Authentication using SASL

[dasch]

http://kafka.apache.org/documentation.html#security_sasl

[kzk]

@dasch
Hi, we're running the project called Fluentd (http://www.fluentd.org/), an open source data collector. Currently Fluentd's kafka plugin is contributed by community (https://github.com/htgc/fluent-plugin-kafka), but it uses Poseidon.

Apparently it doesn't work with v0.9, and we're exploring the possibility of rewriting it with ruby-kafka. One requirements we hear from Fluentd users are, they want Kerberos support to publish events to Kafka.

I just saw this ticket but are you now working on this right now? If not, are you open to merge the changes we'll make? I'm just curious how important this is for you at this point. cc/ @repeatedly

[dasch]

@kzk that sounds great! I'm not working on Kerberos support, so by all means go ahead :-)

If you need help we can set up a call – otherwise, a work-in-progress PR could be a good starting point.

[tmeinlschmidt]

@dasch I'm on adding SASL (kerberos) to ruby-kafka right now, as we need it. It seems to be working, so I'll create some pull request soon. Have to add support and tests for SASL_SSL then too.

[jpaskhay]

@tmeinlschmidt We are also in need of this feature for a project we're working on, so we'd be more than happy to help in whatever capacity possible. We were literally about to start doing this ourselves, so we are very thankful to have seen your comment :) We don't have a strong Ruby background on the team but willing to do what we can to help.

We are not currently using SSL, so we may not be able to assist much there, unfortunately.

[tmeinlschmidt]

Hey all, pushed some initial code for SASL/GSSAPI authentication. Working on adding some more tests and docs.

[dasch]

@tmeinlschmidt I think that code is being overly intrusive - can you make a change within the confines of the existing design?

Feel free to create a PR with design changes separately, although I won't promise that I'll merge it.

[tmeinlschmidt]

The problem is - SASL needs to send some kafka messages before any auth can be made. that's the reason I cut ConnectionOperation out from Connection class. Is there any specific part you want to change/rewrite?

[dasch]

@tmeinlschmidt can you start by opening a PR? That makes commenting a lot easier.

[tmeinlschmidt]

@dasch opened #334.

[fullbearded]

@dasch when support the SASL/PLAIN? our team will use kafka replace with redis recently. I find only your gem support SASL. if not, I think we will create a new branch for this functionality.

[tmeinlschmidt]

I would like to add PLAIN to SASL auth then as well.

[trthomps]

+1 for SASL/PLAIN

[theduderog]

+1 I need SASL/PLAIN support as well.

[dasch]

@tmeinlschmidt would you want to head this or should we let one of these enthusiasts give it a go?

[dasch]

Done!

[frencopei]

any update?now fluentd-plugin-kafa support sasl ? i saw your comments about ruby kafak. it just provides principal and keytab, not krb5.conf, how get kerberos server addr without krb5.conf?

[xidiandb]

any update?now fluentd-plugin-kafa support sasl ? i saw your comments about ruby kafak. it just provides principal and keytab, not krb5.conf, how get kerberos server addr without krb5.conf?

same question

[theduderog]

I think it was done here - #370