Add basic authentication to Kafka storage #1983
Conversation
…jaegertracing#1966 Signed-off-by: chandresh-pancholi <[email protected]>
chandresh-pancholi
requested review from
black-adder,
jpkrohling,
objectiser,
pavolloffay,
tiffon,
vprithvi and
yurishkuro
as code owners
Codecov Report
@@ Coverage Diff @@
## master #1983 +/- ##
==========================================
+ Coverage 96.94% 96.96% +0.01%
==========================================
Files 202 202
Lines 10068 10068
==========================================
+ Hits 9760 9762 +2
+ Misses 269 267 -2
Partials 39 39
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Hi Chandresh-Pancholi! I was very happy when I saw your pull request regarding kafka basic auth. I want to connect a Kafka enabled Azure Event Hub to jaeger-ingest and jaeger-collector. Unfortunatly there is currently no support for e.g. these properties:
sasl.mechanism=PLAIN
security.protocol=SASL_SSL
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="$ConnectionString"
password="{MY.EVENTHUBS.CONNECTION.STRING}";
Examples for Azure Event Hubs for Kafka connections: https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials
It would be nice if you could add that to your PR too cause this would enable a lot of people that are using Azure EH (kafka enabled) to connect jaeger to their solutions. Does it make sense for you?
| flagSet.String( | ||
| configPrefix+plainTextPrefix+suffixPlainTextUserName, | ||
| defaultPlainTextUserName, | ||
| "The plaintext Username for SASL/PLAIN authentication") |
There was a problem hiding this comment.
shouldn't we call it basic like in other flags?
There was a problem hiding this comment.
Kafka and Sarama always mentioned it as Plaintext. Shall I change it to basic?
I can replace "plainText" to "basicAuth"
There was a problem hiding this comment.
I'd keep it as plaintext to match Kafka documentation.
I never used Azure Event bus. Let me spend some time over the weekend. It would be great if you can create another issue specific to Azure Event bus. Let these changes go live for now. |
Hi chandresh-pancholi! Thanks for your quick response. As requested I created a separate issue for it: #1989. I also referenced this one here. Regards and Merry X-Mas :-) |
pkg/kafka/auth/options.go
Outdated
| @@ -99,6 +106,17 @@ func addTLSFlags(configPrefix string, flagSet *flag.FlagSet) { | |||
| "Path to the TLS Key for the Kafka connection") | |||
| } | |||
|
|
|||
| func addPlainTextFlag(configPrefix string, flagSet *flag.FlagSet) { | |||
There was a problem hiding this comment.
| func addPlainTextFlag(configPrefix string, flagSet *flag.FlagSet) { | |
| func addPlainTextFlags(configPrefix string, flagSet *flag.FlagSet) { |
| func setPlainTextConfiguration(config *PlainTextConfig, saramaConfig *sarama.Config) { | ||
| saramaConfig.Net.SASL.Enable = true | ||
| saramaConfig.Net.SASL.User = config.UserName | ||
| saramaConfig.Net.SASL.Password = config.Password |
There was a problem hiding this comment.
this doesn't track. Kafka docs https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_plain.html mention "plaintext" as an alternative to SASL "plain", but here we seem to make them the same.
There was a problem hiding this comment.
Please correct me if I understood it, You are trying to say rather than using "PlainText" we shall use "Plain".
There was a problem hiding this comment.
no, I am saying Kafka docs make clear distinction between those two methods, but in this code we seem to treat them as the same thing: calling it plaintext but using SASL structure to pass it. So which one is it?
There was a problem hiding this comment.
saramaconfig only has SASL struct. below is the code snippet.
// SASL based authentication with broker. While there are multiple SASL authentication methods
// the current implementation is limited to plaintext (SASL/PLAIN) authentication
SASL struct {
// Whether or not to use SASL authentication when connecting to the broker
// (defaults to false).
Enable bool
// SASLMechanism is the name of the enabled SASL mechanism.
// Possible values: OAUTHBEARER, PLAIN (defaults to PLAIN).
Mechanism SASLMechanism
// Whether or not to send the Kafka SASL handshake first if enabled
// (defaults to true). You should only set this to false if you're using
// a non-Kafka SASL proxy.
Handshake bool
//username and password for SASL/PLAIN or SASL/SCRAM authentication
User string
Password string
There was a problem hiding this comment.
well, then this is "plain", not "plaintext", because credentials are still sent over encrypted channel. From the docs:
PLAINversusPLAINTEXTDo not confuse the SASL mechanism PLAIN with no SSL encryption being called PLAINTEXT.
There was a problem hiding this comment.
From Confluent slack channel:
None of the SASL mechanisms encrypt wire data not even GSSAPI. You have to enable TLS for that.
There was a problem hiding this comment.
https://docs.confluent.io/current/kafka/authentication_ssl.html
By default, Apache Kafka® communicates in PLAINTEXT, which means that all data is sent in the clear. To encrypt communication, it is recommended to configure all the Confluent Platform components in your deployment to use SSL encryption.
pavolloffay
changed the title
Configure Jager Collector to work with Kafka With Basic Authentication
Resolves #1966
Signed-off-by: chandresh-pancholi [email protected]
Which problem is this PR solving?
Short description of the changes