[CORE-15278] Add password_set_at field to the ScramCredential proto message (Security Admin API V2)

[nguyen-andrew]

This change extends the internal scram_credential structure and admin API v2 to track when SCRAM passwords were last set. Existing credentials without timestamps are supported and will return the Unix epoch as the password_set_at when queried.

The admin API v2 /v1/security/scram_credentials endpoints now include a read-only password_set_at timestamp field in ScramCredential responses:

• CreateScramCredential - returns credential with password_set_at set to creation time
• UpdateScramCredential - returns credential with password_set_at updated to modification time
• GetScramCredential - returns credential with password_set_at (or the Unix epoch for old credentials)
• ListScramCredentials - returns credentials with password_set_at for each entry

The v1 admin API is unchanged and does not expose this field.

Resolves CORE-15278

Backports Required

• none - not a bug fix
• none - issue does not exist in previous branches
• none - papercut/not impactful enough to backport
• v24.3.x
• v24.2.x
• v24.1.x

Release Notes

Improvements

• SCRAM credentials now track password_set_at timestamps, exposed via admin API v2. This enables clients like the Kubernetes operator to verify credential state changes have propagated and perform accurate reconciliation.

[Copilot]

Pull request overview

This PR adds a password_set_at timestamp field to track when SCRAM credentials were created or last modified. The field is exposed through the admin API v2 as a read-only property, enabling clients to verify credential state changes and perform accurate reconciliation.

Changes:

• Extended the internal scram_credential structure to include an optional password_set_at timestamp field
• Updated admin API v2 proto definitions and generated Python bindings to expose the timestamp field
• Modified credential creation and conversion logic to populate timestamps (current time for new credentials, InfinitePast for legacy credentials without timestamps)
• Added comprehensive test coverage for timestamp behavior across creation, updates, propagation, and persistence

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
proto/redpanda/core/admin/v2/security.proto	Added password_set_at timestamp field to ScramCredential message
tests/rptest/clients/admin/proto/redpanda/core/admin/v2/security_pb2.py	Updated generated Python protobuf code with new timestamp field
tests/rptest/clients/admin/proto/redpanda/core/admin/v2/security_pb2.pyi	Updated Python type stubs for new timestamp field
src/v/security/scram_credential.h	Extended scram_credential class with optional password_set_at field and bumped serde version
src/v/security/scram_algorithm.h	Modified make_credentials to populate password_set_at with current timestamp
src/v/redpanda/admin/services/security.cc	Updated conversion function to set password_set_at from credential or InfinitePast for legacy credentials
tests/rptest/tests/scram_test.py	Added comprehensive test for password_set_at behavior including creation, updates, propagation, and persistence
src/v/security/tests/scram_algorithm_test.cc	Added test verifying make_credentials populates timestamp
src/v/security/tests/credential_store_test.cc	Added test for credential store handling of timestamps
src/v/redpanda/admin/services/tests/security_test.cc	Added tests verifying protobuf conversion handles timestamps correctly
src/v/security/tests/BUILD	Added model dependency for timestamp support in tests

[Copilot]

Hardcoded 1-second sleep can make tests unnecessarily slow and brittle. Consider using a minimal sleep (e.g., 0.01 seconds) combined with explicit timestamp capture before/after the update operation, or mock the timestamp for deterministic testing.

Suggested change

	# Sleep to ensure timestamp difference (at least 1 second)
	time.sleep(1)
	# Minimal sleep to allow timestamp to advance on coarse-grained clocks
	time.sleep(0.01)

[Copilot]

Using a magic number index (4) to access tuple elements is fragile and will break if the order of fields in serde_fields() changes. Consider using structured bindings with descriptive names or adding a named accessor method to scram_credential for setting password_set_at.

Suggested change

	auto& password_set_at = std::get<4>(security_cred.serde_fields());
	auto& [salt, server_key, stored_key, iterations, password_set_at]
	= security_cred.serde_fields();

[michael-redpanda]

agree with bot here

[nguyen-andrew]

Force push to fix unit test affected by the addition of the password_set_at.

[rockwotj]

I don't think you want infinite past, and this likely causes an error during serialization. You want absl::UnixEpoch

[rockwotj]

need to account for clock skew in CDT. Maybe let's just ensure it's within an hour or something of now?

[michael-redpanda]

I'm not sure we need a std::optional here, instead I think we can depend on the value being timestamp::missing() if it's not provided.

