Add example for securely connecting to Kafka (and a potential bug?) #19
Comments
|
You should use this: https://github.com/apache/camel-kamelets/blob/main/kamelets/kafka-source.kamelet.yaml I'll update the example accordingly |
Hi @oscerd , thanks for replying so quickly! ...
- route:
id: "kafka-to-mq"
from:
uri: "kamelet:kafka-source"
parameters:
bootstrapServers: "{{kafka.bootstrapServers}}"
topic: "{{kafka.kafka-to-mq-topic}}"
saslMechanism: PLAIN
securityProtocol: SASL_SSL
user: "$ConnectionString"
password: "<PASSWORD>"
deserializeHeaders: true
...Like I said in the issue description: when inspecting the source of the kamelet, I'd say the only difference between the way the kamelet sets up the saslJaasConfig compared to the Camel core route that we've tried are the quotes (single quotes compared to double). It might be that Azure Event Hubs expects double quotes here; I'm not really sure why it matters what quote type is being used. |
|
The user needs to be just the username nothing more. It's already included in sala jaas config |
|
By the way I'll try to reproduce. It's weird to see $connection as username.. but if you externalize the properties it should work. I'll have a look |
|
@davsclaus I suppose the only problem is in relation to the '$' sign. |
Yes, the value of the user is exactly $ConnectionString. This can't be changed unfortunately, as it's dictated by Azure. |
We've placed the user credentials in an application.properties file; for the example route I've hardcoded it into the route so that it's simpler to show what the value would be (since it will always be $ConnectionString). |
It might be, but I think it's not only that but a combination of that and the single quotes that are being used in the saslJaasConfig; the kafka source kamelet uses single quotes, while saslJaasConfig would normally have double quotes, like in this example by Confluent. We've also used double quotes for saslJaasConfig in the Camel core Kafka source/sink and that is working as expected (despite the same $ConnectionString username). NOTE: Here's a stackoverflow post that I think is relevant here: https://stackoverflow.com/questions/64635940/camel-kafka-security-protocol-sasl-sasl-not-working |
|
Are you running this locally through some docker compose stuff? I would to try exactly the same |
the integration is running locally (not in docker, on Windows 10, with OpenJDK 19 installed), the "Kafka" cluster (Azure Event Hubs) is running on Azure, and IBM MQ is tested out both on the cloud and as a docker container (but MQ isn't relevant here since it fails long before getting to the MQ part). |
|
So is it this Its all YAML (you have to love it ... ;) So here it uses lined single quotes for that jaas config string If it needs to be changed to double quotes, then you need to change yaml to use single quoted wrapped, so something like: |
|
I think we could do that easily. So I'm going to do that on camel-kamelets |
1 similar comment
|
I think we could do that easily. So I'm going to do that on camel-kamelets |
|
Creating an example using all the configuration for having a local kafka with SASL_SSL and PLAIN is a bit more complex. |
|
With the current kamelet, then in the debugger I see this value set on the KafkaConfiguration instance |
|
So if Azure expects that username and password are using double quotes, then its likely a matter of changing this in the kamelet yaml file |
|
Yes, so we need to modify it |
|
With modified kamelet |
@davsclaus I think you're exactly right. |
|
This is how I changed the kamelet Camel takes care of the RAW automatic for kamelets |
|
You can even copy the existing kamelet yaml file and name it - And with jbang you can then tell it to look for kamelets in the current dir (or another folder) And in your route ( |
|
I'll update the Kamelet, I'll use it on event hubs and I'll create an example with that |
Thanks @oscerd and @davsclaus! |
|
Fixed in camel-kamelets through: apache/camel-kamelets#1476 Tested with Azure Event Hubs for Kafka |
|
Going to work on a good example for this. |
|
This should be fixed now. |
Hi, an example such as the Kafka to IBM MQ one, but for showing usage of security mechanisms would be much appreciated, as any production use case certainly requires something like SASL_PLAIN to be used.
We've attempted the exact integration I linked to, but through the "base" kafka source kamelet. The route we tried is (skipping irrelevant parts):
However, this doesn't work because, for some reason, authentication is failing. The stacktrace says nothing useful, as it seems like a standard error you'd get from wrong credentials being used.
One potential issue that's happening is incorrect parsing due to the '$' character at the start of the username, but basically the authentication process fails for some reason.
To make sure this is an issue with the kamelet, and not with our configuration, we've also tried out the Camel Core Kafka source from which this kamelet is based on, which then looks something like this:
This works as expected, but then the issue is that any custom header we have in Kafka won't be passed over to IBM MQ (but this is a separate issue that I won't get into in this context).
One thing we noticed, which might be the reason behind what's wrong is the fact that, in the case of the kamelet kafka source, the "compiled" (from the resolved uri) saslJaasConfig has single quotes around the username and password parts, but in the kafka source (the one which is working properly, aside from an issue with the headers), double quotes are used instead.
We've also tried to add an additional '$' in the username, in order to escape it (so "$$ConnectionString"), and trying wrapping the username in double quotes, but nothing works.
Used versions:
Additional notes:
The "Kafka" cluster we're attempting to connect to is actually an Azure Event Hubs namespace, but with Kafka enabled. This isn't relevant since the Camel Core Kafka source works with Event Hubs (since Event Hubs fully supports the Kafka Consumer/Producer API), but I'm mentioning it just in case (and to also explain the strange username).
The text was updated successfully, but these errors were encountered: