Support Authentication #109

Closed
abraithwaite opened this issue Jul 6, 2018 · 4 comments

@abraithwaite
Contributor

Kafka supports this. It would be nice to support it in our client as well.

https://kafka.apache.org/documentation/#security_overview

@achille-roussel
Contributor

We already support TLS encryption, but we haven’t implemented anything regarding authentication.

@abraithwaite abraithwaite changed the title from "Support Authentication and Encryption with SSL" to "Support Authentication" Jul 6, 2018

@mxk1235

mxk1235 commented Aug 28, 2018

SASL/Kerberos would be great. You'll likely need to take a gokrb5 dependency.

@achille-roussel
Contributor

@mxk1235 regarding the external dependency, we've tried to isolate those in sub-packages of kafka-go to keep the top-level package dependency-free. I'd assume we'd want to do the same in this case by abstracting the authentication mechanism behind an interface and having the Kerberos implementation in a sub-package.

stevevls pushed a commit that referenced this issue Feb 27, 2019
Add support for SASL authentication by allowing the user to set the
SASLClient field on the kafka.Dialer struct.

The user must provide its own implementation of kafka.SASLClient because
there is currently no SASL library for Go with support for all the
implementations Kafka supports, and this will allow kafka-go to support
more SASL mechanisms without changing the core library.

The tests have been updated to test PLAIN authentication against a live
server.  The implementation has also been tested using SCRAM-SHA-256
and SCRAM-SHA-512, against 0.11.0.3 and 2.0.1.

This commit introduces four new calls against Kafka, which will only be
used if SASLClient is set:

 - ApiVersionsRequest v1
 - SaslHandshakeRequest v0 and v1
 - SaslAuthenticateRequestV0
 - Raw SASL packets

For more information about the authentication sequence, please see
https://kafka.apache.org/protocol#sasl_handshake

TODO: For Kerberos and SCRAM-SHA-256-PLUS support the interface methods
for kafka.SASLClient might need to be extended.

Example using github.com/xdg/scram to implement SCRAM-SHA-512:

    package main

    import (
            "context"
            "crypto/sha512"
            "hash"
            "log"

            kafka "github.com/segmentio/kafka-go"
            "github.com/xdg/scram"
    )

    // SHA512 is the hash generator handed to xdg/scram for SCRAM-SHA-512.
    var SHA512 scram.HashGeneratorFcn = func() hash.Hash { return sha512.New() }

    // SCRAMClient adapts a scram.ClientConversation to kafka.SASLClient.
    type SCRAMClient struct {
            client *scram.ClientConversation
    }

    func (s *SCRAMClient) Mechanism() string { return "SCRAM-SHA-512" }

    // Start produces the client-first message.
    func (s *SCRAMClient) Start(ctx context.Context) ([]byte, error) {
            str, err := s.client.Step("")
            return []byte(str), err
    }

    // Next answers a server challenge and reports whether the conversation is done.
    func (s *SCRAMClient) Next(ctx context.Context, challenge []byte) (bool, []byte, error) {
            str, err := s.client.Step(string(challenge))
            return s.client.Done(), []byte(str), err
    }

    func main() {
            scramClient, err := SHA512.NewClient("adminscram", "admin-secret", "")
            if err != nil {
                    log.Fatal(err)
            }

            // A new conversation is created for every connection the dialer opens.
            r := kafka.NewReader(kafka.ReaderConfig{
                    Dialer: &kafka.Dialer{
                            SASLClient: func() kafka.SASLClient { return &SCRAMClient{scramClient.NewConversation()} },
                    },
                    Brokers: []string{"localhost:9094"},
                    Topic:   "test-writer-1",
            })
            defer r.Close()
    }

stevevls pushed a commit that referenced this issue Mar 1, 2019
Initial contribution that provides a skeleton for SASL support.

For more information about the authentication sequence, please see
https://kafka.apache.org/protocol#sasl_handshake

@stevevls
Contributor

Just merged in #223 which adds general support for SASL as well as implementations for PLAIN and SCRAM mechanisms.

Also opened #237 and #238 as follow-ups to add additional SASL mechanisms.
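
The thread closes with PLAIN and SCRAM support merged. As an added example (not kafka-go's own code), this is a PLAIN client written against the three-method shape that the SCRAM example in the commit message implements, refusing to send the password without TLS. The `saslClient` interface declaration, the `authenticate` driver, the `overTLS` flag and the credentials are assumptions made for this sketch.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// saslClient: method set from the commit message, redeclared locally (assumption).
type saslClient interface {
	Mechanism() string
	Start(ctx context.Context) ([]byte, error)
	Next(ctx context.Context, challenge []byte) (bool, []byte, error)
}

// plainClient implements SASL PLAIN (RFC 4616); overTLS is set by the caller.
type plainClient struct {
	user, pass string
	overTLS    bool
}

func (p *plainClient) Mechanism() string { return "PLAIN" }

func (p *plainClient) Start(ctx context.Context) ([]byte, error) {
	if !p.overTLS { // PLAIN sends the password unhashed
		return nil, errors.New("PLAIN refused: connection is not TLS")
	}
	if strings.ContainsRune(p.user+p.pass, 0) { // NUL would shift the fields
		return nil, errors.New("PLAIN refused: NUL in credentials")
	}
	return []byte("\x00" + p.user + "\x00" + p.pass), nil // empty authzid
}

func (p *plainClient) Next(ctx context.Context, challenge []byte) (bool, []byte, error) {
	return true, nil, nil // single-message mechanism: done after one reply
}

// authenticate drives a saslClient; send is a hypothetical broker round trip.
func authenticate(ctx context.Context, c saslClient, send func([]byte) ([]byte, error)) error {
	msg, err := c.Start(ctx)
	for done := false; err == nil && !done; {
		if msg, err = send(msg); err == nil {
			done, msg, err = c.Next(ctx, msg)
		}
	}
	return err
}

// Constructed credentials, no TLS: prints the refusal error.
func main() { fmt.Println(authenticate(context.Background(), &plainClient{user: "alice", pass: "s3cret"}, nil)) }
```

The same `authenticate` loop serves a multi-step mechanism such as SCRAM, because it keeps exchanging messages until `Next` reports completion.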
