SASL SCRAM support #24

Closed
worms opened this issue Jun 7, 2019 · 5 comments
Labels: enhancement, help wanted


worms commented Jun 7, 2019

We have been using the proxy with great success to date using both PLAINTEXT and SSL endpoints. We are now wanting to do SASL authentication with SCRAM (our hosting provider uses SCRAM256 rather than PLAIN).

As best I can tell kafka-proxy currently doesn't have support for this.

I believe I will need to add a *Auth struct in sasl_by_proxy.go to handle the SCRAM portion as well as providing some command line parameters.

Any chance someone has worked on this already and has some code sitting around? If not I will likely get started hacking away.

@everesio added the "help wanted" label on Jun 7, 2019
Contributor

everesio commented Jun 7, 2019

Should SCRAM be performed by clients, i.e. passed through the proxy, or initiated by the proxy, i.e. hidden from the clients? Both options are supported for PLAINTEXT.

Feel free to contribute.

@everesio added the "enhancement" label on Jun 7, 2019
Author

worms commented Jun 7, 2019

Our use case would do plaintext to the proxy, then SCRAM over SSL/TLS out to the brokers.

I am looking at adding support now. I would like your input on how I am going about it.

Add new command line parameters to the server:
Server.Flags().StringVar(&c.Kafka.SASL.Method, "sasl-method", "PLAIN", "SASL method to use (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512)")

Add a new struct called SASLSCRAMAuth.
If the SASL method is SCRAM-SHA-*, then use the new struct.
Customize the sendAndReceiveSASLAuth to handle the SCRAM workflow.

Am I missing anything?
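
For reference, the client side of the SCRAM-SHA-256 exchange that a proxy-initiated login performs toward the brokers, as an added standard-library Go example; it is not from this thread or from kafka-proxy, whose merged change vendors xdg/scram. `ClientFinal`, `mac` and `rfc7677ServerFirst` are names chosen here, and the sample exchange is the one in RFC 7677 section 3. The code assumes an ASCII username without `,` or `=` (no SASLprep or escaping), a caller-supplied random client nonce, and 4096 iterations as the accepted floor.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// ClientFinal checks server-first; returns client-final and the server-final ("v=...") to expect.
func ClientFinal(user, pass, cnonce, serverFirst string) (string, string, error) {
	f := map[string]string{}
	for _, kv := range strings.Split(serverFirst, ",") {
		if len(kv) > 2 && kv[1] == '=' {
			f[kv[:1]] = kv[2:]
		}
	}
	salt, err := base64.StdEncoding.DecodeString(f["s"])
	iters, ierr := strconv.Atoi(f["i"])
	if err != nil || ierr != nil || iters < 4096 || len(f["r"]) <= len(cnonce) || !strings.HasPrefix(f["r"], cnonce) {
		return "", "", fmt.Errorf("scram: rejected server-first %q", serverFirst) // nonce must extend ours; 4096 floor is an assumed policy
	}
	u, salted := append(salt, 0, 0, 0, 1), make([]byte, sha256.Size) // Hi(): PBKDF2-HMAC-SHA-256, one block
	for i := 0; i < iters; i++ {
		u = mac([]byte(pass), u)
		for j := range salted {
			salted[j] ^= u[j]
		}
	}
	noProof := "c=biws,r=" + f["r"] // biws = base64("n,,"): no channel binding
	auth := []byte("n=" + user + ",r=" + cnonce + "," + serverFirst + "," + noProof)
	proof := mac(salted, []byte("Client Key"))
	stored := sha256.Sum256(proof)
	for i, b := range mac(stored[:], auth) {
		proof[i] ^= b // ClientProof = ClientKey XOR ClientSignature
	}
	enc := base64.StdEncoding.EncodeToString
	return noProof + ",p=" + enc(proof), "v=" + enc(mac(mac(salted, []byte("Server Key")), auth)), nil
}

const rfc7677ServerFirst = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096" // sample input: RFC 7677 section 3
func main() { fmt.Println(ClientFinal("user", "pencil", "rOprNGfwEbeRWgbNEkqO", rfc7677ServerFirst)) }
```

The second return value is what the broker's server-final message must equal; comparing it with `hmac.Equal` on the bytes before treating the connection as authenticated gives the proxy proof that the broker also knows the credential.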

Contributor

everesio commented Jun 7, 2019

In general that's it. Additionally proxy/client.go sets the implementation, config/config.go validates the params. There is a SASL plugin mechanism I used for OAUTHBEARER but it doesn't have to be used for SCRAM. Just do what you think is reasonable ;-)

Contributor

everesio commented Jul 6, 2019

Thank you for your contribution!
I have just merged your PR and vendored xdg/scram.

@everesio closed this as completed on Jul 6, 2019
Contributor

everesio commented Jul 6, 2019

release version v0.1.3
