username for SASL/SCRAM authentication +- xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`]: Password for SASL/SCRAM authentication +- xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]: SASL mechanism (typically `SCRAM-SHA-256` or `SCRAM-SHA-512`) + +For detailed configuration instructions, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. + +**Note**: This change does not affect Schema Registry, which continues to use ephemeral credentials. + == Redpanda Console v3.0.0 The Redpanda Console v3.0.0 release includes the following updates: 
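Review bot: the admonition at the top of the new section says you "must configure explicit SASL credentials", but the body says only that without them "HTTP Proxy attempts unauthenticated connections to the Kafka API", so a reader cannot tell what an upgrade without credentials actually does. Say explicitly what happens when the Kafka API requires authentication (the first patch in this series stated that HTTP Proxy "will fail to connect") and what happens when it does not, so operators can tell whether skipping this step means an outage or a proxy that runs as an unauthenticated client. As a style point, this file uses `**Breaking change**`, `**Action required**` and `**Note**` with doubled asterisks, while `authentication.adoc` writes `*Breaking change in Redpanda 25.2:*`; pick one form.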
diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index c68347fa5..9c567b7e1 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc @@ -659,7 +659,9 @@ Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. For the K [IMPORTANT] ==== -*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will fail to connect to the Kafka API. +*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy attempts unauthenticated connections. + +Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API. This change does not affect Schema Registry, which continues to use ephemeral credentials. ==== 
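Review bot: the admonition changed here now contradicts the paragraph directly above it in the same section, which is untouched by this patch and appears as context in the first patch of the series: "When the Schema Registry or HTTP Proxy start up, they broadcast an ephemeral credential to other brokers over the internal RPC." With ephemeral credentials removed for HTTP Proxy in 25.2, that paragraph should be limited to Schema Registry or rewritten in the same change. The new sentence "Without these credentials, HTTP Proxy attempts unauthenticated connections." also drops the "to the Kafka API" that every other copy of this notice carries.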
@@ -1781,7 +1783,7 @@ To disable authentication for a listener, set `authentication_method` to `none`: [IMPORTANT] ==== -*Breaking change in Redpanda 25.2:* When HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Configure the `pandaproxy_client` properties: `scram_username`, `scram_password`, and `sasl_mechanism`. For more information, see xref:reference:properties/broker-properties.adoc#scram_username[HTTP Proxy Client properties]. +*Breaking change in Redpanda 25.2:* When HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Configure the `pandaproxy_client` properties: `scram_username`, `scram_password`, and `sasl_mechanism`. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends configuring authentication for HTTP Proxy. For more information, see xref:reference:properties/broker-properties.adoc#scram_username[HTTP Proxy Client properties]. ==== ifdef::env-kubernetes[] diff --git a/modules/upgrade/partials/incompat-changes.adoc b/modules/upgrade/partials/incompat-changes.adoc index de6d36e7c..dcdd41ea4 100644 --- a/modules/upgrade/partials/incompat-changes.adoc +++ b/modules/upgrade/partials/incompat-changes.adoc 
@@ -1,6 +1,6 @@ === Review incompatible changes -* Starting in version 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will fail to connect to the Kafka API. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. +* Starting in version 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends configuring authentication for HTTP Proxy. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. * Redpanda Console v3.0.0 introduces breaking changes. If you are using Redpanda Console v2.x, xref:migrate:console-v3.adoc[review the migration guide] to address breaking changes before upgrading Redpanda Console. From f9a78834d9a7f6dea0d0b3f6fc3d97d0b1585ede Mon Sep 17 00:00:00 2001 
From: Paulo Borges Date: Tue, 15 Jul 2025 17:53:17 -0300 Subject: [PATCH 03/13] remove note about ephemeral creds in SR --- modules/get-started/pages/release-notes/redpanda.adoc | 2 -- modules/manage/partials/authentication.adoc | 1 - 2 files changed, 3 deletions(-) diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index a23a975bd..e73dc4955 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc @@ -39,8 +39,6 @@ Redpanda Data recommends configuring authentication for HTTP Proxy to ensure sec For detailed configuration instructions, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. -**Note**: This change does not affect Schema Registry, which continues to use ephemeral credentials. - == Redpanda Console v3.0.0 The Redpanda Console v3.0.0 release includes the following updates: diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index 9c567b7e1..e3294f014 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc @@ -663,7 +663,6 @@ Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. For the K Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API. -This change does not affect Schema Registry, which continues to use ephemeral credentials. ==== Schema Registry and HTTP Proxy support only the SASL/SCRAM mechanism. From c198f6a72a71248098b1a1493e60caffa36625e4 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Tue, 15 Jul 2025 17:53:27 -0300 Subject: [PATCH 04/13] address review comment --- modules/get-started/pages/release-notes/redpanda.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index e73dc4955..141d1c865 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc @@ -31,7 +31,7 @@ Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticate Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API. -**Action required**: Configure the following HTTP Proxy client properties in your `redpanda.yaml` configuration: +If you need to maintain the current HTTP Proxy functionality while transitioning to authenticated clients, configure the following HTTP Proxy client properties in your `redpanda.yaml` configuration: - xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`]: Username for SASL/SCRAM authentication - xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`]: Password for SASL/SCRAM authentication From 2e0d279ad874d054cfb89ce988a9e6644f8be8fd Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Wed, 16 Jul 2025 14:41:30 -0300 Subject: [PATCH 05/13] Update modules/get-started/pages/release-notes/redpanda.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/get-started/pages/release-notes/redpanda.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index 141d1c865..73178cde6 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc 
@@ -25,7 +25,7 @@ The Redpanda Admin API now includes new health probes to help you ensure safe br **Breaking change**: Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. ==== -HTTP Proxy previously used automatically generated ephemeral credentials to authenticate with the Kafka API when the HTTP Proxy listeners had `authentication_method: none`. These ephemeral credentials are now removed to improve security and simplify the authentication model. +HTTP Proxy previously used automatically-generated ephemeral credentials to authenticate with the Kafka API when the HTTP Proxy listeners specified `authentication_method: none`. To improve security and simplify the authentication model, ephemeral credentials are no longer available. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. From f3cfe14e4d4d25b94e0b150fe7a7076952edfd17 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Wed, 16 Jul 2025 15:21:54 -0300 Subject: [PATCH 06/13] Update modules/get-started/pages/release-notes/redpanda.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/get-started/pages/release-notes/redpanda.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index 73178cde6..8bf4c6c8b 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc 
@@ -27,9 +27,9 @@ The Redpanda Admin API now includes new health probes to help you ensure safe br HTTP Proxy previously used automatically-generated ephemeral credentials to authenticate with the Kafka API when the HTTP Proxy listeners specified `authentication_method: none`. To improve security and simplify the authentication model, ephemeral credentials are no longer available. -Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. +Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. + -Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API. If you need to maintain the current HTTP Proxy functionality while transitioning to authenticated clients, configure the following HTTP Proxy client properties in your `redpanda.yaml` configuration: From 31edeb2e3c09cd9719cbd3b4d38f5879c4a26ee0 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Wed, 16 Jul 2025 15:28:53 -0300 Subject: [PATCH 07/13] adjust recommendation --- modules/get-started/pages/release-notes/redpanda.adoc | 4 +--- modules/manage/partials/authentication.adoc | 4 ++-- modules/upgrade/partials/incompat-changes.adoc | 2 +- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index 8bf4c6c8b..fae17b48f 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc 
@@ -27,9 +27,7 @@ The Redpanda Admin API now includes new health probes to help you ensure safe br HTTP Proxy previously used automatically-generated ephemeral credentials to authenticate with the Kafka API when the HTTP Proxy listeners specified `authentication_method: none`. To improve security and simplify the authentication model, ephemeral credentials are no longer available. -Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. - - +Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. If you need to maintain the current HTTP Proxy functionality while transitioning to authenticated clients, configure the following HTTP Proxy client properties in your `redpanda.yaml` configuration: diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index e3294f014..c106c98c5 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc 
@@ -661,7 +661,7 @@ Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. For the K ==== *Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy attempts unauthenticated connections. -Redpanda Data recommends configuring authentication for HTTP Proxy to ensure secure communication with the Kafka API. +Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. ==== 
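Review bot: the added line repeats the sentence it follows. The unchanged line above it already ends with "Without these credentials, HTTP Proxy attempts unauthenticated connections.", and the new paragraph appends "Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API." Keep only the recommendation ("Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API.") in the added line. The same duplication is introduced by this patch in the `@@ -1782` hunk of this file and in `incompat-changes.adoc`. The blank line left before the closing `====` can go as well.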
@@ -1782,7 +1782,7 @@ To disable authentication for a listener, set `authentication_method` to `none`: [IMPORTANT] ==== -*Breaking change in Redpanda 25.2:* When HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Configure the `pandaproxy_client` properties: `scram_username`, `scram_password`, and `sasl_mechanism`. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends configuring authentication for HTTP Proxy. For more information, see xref:reference:properties/broker-properties.adoc#scram_username[HTTP Proxy Client properties]. +*Breaking change in Redpanda 25.2:* When HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Configure the `pandaproxy_client` properties: `scram_username`, `scram_password`, and `sasl_mechanism`. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. For more information, see xref:reference:properties/broker-properties.adoc#scram_username[HTTP Proxy Client properties]. ==== ifdef::env-kubernetes[] diff --git a/modules/upgrade/partials/incompat-changes.adoc b/modules/upgrade/partials/incompat-changes.adoc index dcdd41ea4..e4f38bd24 100644 --- a/modules/upgrade/partials/incompat-changes.adoc +++ b/modules/upgrade/partials/incompat-changes.adoc 
@@ -1,6 +1,6 @@ === Review incompatible changes -* Starting in version 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends configuring authentication for HTTP Proxy. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. +* Starting in version 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. * Redpanda Console v3.0.0 introduces breaking changes. 
If you are using Redpanda Console v2.x, xref:migrate:console-v3.adoc[review the migration guide] to address breaking changes before upgrading Redpanda Console. From e5a07f1ec8476d94a54efac6d4ae02453bc5485d Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Thu, 17 Jul 2025 18:11:58 -0300 Subject: [PATCH 08/13] review comments --- modules/get-started/pages/release-notes/redpanda.adoc | 6 +----- modules/manage/partials/authentication.adoc | 11 ++++------- .../reference/pages/properties/broker-properties.adoc | 2 +- ...y-ephemeral-credentials-breaking-change-short.adoc | 1 + ...p-proxy-ephemeral-credentials-breaking-change.adoc | 1 + modules/upgrade/partials/incompat-changes.adoc | 2 +- 6 files changed, 9 insertions(+), 14 deletions(-) create mode 100644 modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change-short.adoc create mode 100644 modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index fae17b48f..0ae96cf38 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc 
@@ -22,21 +22,17 @@ The Redpanda Admin API now includes new health probes to help you ensure safe br [IMPORTANT] ==== -**Breaking change**: Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. +include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] ==== HTTP Proxy previously used automatically-generated ephemeral credentials to authenticate with the Kafka API when the HTTP Proxy listeners specified `authentication_method: none`. To improve security and simplify the authentication model, ephemeral credentials are no longer available. -Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. - If you need to maintain the current HTTP Proxy functionality while transitioning to authenticated clients, configure the following HTTP Proxy client properties in your `redpanda.yaml` configuration: - xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`]: Username for SASL/SCRAM authentication - xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`]: Password for SASL/SCRAM authentication - xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]: SASL mechanism (typically `SCRAM-SHA-256` or `SCRAM-SHA-512`) -For detailed configuration instructions, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. - == Redpanda Console v3.0.0 The Redpanda Console v3.0.0 release includes the following updates: diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index c106c98c5..12a8654e3 100644 
--- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc 
@@ -655,20 +655,17 @@ endif::[] [[schema-and-http-to-redpanda]] ===== Configure Schema Registry and HTTP Proxy to connect to Redpanda with SASL -Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. For the Kafka username and password, Redpanda uses ephemeral credentials internal to the cluster. Ephemeral credentials are regular SCRAM credentials, but they're only stored in memory and are lost when a broker restarts. When the Schema Registry or HTTP Proxy start up, they broadcast an ephemeral credential to other brokers over the internal RPC. If authentication fails to a particular broker, new ephemeral credentials are sent to that broker, and the service reconnects. +Schema Registry and HTTP Proxy connect to Redpanda over the Kafka API. [IMPORTANT] ==== -*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy attempts unauthenticated connections. - -Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. - +include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] ==== Schema Registry and HTTP Proxy support only the SASL/SCRAM mechanism. ifndef::env-kubernetes[] -Starting in Redpanda 25.2, you must manually configure HTTP Proxy to connect to Redpanda with SASL when HTTP Proxy API listeners use `authentication_method: none`. For Schema Registry, you can override the ephemeral credentials and manually configure Schema Registry to connect to Redpanda with SASL. This approach is particularly useful when you want to apply specific access control through ACLs for the Schema Registry and HTTP Proxy users. 
+Starting in Redpanda 25.2, you must manually configure HTTP Proxy to connect to Redpanda with SASL when HTTP Proxy API listeners use `authentication_method: none`. You can also manually configure Schema Registry to connect to Redpanda with SASL. This approach is particularly useful when you want to apply specific access control through ACLs for the Schema Registry and HTTP Proxy users. . xref:manage:security/authorization/index.adoc[Create appropriate ACLs] for the Schema Registry and HTTP Proxy users to define and restrict their access rights within the Redpanda cluster. @@ -1782,7 +1779,7 @@ To disable authentication for a listener, set `authentication_method` to `none`: [IMPORTANT] ==== -*Breaking change in Redpanda 25.2:* When HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials for HTTP Proxy to authenticate with the Kafka API. Configure the `pandaproxy_client` properties: `scram_username`, `scram_password`, and `sasl_mechanism`. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. For more information, see xref:reference:properties/broker-properties.adoc#scram_username[HTTP Proxy Client properties]. +include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] ==== ifdef::env-kubernetes[] diff --git a/modules/reference/pages/properties/broker-properties.adoc b/modules/reference/pages/properties/broker-properties.adoc index 727049967..a7b77edf5 100644 --- a/modules/reference/pages/properties/broker-properties.adoc +++ b/modules/reference/pages/properties/broker-properties.adoc 
@@ -780,7 +780,7 @@ Delay (in milliseconds) for initial retry backoff. The SASL mechanism to use when the HTTP Proxy client connects to the Kafka API. These credentials are used when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API. -Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy listeners use `authentication_method: none`, you must configure these SASL properties for HTTP Proxy to authenticate with the Kafka API. +include::shared:partial$http-proxy-ephemeral-credentials-breaking-change-short.adoc[] For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. diff --git a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change-short.adoc b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change-short.adoc new file mode 100644 index 000000000..197baa3d5 --- /dev/null +++ b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change-short.adoc @@ -0,0 +1 @@ +Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy listeners use `authentication_method: none`, you must configure these SASL properties for HTTP Proxy to authenticate with the Kafka API. diff --git a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc new file mode 100644 index 000000000..43635da25 --- /dev/null +++ b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc 
@@ -0,0 +1 @@ +*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. diff --git a/modules/upgrade/partials/incompat-changes.adoc b/modules/upgrade/partials/incompat-changes.adoc index e4f38bd24..902285e2f 100644 --- a/modules/upgrade/partials/incompat-changes.adoc +++ b/modules/upgrade/partials/incompat-changes.adoc 
@@ -1,6 +1,6 @@ === Review incompatible changes -* Starting in version 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. Without explicit SASL credentials configured, HTTP Proxy attempts unauthenticated connections to the Kafka API. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. +* include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] * Redpanda Console v3.0.0 introduces breaking changes. If you are using Redpanda Console v2.x, xref:migrate:console-v3.adoc[review the migration guide] to address breaking changes before upgrading Redpanda Console. From 20927493da7497a80831d45d5d01e7e12a3e2d47 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Thu, 17 Jul 2025 18:19:59 -0300 Subject: [PATCH 09/13] review comments --- .../http-proxy-ephemeral-credentials-breaking-change-short.adoc | 2 +- .../http-proxy-ephemeral-credentials-breaking-change.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change-short.adoc b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change-short.adoc index 197baa3d5..bf031e8d1 100644 --- a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change-short.adoc 
+++ b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change-short.adoc @@ -1 +1 @@ -Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy listeners use `authentication_method: none`, you must configure these SASL properties for HTTP Proxy to authenticate with the Kafka API. +Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. You must configure explicit SASL credentials if your HTTP Proxy listeners use `authentication_method: none`. diff --git a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc index 43635da25..b2c40d6a5 100644 --- a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc +++ b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc 
@@ -1 +1 @@ -*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. +*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. For configuration instructions, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. From 0e400808fa87b7e6231e0c26627318cc79b06a79 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Thu, 17 Jul 2025 19:22:09 -0300 Subject: [PATCH 10/13] fix rolling upgrade --- modules/upgrade/partials/incompat-changes.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/upgrade/partials/incompat-changes.adoc b/modules/upgrade/partials/incompat-changes.adoc index 902285e2f..c92553bd6 100644 --- a/modules/upgrade/partials/incompat-changes.adoc +++ b/modules/upgrade/partials/incompat-changes.adoc @@ -1,6 +1,6 @@ === Review incompatible changes -* include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] +include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] * Redpanda Console v3.0.0 introduces breaking changes. If you are using Redpanda Console v2.x, xref:migrate:console-v3.adoc[review the migration guide] to address breaking changes before upgrading Redpanda Console. From f019a529c8ab655a5aa6179c22f8298df155cc31 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Thu, 17 Jul 2025 19:22:58 -0300 Subject: [PATCH 11/13] split message --- .../http-proxy-ephemeral-credentials-breaking-change.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc index b2c40d6a5..37a12eca1 100644 --- a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc +++ b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc 
@@ -1 +1,5 @@ -*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. For configuration instructions, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. +*Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. + +Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. + +For configuration instructions, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. From fdb8a2cbd3cfc43b2914958e367b6da7f0ca5303 Mon Sep 17 00:00:00 2001 
From: Paulo Borges Date: Thu, 17 Jul 2025 19:39:45 -0300 Subject: [PATCH 12/13] relative links --- modules/get-started/pages/release-notes/redpanda.adoc | 1 + modules/manage/pages/security/authentication.adoc | 1 + ...tp-proxy-ephemeral-credentials-breaking-change.adoc | 10 +++++++++- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index 0ae96cf38..5054a03e5 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc @@ -1,6 +1,7 @@ = What's New in Redpanda :description: Summary of new features and updates in this Redpanda release. :page-aliases: get-started:whats-new-233.adoc, get-started:whats-new-241.adoc, get-started:whats-new.adoc +:page-http-proxy-whats-new: This topic includes new content added in version {page-component-version}. For a complete list of all product updates, see the https://github.com/redpanda-data/redpanda/releases/[Redpanda release notes^]. See also: diff --git a/modules/manage/pages/security/authentication.adoc b/modules/manage/pages/security/authentication.adoc index febab56d9..89c76fdd0 100644 --- a/modules/manage/pages/security/authentication.adoc +++ b/modules/manage/pages/security/authentication.adoc @@ -4,6 +4,7 @@ :page-aliases: security:authentication.adoc :page-toclevels: 3 :page-categories: Management, Security +:page-http-proxy-auth: include::manage:partial$authentication.adoc[] diff --git a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc index 37a12eca1..89a7289f9 100644 --- a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc +++ b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc 
@@ -1,5 +1,13 @@ *Breaking change in Redpanda 25.2:* Ephemeral credentials for HTTP Proxy are removed. If your HTTP Proxy API listeners use `authentication_method: none`, you must configure explicit SASL credentials (xref:reference:properties/broker-properties.adoc#scram_username[`scram_username`], xref:reference:properties/broker-properties.adoc#scram_password[`scram_password`], and xref:reference:properties/broker-properties.adoc#sasl_mechanism[`sasl_mechanism`]) for HTTP Proxy to authenticate with the Kafka API. Without these credentials, HTTP Proxy will attempt unauthenticated connections to the Kafka API. -Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. +Redpanda Data recommends enabling authentication on both HTTP Proxy and the Kafka API. +ifndef::page-http-proxy-auth[] For configuration instructions, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. +endif::[] + +ifdef::page-http-proxy-auth[] +ifndef::page-http-proxy-whats-new[] +For details about this breaking change, see xref:get-started:release-notes/redpanda.adoc#http-proxy-authentication-changes[HTTP Proxy authentication changes]. +endif::[] +endif::[] From cb4a1e7a71799d03a7c0ee9e541fcd83e0f52237 Mon Sep 17 00:00:00 2001 From: Paulo Borges Date: Fri, 18 Jul 2025 09:41:19 -0300 Subject: [PATCH 13/13] adjust key and message --- modules/get-started/pages/release-notes/redpanda.adoc | 2 +- modules/reference/pages/properties/broker-properties.adoc | 8 +++----- .../http-proxy-ephemeral-credentials-breaking-change.adoc | 6 ++---- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index 5054a03e5..b22695bd6 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc 
@@ -1,7 +1,7 @@ = What's New in Redpanda :description: Summary of new features and updates in this Redpanda release. :page-aliases: get-started:whats-new-233.adoc, get-started:whats-new-241.adoc, get-started:whats-new.adoc -:page-http-proxy-whats-new: +:page-whats-new: This topic includes new content added in version {page-component-version}. For a complete list of all product updates, see the https://github.com/redpanda-data/redpanda/releases/[Redpanda release notes^]. See also: diff --git a/modules/reference/pages/properties/broker-properties.adoc b/modules/reference/pages/properties/broker-properties.adoc index a7b77edf5..5a086ff6e 100644 --- a/modules/reference/pages/properties/broker-properties.adoc +++ b/modules/reference/pages/properties/broker-properties.adoc @@ -780,9 +780,7 @@ Delay (in milliseconds) for initial retry backoff. The SASL mechanism to use when the HTTP Proxy client connects to the Kafka API. These credentials are used when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API. -include::shared:partial$http-proxy-ephemeral-credentials-breaking-change-short.adoc[] - -For more information, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. +include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] *Visibility:* `user` 
@@ -796,7 +794,7 @@ For more information, see xref:manage:security/authentication.adoc#schema-and-ht Password to use for SCRAM authentication mechanisms when the HTTP Proxy client connects to the Kafka API. This property is required when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API. -Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. You must configure this property if your HTTP Proxy listeners use `authentication_method: none`. +include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] *Visibility:* `user` @@ -810,7 +808,7 @@ Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. You Username to use for SCRAM authentication mechanisms when the HTTP Proxy client connects to the Kafka API. This property is required when the HTTP Proxy API listener has `authentication_method: none` but the cluster requires authenticated access to the Kafka API. -Starting in Redpanda 25.2, ephemeral credentials for HTTP Proxy are removed. You must configure this property if your HTTP Proxy listeners use `authentication_method: none`. +include::shared:partial$http-proxy-ephemeral-credentials-breaking-change.adoc[] *Visibility:* `user` diff --git a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc index 89a7289f9..f6d3d98f5 100644 --- a/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc +++ b/modules/shared/partials/http-proxy-ephemeral-credentials-breaking-change.adoc 
@@ -6,8 +6,6 @@ ifndef::page-http-proxy-auth[] For configuration instructions, see xref:manage:security/authentication.adoc#schema-and-http-to-redpanda[Configure HTTP Proxy to connect to Redpanda with SASL]. endif::[] -ifdef::page-http-proxy-auth[] -ifndef::page-http-proxy-whats-new[] -For details about this breaking change, see xref:get-started:release-notes/redpanda.adoc#http-proxy-authentication-changes[HTTP Proxy authentication changes]. -endif::[] +ifndef::page-whats-new[] +For details about this breaking change, see xref:get-started:release-notes/redpanda.adoc#http-proxy-authentication-changes[What's new]. endif::[]
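Review bot: In the `@@ -655,20 +655,17 @@` hunk of modules/manage/partials/authentication.adoc, the removed paragraph was the only place that defined ephemeral credentials (SCRAM credentials held in memory and lost when a broker restarts), yet the included partial still opens with "Ephemeral credentials for HTTP Proxy are removed". A reader of this section no longer learns what the term means or whether Schema Registry still relies on it, because the replacement sentence "You can also manually configure Schema Registry to connect to Redpanda with SASL" drops the earlier "override the ephemeral credentials" wording. Suggest keeping a one-sentence definition here and stating explicitly what Schema Registry uses by default in 25.2.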
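Review bot: In the `@@ -1782,7 +1779,7 @@` hunk of modules/manage/partials/authentication.adoc, the removed text told the operator to "Configure the `pandaproxy_client` properties", while the partial that replaces it lists `scram_username`, `scram_password`, and `sasl_mechanism` without saying which configuration section they belong to. Suggest adding the `pandaproxy_client` section name to the shared partial so the admonition is still actionable without following the xrefs. The partial also says HTTP Proxy "will attempt unauthenticated connections to the Kafka API" but not what the operator then observes; a short clause on the resulting behavior would help anyone triaging an upgrade.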
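Review bot: In PATCH 10/13 (modules/upgrade/partials/incompat-changes.adoc), removing the `* ` prefix makes the include resolve, but the 25.2 entry now renders as plain paragraphs ahead of the list while the following "Redpanda Console v3.0.0" entry is still a bullet. Once PATCH 11/13 and 12/13 make the partial multi-paragraph with conditional blocks, the section mixes a free-standing block and a list. If the entry is meant to stay a list item, use a short bullet with a list continuation, for example `* HTTP Proxy authentication:` followed by a `+` line and then the `include::` directive on its own line.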
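Review bot: In the broker-properties.adoc hunks of PATCH 13/13 (`@@ -780,9 +780,7 @@` and `@@ -796,7 +794,7 @@`), the full breaking-change partial is now included under all three properties, so one reference page repeats the same multi-paragraph notice and its links three times. The per-property wording it replaces ("You must configure this property if ...") was shorter and specific to the property being described. In addition, http-proxy-ephemeral-credentials-breaking-change-short.adoc is no longer included by any file in the visible hunks but is not deleted. Suggest either keeping the short partial for the property descriptions or removing the file in this series.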
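Review bot: In the final hunk of http-proxy-ephemeral-credentials-breaking-change.adoc (PATCH 13/13), dropping the outer `ifdef::page-http-proxy-auth[]` means the "For details about this breaking change" line renders on every page that does not set `page-whats-new`, so broker-properties.adoc and incompat-changes.adoc now show both the configuration link and the "What's new" link. Please confirm that is intended. The xref targets `#http-proxy-authentication-changes` in release-notes/redpanda.adoc, but the redpanda.adoc hunks in this series only add a page attribute, so the anchor should be verified before merge. The `ifndef::page-http-proxy-auth[]` guard depends on an attribute set in modules/manage/pages/security/authentication.adoc, so any other page that includes the manage authentication partial needs the same attribute to avoid a self-referencing link. The attribute names are also uneven (`page-whats-new` is generic, `page-http-proxy-auth` is feature-specific), and a comment at the top of the partial documenting both would help future editors.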