Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

KIP-554: Add Broker-side SCRAM Config API #1917

Merged
merged 1 commit into from
May 6, 2021

Conversation

arkady-emelyanov
Copy link
Contributor

@arkady-emelyanov arkady-emelyanov commented Apr 21, 2021

Hey!

Kafka 2.7 it out. Which means KIP-554 has been merged into main branch 🎉

This PR closes #1803 issue (when Kafka 2.7 is used, of course).

One thing I'm not sure about: I have divided AlterScramUserCredentials API call into two: DeleteUserScramCredentials and UpsertUserScramCredentials. I personally think this brings more cleaner interface. But, if goal is 1:1 API match, AlterUserScramCredentials could be exposed.

Protocol links:

Local environment for testing purposes (PLAINTEXT listener on 9092, and SASL_PLAINTEXT listener on 9093):
docker-compose.yaml

version: '3'

services:
  zoo:
    image: zookeeper:3.6.2
    hostname: zoo1
    restart: unless-stopped
    environment:
      ZOO_MY_ID: 1
      ZOO_SERVERS: server.1=0.0.0.0:2888:3888;2181

  kafka:
    image: wurstmeister/kafka:2.13-2.7.0
    hostname: kafka1
    restart: unless-stopped
    ports:
      - "9092:9092"
      - "9093:9093"
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer
      KAFKA_ZOOKEEPER_CONNECT: zoo:2181
      KAFKA_LISTENERS: INT://:9092,EXT://:9093
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INT:PLAINTEXT,EXT:SASL_PLAINTEXT
      KAFKA_ADVERTISED_LISTENERS: INT://127.0.0.1:9092,EXT://127.0.0.1:9093
      KAFKA_INTER_BROKER_LISTENER_NAME: INT
      KAFKA_SASL_ENABLED_MECHANISMS: "SCRAM-SHA-256,SCRAM-SHA-512"
      KAFKA_SUPER_USERS: "User:ANONYMOUS;User:admin"
      KAFKA_OPTS: "-Djava.security.auth.login.config=/etc/jaas.conf"
    volumes:
      - ./docker-compose.jaas.conf:/etc/jaas.conf
    depends_on:
      - zoo

JAAS configuration file:
docker-compose.jaas.conf

ext.KafkaServer {
  org.apache.kafka.common.security.scram.ScramLoginModule required;
};

Sample application:
main.go

package main

import (
	"fmt"
	"github.com/Shopify/sarama"
)

/*
After running main.go, check it out:

(this command will not work)
kafkacat \
-X security.protocol=SASL_PLAINTEXT \
-X sasl.mechanisms=SCRAM-SHA-256 \
-X sasl.username='bob' \
-X sasl.password='bob-secret' \
-b 127.0.0.1:9093 \
-L

(this command will succeed):
kafkacat \
-X security.protocol=SASL_PLAINTEXT \
-X sasl.mechanisms=SCRAM-SHA-512 \
-X sasl.username='bob' \
-X sasl.password='bob-secret' \
-b 127.0.0.1:9093 \
-L


 */
func main() {
	cluster := []string{"127.0.0.1:9092"}
	config := sarama.NewConfig()
	config.Version = sarama.V2_7_0_0

	adm, err := sarama.NewClusterAdmin(cluster, config)
	if err != nil {
		panic(err)
	}

	// upsert two mechanisms: SCRAM_MECHANISM_SHA_256 and SCRAM_MECHANISM_SHA_512
	upsertList, err := adm.UpsertUserScramCredentials([]sarama.AlterUserScramCredentialsUpsert{
		{
			Name:       "bob",
			Mechanism:  sarama.SCRAM_MECHANISM_SHA_256,
			Iterations: 8192,
			Salt:       []byte("hello world"),
			Password:   []byte("bob-secret"),
		},
		{
			Name:       "bob",
			Mechanism:  sarama.SCRAM_MECHANISM_SHA_512,
			Iterations: 8192,
			Salt:       []byte("hello world"),
			Password:   []byte("bob-secret"),
		},
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("> Upsert")
	for _, a := range upsertList {
		fmt.Println(a.User)
	}

	// delete mechanism: SCRAM_MECHANISM_SHA_256
	deleteList, err := adm.DeleteUserScramCredentials([]sarama.AlterUserScramCredentialsDelete{
		{
			Name: "bob",
			Mechanism:  sarama.SCRAM_MECHANISM_SHA_256,
		},
	})
	fmt.Println("> Delete")
	for _, a := range deleteList {
		fmt.Println(a.User)
	}


	describeList, err := adm.DescribeUserScramCredentials(nil)
	if err != nil {
		panic(err)
	}

	fmt.Println("> Describe")
	for _, d := range describeList {
		fmt.Println("User:", d.User)
		for _, c := range d.CredentialInfos {
			fmt.Println("Allowed SCRAM mechanism:", c.Mechanism, c.Iterations)
		}
		fmt.Println("")
	}
}

@arkady-emelyanov arkady-emelyanov requested a review from bai as a code owner April 21, 2021 21:06
@ghost ghost added the cla-needed label Apr 21, 2021
@arkady-emelyanov arkady-emelyanov changed the title KIP: 554 KIP-554: Add Broker-side SCRAM Config API Apr 21, 2021
@ghost ghost removed the cla-needed label Apr 21, 2021
@bai bai requested a review from dnwe April 29, 2021 09:23
@dnwe dnwe force-pushed the kip-554-scram-config-api branch from a96ffec to ff98e50 Compare May 5, 2021 22:33
Copy link
Collaborator

@dnwe dnwe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many thanks for this! The changes look good to me and great job including instructions to test the changes locally with a stood up kafka ⭐

@dnwe dnwe merged commit 8dbbfb5 into IBM:master May 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

How could I create a new scram user by sarama?
2 participants