feat: kafka sasl auth #1186
feat: kafka sasl auth #1186
Conversation
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
pkg/apis/common/common.go
Outdated
| // SASLMechanism is the name of the enabled SASL mechanism. | ||
| // Possible values: OAUTHBEARER, PLAIN (defaults to PLAIN). | ||
| Mechanism string `json:"mechanism,omitempty" protobuf:"bytes,1,opt,name=mechanism"` | ||
| // Version is the SASL Protocol Version to use |
There was a problem hiding this comment.
Comments do not match the fields...
There was a problem hiding this comment.
Removed comments.
pkg/apis/common/common.go
Outdated
| User *corev1.SecretKeySelector `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"` | ||
| // Password for SASL/PLAIN authentication | ||
| Password *corev1.SecretKeySelector `json:"password,omitempty" protobuf:"bytes,3,opt,name=password"` | ||
| // authz id used for SASL/SCRAM authentication |
There was a problem hiding this comment.
Remove authz id. It wasn't supposed to be in there. Comments were lifted from the sarama library.
pkg/apis/common/validate.go
Outdated
|
|
||
| var mechanismSet, userSet, passwordSet bool | ||
|
|
||
| if saslConfig.Mechanism != "" { |
There was a problem hiding this comment.
Removed !="" check
pkg/apis/common/validate.go
Outdated
| } | ||
|
|
||
| if !mechanismSet { | ||
| return errors.New("invalid sasl config, please configure Mechanism. Possible values are `OAUTHBEARER`, `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512` and `GSSAPI`") |
There was a problem hiding this comment.
It says defaults to PLAIN above.
There was a problem hiding this comment.
Renamed error message to account for the only possible values.
pkg/apis/common/validate.go
Outdated
| passwordSet = true | ||
| } | ||
|
|
||
| if !userSet && !passwordSet { |
There was a problem hiding this comment.
This should have been an OR statement. Will fix.
sensors/triggers/kafka/kafka.go
Outdated
| @@ -63,6 +63,24 @@ func NewKafkaTrigger(sensor *v1alpha1.Sensor, trigger *v1alpha1.Trigger, kafkaPr | |||
| config.Version = version | |||
| } | |||
|
|
|||
| if kafkatrigger.SASL != nil { | |||
| config.Net.SASL.Enable = true | |||
| config.Net.SASL.Mechanism = sarama.SASLMechanism(kafkatrigger.SASL.Mechanism) | |||
There was a problem hiding this comment.
Checks whether the configuration is set. Enables SASL authentication if parameters are set in the YAML configs.
There was a problem hiding this comment.
Added additional validation for empty strings.
| @@ -461,28 +461,31 @@ type KafkaEventSource struct { | |||
| Topic string `json:"topic" protobuf:"bytes,3,opt,name=topic"` | |||
| // Backoff holds parameters applied to connection. | |||
| ConnectionBackoff *apicommon.Backoff `json:"connectionBackoff,omitempty" protobuf:"bytes,4,opt,name=connectionBackoff"` | |||
| // SASL configuration for the kafka client | |||
There was a problem hiding this comment.
BTW - we should keep the order of existing fields, otherwise it's a breaking change for proto files, we should reduce that kind of changes.
https://developers.google.com/protocol-buffers/docs/pythontutorial#extending-a-protocol-buffer
There was a problem hiding this comment.
Reverted the byte ordering and added the SASL configs to the end.
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
…passwordset logic. Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
pkg/apis/common/validate.go
Outdated
| return nil | ||
| } | ||
|
|
||
| var mechanismSet, userSet, passwordSet bool |
There was a problem hiding this comment.
Kind of verbose.
switch saslConfig.GetMechanism() {
case "PLAIN", xxxxxx:
default:
return errors.New("invalid sasl config. Possible xxxxxx")
}
if saslConfig.User == nil {
return errors.New("xxx")
}
if saslConfig.Password == nil {
return errors.New("xxx")
}
return nil
There was a problem hiding this comment.
Removed xxxSet flags. merged validating user and password into a single if statemetn.
pkg/apis/sensor/v1alpha1/types.go
Outdated
| @@ -499,20 +499,24 @@ type KafkaTrigger struct { | |||
| // Defaults to 500 milliseconds. | |||
| // +optional | |||
| FlushFrequency int32 `json:"flushFrequency,omitempty" protobuf:"varint,7,opt,name=flushFrequency"` | |||
| // SASL configuration for the kafka client | |||
There was a problem hiding this comment.
Same here, do not change the order.
There was a problem hiding this comment.
Reverted order.
eventsources/sources/kafka/start.go
Outdated
| if kafkaEventSource.SASL != nil { | ||
| config.Net.SASL.Enable = true | ||
|
|
||
| if kafkaEventSource.SASL.Mechanism == "" { |
There was a problem hiding this comment.
A function func (s SASLConfig) GetMechanism() would be helpful to save if..else everywhere.
There was a problem hiding this comment.
Refactored both sensor and event source kafka configs. Function GetMechanism() will by default, will set mechanism to "PLAINTEXT" unless otherwise specified.
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
pkg/apis/common/common.go
Outdated
| @@ -153,3 +167,13 @@ type Metadata struct { | |||
| Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,1,rep,name=annotations"` | |||
| Labels map[string]string `json:"labels,omitempty" protobuf:"bytes,2,rep,name=labels"` | |||
| } | |||
|
|
|||
| func (s SASLConfig) GetMechanism() sarama.SASLMechanism { | |||
There was a problem hiding this comment.
Overall everything looks good to me except this part.
- Returning
sarama.SASLMechanismmakesgithub.com/Shopify/saramaget introduced to the models, which is not good. Ideally the dependencies in models are either from native GoLang or k8s related. I prefer to return a string here. - Another reason is, since this struct is put in
common, it is intended to be used by not only Kafka. Assume it's going to be used by something else,sarma.SASLMechanismmight not be recognized by it. Also, I made a little research on SASL auth, it looks like the mechanism is not unified, different product has different support (PLAIN might be the one everyone supports). Correct me if I'm wrong.
There was a problem hiding this comment.
- Apologies for the oversight. Removed the type reference and refactored again to reflect on the actual sensor and eventsource.
- I'm basing the authentication mechanism on the available library which is Sarama. The other authentication mechanisms might be something to look into in the future, but "PLAIN" auth is a good place to start.
Signed-off-by: Joshua Jorel Lee <[email protected]>
Signed-off-by: Joshua Jorel Lee <[email protected]>
* feat: SASL Auth for Kafka Signed-off-by: Joshua Jorel Lee <[email protected]>
Checklist:
Test Cases:
Notes: