Add support for Authentication

[jmcristobal]

Allow to configure authentication method for the Kafka Connect cluster. I've done a quick test (clumpsy, I know) and works adding the ClientHeaderParam anotation at interface level. The values should be obtained from the configuration, obviously.

I'm not an expert in this REST Client library, and probably there is a better way to implement this solution.

Also, this is only covering BasicAuth and other authentication methods could be included as well.

If this is out of scope, don't hesitate to close this one ;)

/*
 *  Copyright 2021 The original authors
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package dev.morling.kccli.service;

import java.util.Base64;
import java.util.List;
import java.util.Map;

import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;

import org.eclipse.microprofile.rest.client.annotation.ClientHeaderParam;
import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;

@Path("/")
@RegisterRestClient
@ClientHeaderParam(name = "Authorization", value = "{getBasicAuth}")
public interface KafkaConnectApi {

    @GET
    KafkaConnectInfo getWorkerInfo();

    @GET
    @Path("/connector-plugins")
    List<ConnectorPlugin> getConnectorPlugins();

    @GET
    @Path("/connectors/")
    List<String> getConnectors();

    @POST
    @Path("/connectors/")
    ConnectorStatusInfo createConnector(String config);

    @GET
    @Path("/connectors/{name}")
    ConnectorInfo getConnector(@PathParam("name") String name);

    @POST
    @Path("/connectors/{name}/restart")
    void restartConnector(@PathParam("name") String name);

    @DELETE
    @Path("/connectors/{name}")
    void deleteConnector(@PathParam("name") String name);

    @GET
    @Path("/connectors/{name}/status")
    ConnectorStatusInfo getConnectorStatus(@PathParam("name") String name);

    @GET
    @Path("/connectors/{name}/topics")
    Map<String, TopicsInfo> getConnectorTopics(@PathParam("name") String name);

    @GET
    @Path("/connectors/{name}/config")
    Map<String, String> getConnectorConfig(@PathParam("name") String name);

    @PUT
    @Path("/connectors/{name}/config")
    ConnectorStatusInfo updateConnector(@PathParam("name") String name, String config);

    @POST
    @Path("/connectors/{name}/tasks/{id}/restart")
    ConnectorInfo restartTask(@PathParam("name") String name, @PathParam("id") String id);

    default String getBasicAuth() {
        return "Basic " +
                Base64.getEncoder().encodeToString("username:password".getBytes());
    }
}

[tonyfosterdev]

I would love to see this!

[gunnarmorling]

Same, same :) So far, no one has found the bandwidth for implementing it. It'd be a very valuable contribution.

[tonyfosterdev]

I'm taking this up as time permits. Fwiw, I'm not a Java dev, so will likely want someone more experienced to look it over closely. Sent from ProtonMail mobile

…

-------- Original Message --------

On Sep 4, 2021, 1:31 PM, Gunnar Morling wrote: Same, same :) So far, no one has found the bandwidth for implementing it. It'd be a very valuable contribution. — You are receiving this because you commented. Reply to this email directly, [view it on GitHub](#17 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AMHHZOTMDNFK23ZFS2N6AVTUAJJXFANCNFSM5APMFIAQ). Triage notifications on the go with GitHub Mobile for [iOS](https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675) or [Android](https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub).

[gunnarmorling]

No worries, I'm sure we'll get it sorted out one way or another.

As a first step, I'm curious how a solution should look like. There's the concept of "contexts" in kcctl, which lets you switch between different named Kafka Connect environments, e.g. "local", "staging", "prod". Details of the contexts are stored in a file ~/.kcctl (KC URL, but also Kafka bootstrap servers for the upcoming offset display/reset feature).

Using this file for storing auth information per context would be an obvious choice, but of course there are security implications to consider. Ideally, the auth information should be stored encrypted, and decrypted upon usage. Which would be cumbersome to do for each usage, so doing something similar to SSH Agent may be interesting. It would be interesting to see how other CLI tools handle this sort of requirement.

[tonyfosterdev]

My naive first run at this is putting it in .kcctl in plain text, or possibly in files in a vendor folder. Quarkus has a CredentialManager we can build on, and that would make it easier to support many methods from there. Sent from ProtonMail mobile

…

-------- Original Message --------

On Sep 4, 2021, 2:50 PM, Gunnar Morling wrote: No worries, I'm sure we'll get it sorted out one way or another. As a first step, I'm curious how a solution should look like. There's the concept of "contexts" in kcctl, which lets you switch between different named Kafka Connect environments, e.g. "local", "staging", "prod". Details of the contexts are stored in a file ~/.kcctl (KC URL, but also Kafka bootstrap servers for the upcoming offset display/reset feature). Using this file for storing auth information per context would be an obvious choice, but of course there are security implications to consider. Ideally, the auth information should be stored encrypted, and decrypted upon usage. Which would be cumbersome to do for each usage, so doing something similar to SSH Agent may be interesting. It would be interesting to see how other CLI tools handle this sort of requirement. — You are receiving this because you commented. Reply to this email directly, [view it on GitHub](#17 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AMHHZOQ2G5A4D7D7A4IJ6RDUAJTATANCNFSM5APMFIAQ). Triage notifications on the go with GitHub Mobile for [iOS](https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675) or [Android](https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub).

[tonyfosterdev]

I dug into how kubectl used basic auth. This page lays it out well: https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/cluster-administration/authenticate-across-clusters-kubeconfig/#example-kubeconfig-file

The credentials are stored plaintext. It may be nice, down the road, to use a cred store that is native to the OS, but that would require a few implementations.

[tonyfosterdev]

PR for this is here for review: #68

[tonyfosterdev]

@jmcristobal I believe you should be all set now. This PR is merged.

[gunnarmorling]

Indeed, thanks again. Will close this one.