Support Authentication #109
We already support TLS encryption, but we haven't implemented anything regarding authentication.
SASL/Kerberos would be great. You'll likely need to take a gokrb5 dependency.
@mxk1235 regarding the external dependency, we've tried to isolate those in sub-packages of kafka-go to keep the top-level package dependency-free. I'd assume we'd want to do the same in this case by abstracting the authentication mechanism behind an interface and having the Kerberos implementation in a sub-package.
Add support for SASL authentication by allowing the user to set the SASLClient field on the kafka.Dialer struct. The user must provide their own implementation of kafka.SASLClient because there is currently no SASL library for Go with support for all the mechanisms Kafka supports, and this will allow kafka-go to support more SASL mechanisms without changing the core library.

The tests have been updated to test PLAIN authentication against a live server. The implementation has also been tested using SCRAM-SHA-256 and SCRAM-SHA-512, against 0.11.0.3 and 2.0.1.

This commit introduces four new calls against Kafka, which will only be used if SASLClient is set:

- ApiVersionsRequest v1
- SaslHandshakeRequest v0 and v1
- SaslAuthenticateRequest v0
- Raw SASL packets

For more information about the authentication sequence, please see https://kafka.apache.org/protocol#sasl_handshake

TODO: For Kerberos and SCRAM-SHA-256-PLUS support the interface methods for kafka.SASLClient might need to be extended.
Example using github.com/xdg/scram to implement SCRAM-SHA-512:

```go
package main

import (
	"context"
	"crypto/sha512"
	"hash"
	"log"

	kafka "github.com/segmentio/kafka-go"
	"github.com/xdg/scram"
)

// SHA512 tells xdg/scram which hash to use for the SCRAM PBKDF2/HMAC steps.
var SHA512 scram.HashGeneratorFcn = func() hash.Hash { return sha512.New() }

// SCRAMClient adapts one xdg/scram conversation to the kafka.SASLClient
// interface introduced by this PR.
type SCRAMClient struct {
	client *scram.ClientConversation
}

// Mechanism is the name sent in the SaslHandshakeRequest.
func (s *SCRAMClient) Mechanism() string {
	return "SCRAM-SHA-512"
}

// Start returns the client-first message (an empty challenge starts the conversation).
func (s *SCRAMClient) Start(ctx context.Context) ([]byte, error) {
	str, err := s.client.Step("")
	return []byte(str), err
}

// Next feeds the broker's challenge to the conversation and reports whether
// the exchange is finished; the server-final message produces an empty reply.
func (s *SCRAMClient) Next(ctx context.Context, challenge []byte) (bool, []byte, error) {
	str, err := s.client.Step(string(challenge))
	return s.client.Done(), []byte(str), err
}

func main() {
	scramClient, err := SHA512.NewClient("adminscram", "admin-secret", "")
	if err != nil {
		log.Fatal(err)
	}

	r := kafka.NewReader(kafka.ReaderConfig{
		Dialer: &kafka.Dialer{
			// A fresh conversation per connection: SCRAM nonces must not be reused.
			SASLClient: func() kafka.SASLClient {
				return &SCRAMClient{scramClient.NewConversation()}
			},
		},
		Brokers: []string{"localhost:9094"},
		Topic:   "test-writer-1",
	})
	defer r.Close()

	m, err := r.ReadMessage(context.Background())
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("%s", m.Value)
}
```
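The calls listed in the commit message are, on the wire, a few framed Kafka requests and one bare packet form. The program below is an added example, not kafka-go's code and not from this thread: it builds the SaslHandshakeRequest v1 and SaslAuthenticateRequest v0 frames around a SASL/PLAIN token, shows the raw size-prefixed packet used after a v0 handshake, and parses a SaslHandshakeResponse, including the case where the broker reports the mechanism as unsupported. The encodings follow the Kafka protocol guide linked above; the function names, the client id "kafka-go", the credentials and the broker replies are this example's own constructed values.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// API keys from the Kafka protocol guide (https://kafka.apache.org/protocol).
const (
	apiSaslHandshake    int16 = 17
	apiSaslAuthenticate int16 = 36
)

// PlainToken is the SASL/PLAIN client message (RFC 4616): authzid NUL authcid NUL passwd.
// It carries the password verbatim, so PLAIN belongs on a TLS connection only.
func PlainToken(authzID, user, password string) []byte {
	return []byte(authzID + "\x00" + user + "\x00" + password)
}

// Kafka wire primitives: big-endian ints, INT16-length STRING, INT32-length BYTES.
func putInt16(b *bytes.Buffer, v int16)   { binary.Write(b, binary.BigEndian, v) }
func putInt32(b *bytes.Buffer, v int32)   { binary.Write(b, binary.BigEndian, v) }
func putString(b *bytes.Buffer, s string) { putInt16(b, int16(len(s))); b.WriteString(s) }
func putBytes(b *bytes.Buffer, p []byte)  { putInt32(b, int32(len(p))); b.Write(p) }

// frame prepends the request header (api_key, api_version, correlation_id,
// client_id) and the INT32 size prefix that every Kafka request carries.
func frame(apiKey, apiVersion int16, corr int32, clientID string, body []byte) []byte {
	var msg, out bytes.Buffer
	putInt16(&msg, apiKey)
	putInt16(&msg, apiVersion)
	putInt32(&msg, corr)
	putString(&msg, clientID)
	msg.Write(body)
	putInt32(&out, int32(msg.Len()))
	out.Write(msg.Bytes())
	return out.Bytes()
}

// SaslHandshakeRequestV1 carries only the mechanism name as a STRING.
func SaslHandshakeRequestV1(corr int32, clientID, mechanism string) []byte {
	var body bytes.Buffer
	putString(&body, mechanism)
	return frame(apiSaslHandshake, 1, corr, clientID, body.Bytes())
}

// SaslAuthenticateRequestV0 wraps a SASL token (BYTES) in a normal Kafka
// request; it is only valid after a v1 handshake.
func SaslAuthenticateRequestV0(corr int32, clientID string, token []byte) []byte {
	var body bytes.Buffer
	putBytes(&body, token)
	return frame(apiSaslAuthenticate, 0, corr, clientID, body.Bytes())
}

// RawSaslPacket is the v0-handshake form: the token goes on the wire as a
// bare size-prefixed packet with no Kafka request header around it.
func RawSaslPacket(token []byte) []byte {
	var out bytes.Buffer
	putBytes(&out, token)
	return out.Bytes()
}

// EncodeSaslHandshakeResponse builds a broker reply (correlation_id, error_code,
// enabled_mechanisms ARRAY(STRING)); it exists only to construct sample input here.
func EncodeSaslHandshakeResponse(corr int32, errCode int16, mechanisms []string) []byte {
	var msg, out bytes.Buffer
	putInt32(&msg, corr)
	putInt16(&msg, errCode)
	putInt32(&msg, int32(len(mechanisms)))
	for _, m := range mechanisms {
		putString(&msg, m)
	}
	putInt32(&out, int32(msg.Len()))
	out.Write(msg.Bytes())
	return out.Bytes()
}

// ParseSaslHandshakeResponse decodes the reply, validating every length it
// reads before allocating from it, and surfaces a non-zero error_code
// (33 is UNSUPPORTED_SASL_MECHANISM) together with what the broker offers.
func ParseSaslHandshakeResponse(resp []byte) (corr int32, mechanisms []string, err error) {
	r := bytes.NewReader(resp)
	var size, count int32
	var errCode int16
	for _, v := range []interface{}{&size, &corr, &errCode, &count} {
		if err = binary.Read(r, binary.BigEndian, v); err != nil {
			return 0, nil, fmt.Errorf("short handshake response: %w", err)
		}
	}
	if count < 0 || int(count) > r.Len() {
		return 0, nil, fmt.Errorf("invalid mechanism count %d", count)
	}
	for i := int32(0); i < count; i++ {
		var l int16
		if err = binary.Read(r, binary.BigEndian, &l); err != nil || l < 0 {
			return 0, nil, fmt.Errorf("invalid mechanism length")
		}
		s := make([]byte, l)
		if _, err = io.ReadFull(r, s); err != nil {
			return 0, nil, fmt.Errorf("short mechanism string: %w", err)
		}
		mechanisms = append(mechanisms, string(s))
	}
	if errCode != 0 {
		return corr, mechanisms, fmt.Errorf("handshake error code %d, broker offers %v", errCode, mechanisms)
	}
	return corr, mechanisms, nil
}

func main() {
	fmt.Printf("SaslHandshakeRequest v1: % x\n", SaslHandshakeRequestV1(1, "kafka-go", "PLAIN"))
	// Constructed broker reply: mechanism accepted, two mechanisms enabled.
	corr, mechs, err := ParseSaslHandshakeResponse(EncodeSaslHandshakeResponse(1, 0, []string{"PLAIN", "SCRAM-SHA-512"}))
	fmt.Println(corr, mechs, err)
	tok := PlainToken("", "adminplain", "admin-secret")
	fmt.Printf("SaslAuthenticateRequest v0: % x\n", SaslAuthenticateRequestV0(2, "kafka-go", tok))
}
```

A PLAIN implementation of the kafka.SASLClient interface from the commit would return the PlainToken value from its Start method and report done on the first Next call. Note that the token is just the password with NUL separators, which is why the PLAIN test in this PR only makes sense on a TLS-encrypted connection (the TLS support mentioned at the top of the thread).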
Initial contribution that provides a skeleton for SASL support. For more information about the authentication sequence, please see https://kafka.apache.org/protocol#sasl_handshake
Kafka supports this. It would be nice to support it in our client as well.
https://kafka.apache.org/documentation/#security_overview