[michael-redpanda]

nit: YOu can probably just do the value comparison without having to check that it has a value.

[michael-redpanda]

The std::get<4> seems unstable to me... maybe expose a setter method?

[michael-redpanda]

Also I wonder if timestamp needs to be part of the comparison at all... I think we do do other cred comparison and I feel comparing the timestamp is unnecessary (especially say when we update/create a user).

[michael-redpanda]

agree with bot here

[michael-redpanda]

I see what you're testing here - maybe add an optional parameter to make_credentials to take in a timestamp and if provided, use it

[nguyen-andrew]

Oh good point, that'd would make things easier

[vbotbuildovich]

CI test results

test results on build#79335

test_class	test_method	test_arguments	test_kind	job_url	test_status	passed	reason	test_history
DataMigrationsApiTest	test_creating_and_listing_migrations	null	integration	https://buildkite.com/redpanda/redpanda/builds/79335#019bdcb0-90dd-4aed-b861-dad5ad2a1411	FLAKY	10/11	Test PASSES after retries.No significant increase in flaky rate(baseline=0.0000, p0=1.0000, reject_threshold=0.0100. adj_baseline=0.1000, p1=0.3487, trust_threshold=0.5000)	https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=DataMigrationsApiTest&test_method=test_creating_and_listing_migrations
SimpleEndToEndTest	test_relaxed_acks	{"write_caching": false}	integration	https://buildkite.com/redpanda/redpanda/builds/79335#019bdcb0-90e6-42d9-819d-61c8695d0a52	FLAKY	10/11	Test PASSES after retries.No significant increase in flaky rate(baseline=0.0131, p0=1.0000, reject_threshold=0.0100. adj_baseline=0.1000, p1=0.3487, trust_threshold=0.5000)	https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=SimpleEndToEndTest&test_method=test_relaxed_acks

test results on build#79419

test_class	test_method	test_arguments	test_kind	job_url	test_status	passed	reason	test_history
ScalingUpTest	test_fast_node_addition	null	integration	https://buildkite.com/redpanda/redpanda/builds/79419#019be198-7298-4881-8868-14aea3cca4e7	FLAKY	10/11	Test PASSES after retries.No significant increase in flaky rate(baseline=0.0279, p0=1.0000, reject_threshold=0.0100. adj_baseline=0.1000, p1=0.3487, trust_threshold=0.5000)	https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=ScalingUpTest&test_method=test_fast_node_addition

[nguyen-andrew]

Force push to address PR comments:

• Adding timestamp::is_missing()
• Update scram_credential to remove std::optional from _password_set_at and rely on timestamp::missing()
• Update scram_credential equality operator to exclude password_set_at.
• Update security::scram_algorithm::make_credentials overloads to take a password_set_at parameter with a default value of model::timestamp::now(). This'll allow existing code using make_credentials to create credentials with timestamps automatically, but it also provides flexibility for callers (namely unit test code) to provide a specific timestamp as well.
• Update security Admin API v2 endpoint to use absl::UnixEpoch() if a scram credential's password_set_at is missing (instead of InfinitePast). Update proto comments accordingly.
• Updating tests to reflect the above changes. Updated test_scram_password_set_at_v2 ducktape test to remove potential flakiness due to possible clock skew.

[Copilot]

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.

[Copilot]

The comment states that equality excludes password_set_at because it's "metadata rather than part of the credential's identity." However, this design choice may not be obvious to future maintainers and could lead to subtle bugs. Consider expanding the documentation to explain the specific use cases where this behavior is desired (e.g., comparing credentials for authentication purposes) and explicitly warning about scenarios where timestamp comparison might be needed separately.

[Copilot]

The serde_fields() method includes _password_set_at for serialization, but _principal is explicitly excluded (as noted in the comment on line 78). This asymmetry between serialized fields and equality comparison could be confusing. Consider adding a comment explaining why _principal is excluded from serialization but included in equality, while _password_set_at is included in serialization but excluded from equality.

[Copilot]

The conversion logic maps missing timestamps to Unix epoch, which is consistent with the proto documentation. However, the choice of Unix epoch as the sentinel value for "unknown" is not documented here in the C++ code. Consider adding a brief comment explaining why Unix epoch was chosen over other options (e.g., setting the field to unset/null in protobuf) to help future maintainers understand this design decision.

[rockwotj]

LGTM, will let Mike do the final signoff