Allow user group membership check in ldap plugin #59

Merged: 1 commit, Aug 25, 2020

@everesio (Contributor) commented Aug 23, 2020

Configuration example:

    build/kafka-proxy server \
        --bootstrap-server-mapping "localhost:19092,0.0.0.0:30001" \
        --bootstrap-server-mapping "localhost:29092,0.0.0.0:30002" \
        --bootstrap-server-mapping "localhost:39092,0.0.0.0:30003" \
        --debug-enable \
        --auth-local-enable \
        --auth-local-command=build/auth-ldap \
        --auth-local-param=--url=ldap://localhost:389 \
        --auth-local-param=--start-tls=false \
        --auth-local-param=--bind-dn=cn=admin,dc=example,dc=org \
        --auth-local-param=--bind-passwd=admin \
        --auth-local-param=--user-search-base=ou=people,dc=example,dc=org \
        --auth-local-param=--user-filter="(&(objectClass=person)(uid=%u)(memberOf=cn=kafka-users,ou=realm-roles,dc=example,dc=org))"
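
The `--user-filter` above puts the login lookup and the group check in one filter, so whatever is substituted for `%u` must be escaped, otherwise a login name containing filter metacharacters could alter the `memberOf` clause. An added Go example of RFC 4515 escaping, not part of the pull request or of kafka-proxy's code; `escapeFilterValue` and `buildUserFilter` are hypothetical names, and treating `%u` as the only placeholder is an assumption:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// escapeFilterValue escapes the bytes RFC 4515 reserves inside a filter
// assertion value (\ * ( ) and NUL) as \XX hex pairs, so the value can only
// ever be compared literally and cannot add or close filter clauses.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildUserFilter replaces every %u in the template with the escaped login
// name. Assumption: %u is the only placeholder, as in the comment above.
func buildUserFilter(template, username string) (string, error) {
	if username == "" {
		return "", errors.New("empty username")
	}
	if !strings.Contains(template, "%u") {
		return "", errors.New("template has no user placeholder")
	}
	return strings.ReplaceAll(template, "%u", escapeFilterValue(username)), nil
}

func main() {
	// Filter template taken from the configuration example above.
	tmpl := "(&(objectClass=person)(uid=%u)(memberOf=cn=kafka-users,ou=realm-roles,dc=example,dc=org))"
	// Constructed login names: one ordinary, one with filter metacharacters.
	for _, name := range []string{"alice", "al*)(ce"} {
		f, err := buildUserFilter(tmpl, name)
		fmt.Println(f, err)
	}
}
```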

@everesio
Contributor Author

@gustavomcarmo Please check it out. AFAIR you were interested in group membership check in the LDAP Plugin.

@gustavomcarmo

Great! I'll give it a try asap and give you some feedback...

Thanks!

@gustavomcarmo

Hi @everesio,

Just tested the new ldap filter feature and it works like a charm. You can check it out in the kafka-proxy-test project.

Great job! Ship it!

@everesio merged commit 88b2f57 into master Aug 25, 2020

@everesio
Contributor Author

@gustavomcarmo
Hi, thank you for the feedback.

@everesio deleted the ldap-filter branch September 3, 2020 07:57

@gustavomcarmo

Hi @everesio,

When is the new version of kafka-proxy with this feature going to be released?

Thanks!

@gustavomcarmo

Hi @everesio,

Thanks for releasing the new version!

Just a question: would it be possible to set the LDAP admin credentials in the plugin configuration (--bind-dn and --bind-passwd) by using Kubernetes secrets?

Thanks!

@everesio
Contributor Author

Hi @gustavomcarmo
Using secrets would mean reading from file.
Are the env variables not secure enough for your use case?
e.g. Kubernetes sidecar container example (TLS_CLIENT_KEY_PASSWORD)?

        - name: kafka-proxy
          image: grepplabs/kafka-proxy:latest
          args:
            - 'server'
            - '--log-format=json'
            - '--tls-client-key-password=$(TLS_CLIENT_KEY_PASSWORD)'
          env:
          - name: TLS_CLIENT_KEY_PASSWORD
            valueFrom:
              secretKeyRef:
                name: tls-client-key-password
                key: password

@gustavomcarmo

Hi @everesio,

Yes, you're right. I can use environment variables.

Thanks!

@everesio (Contributor Author) commented Oct 6, 2020

Hi @gustavomcarmo
FYI. From release v0.2.7, 2 docker images are built.
e.g.

  • grepplabs/kafka-proxy:v0.2.7
  • grepplabs/kafka-proxy:v0.2.7-all

The second one contains precompiled plugins which are located in /opt/kafka-proxy/bin/.
Please check out the Docker images with precompiled plugins in the README.md.
