From 54b4528f3670ccbbed1dfa9485c8d896f3af2051 Mon Sep 17 00:00:00 2001 From: Thomas Newman Date: Wed, 31 Jul 2024 21:07:30 -0400 Subject: [PATCH 1/3] Documented Azure Entra authentication --- configuration/authentication/azure-entra.md | 54 +++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 configuration/authentication/azure-entra.md diff --git a/configuration/authentication/azure-entra.md b/configuration/authentication/azure-entra.md new file mode 100644 index 0000000..516b0a9 --- /dev/null +++ b/configuration/authentication/azure-entra.md 
@@ -0,0 +1,54 @@ +--- +description: How to configure Azure Entra Authentication +--- + +# Azure Entra + +## Overview +Kafbat UI comes with an OAuth Callback Handler for +[Azure Event Hubs for Kafka](https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/migrate-kafka-to-passwordless-connection?tabs=azure-portal%2Csign-in-azure-cli%2Cjava-kafka%2Capp-service%2Cassign-role-service-connector). + +The Callback Handler uses the +[Default Azure Credential](https://learn.microsoft.com/en-us/azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential) for authentication, +providing support for all commonly used Entra credentials. + +Pre-requisites: +1. An Event Hub Namespace in the standard, premium or dedicated tiers. +2. An Event Hub. +3. Entra Credentials for an Entra Identity with a role assignment allowing + sending to and receiving from Event Hub, such as Azure Event Hubs Data Owner. + +## Examples + +Please replace `` with the name of your Event Hub namespace. + +### Docker + +[Default Azure Credential](https://learn.microsoft.com/en-us/azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential) +for additional configuration required based on the credential type. 
+ +```bash +docker run -p 8080:8080 \ + -e KAFKA_CLUSTERS_0_NAME=local \ + -e KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=.servicebus.windows.net:9093 \ + -e KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL \ + -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=OAUTHBEARER \ + -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_CLIENT_CALLBACK_HANDLER_CLASS=io.kafbat.ui.sasl.azure.entra.AzureEntraLoginCallbackHandler \ + -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG="org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;" \ + -d ghcr.io/kafbat/kafka-ui +``` + +### application.yaml +```yaml +kafka: + clusters: + - bootstrapServers:.servicebus.windows.net:9093 + name: local + properties: + security.protocol: SASL_SSL + sasl.mechanism: OAUTHBEARER + sasl.jaas.config: + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required; + sasl.client.callback.handler.class: io.kafbat.ui.sasl.azure.entra.AzureEntraLoginCallbackHandler + readOnly: false +``` \ No newline at end of file From d6a758c04bc98866abb857d182d3a67612df54fe Mon Sep 17 00:00:00 2001 From: Thomas Newman Date: Tue, 13 Aug 2024 07:35:12 -0400 Subject: [PATCH 2/3] Updated Entra documentation credential section --- configuration/authentication/azure-entra.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/configuration/authentication/azure-entra.md b/configuration/authentication/azure-entra.md index 516b0a9..f32faea 100644 --- a/configuration/authentication/azure-entra.md +++ b/configuration/authentication/azure-entra.md 
@@ -22,10 +22,15 @@ Pre-requisites: Please replace `` with the name of your Event Hub namespace. -### Docker +See [Default Azure Credential](https://learn.microsoft.com/en-us/azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential) +for additional configuration required based on the credential type. Any of the supported +credential types (Environment Variable, Managed Identity, Azure CLI, etc.) will work once +configured. + +As an example, after authenticating with the Azure CLI using `az login` Kafbat UI will +automatically authenticate with Event Hubs using CLI credentials. -[Default Azure Credential](https://learn.microsoft.com/en-us/azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential) -for additional configuration required based on the credential type. +### Docker ```bash docker run -p 8080:8080 \ From 6859f72a4174e7b820654565dff3c67e2b6685dd Mon Sep 17 00:00:00 2001 From: Thomas Newman Date: Tue, 13 Aug 2024 07:38:51 -0400 Subject: [PATCH 3/3] Updated Entra documentation credential section --- configuration/authentication/azure-entra.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/configuration/authentication/azure-entra.md b/configuration/authentication/azure-entra.md index f32faea..725bd93 100644 --- a/configuration/authentication/azure-entra.md +++ b/configuration/authentication/azure-entra.md 
@@ -22,13 +22,13 @@ Pre-requisites: Please replace `` with the name of your Event Hub namespace. +Prior to starting Kafbat UI, authenticate with Azure Entra using any of the supported +Azure Credential types (Environment Variable, Managed Identity, Azure CLI, etc.). See [Default Azure Credential](https://learn.microsoft.com/en-us/azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential) -for additional configuration required based on the credential type. Any of the supported -credential types (Environment Variable, Managed Identity, Azure CLI, etc.) will work once -configured. +for additional configuration required based on the credential type. As an example, after authenticating with the Azure CLI using `az login` Kafbat UI will -automatically authenticate with Event Hubs using CLI credentials. +automatically connect to Event Hubs using CLI credentials. ### Docker
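Review bot: In PATCH 1/3, pre-requisite 3 gives Azure Event Hubs Data Owner as the example role, which is broader than the "sending to and receiving from Event Hub" access the same sentence asks for. Consider naming Azure Event Hubs Data Sender and Azure Event Hubs Data Receiver as the example, scoped to the namespace or the hub, and mentioning Data Owner only as the full-access option. Separately, the line "Please replace `` with the name of your Event Hub namespace" shows an empty placeholder and both examples begin the host at `.servicebus.windows.net:9093`, so a reader cannot tell what to substitute. The YAML line `- bootstrapServers:.servicebus.windows.net:9093` also has no space after the colon.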
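Review bot: In PATCH 2/3, the added `az login` paragraph is placed directly above the Docker example, but the `docker run` command in that example passes only `KAFKA_CLUSTERS_0_*` variables, so nothing from a host-side Azure CLI session is handed to the container. Please say that the CLI example applies when Kafbat UI runs in the same environment as the CLI session, and for Docker show how the chosen credential reaches the container, for instance the `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` variables read by the Environment credential (supplied from an env file rather than typed on the command line), or a managed identity on the host platform. Minor: add a comma after `az login` in "using `az login` Kafbat UI will".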
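Review bot: In PATCH 3/3, the new opening sentence "Prior to starting Kafbat UI, authenticate with Azure Entra using any of the supported Azure Credential types" does not fit two of the three types it lists: Environment Variable and Managed Identity are not interactive logins done beforehand, they are configuration that must be present for the Kafbat UI process, which then obtains the token itself. Something like "Prior to starting Kafbat UI, make one of the supported credential types available to its process" would cover all of them, with `az login` kept as the one case where the user signs in first. The missing comma after `az login` in the last changed sentence is still there.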