Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose kerberos fast negotiation configuration #1466

Merged
merged 2 commits into from
May 22, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions gssapi_kerberos.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ type GSSAPIConfig struct {
Username string
Password string
Realm string
DisablePAFXFAST bool
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm seeing some test for this API here sarama/kerberos_client_test.go, might worth to add a test that includes DisablePAFXFAST

}

type GSSAPIKerberosAuth struct {
Expand Down
15 changes: 5 additions & 10 deletions kerberos_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,9 @@ func (c *KerberosGoKrb5Client) CName() types.PrincipalName {
return c.Credentials.CName()
}

/*
*
* Create kerberos client used to obtain TGT and TGS tokens
* used gokrb5 library, which is a pure go kerberos client with
* some GSS-API capabilities, and SPNEGO support. Kafka does not use SPNEGO
* it uses pure Kerberos 5 solution (RFC-4121 and RFC-4120).
*
*/
// NewKerberosClient creates kerberos client used to obtain TGT and TGS tokens.
// It uses pure go Kerberos 5 solution (RFC-4121 and RFC-4120).
// uses gokrb5 library underlying which is a pure go kerberos client with some GSS-API capabilities.
func NewKerberosClient(config *GSSAPIConfig) (KerberosClient, error) {
cfg, err := krb5config.Load(config.KerberosConfigPath)
if err != nil {
Expand All @@ -42,10 +37,10 @@ func createClient(config *GSSAPIConfig, cfg *krb5config.Config) (KerberosClient,
if err != nil {
return nil, err
}
client = krb5client.NewClientWithKeytab(config.Username, config.Realm, kt, cfg)
client = krb5client.NewClientWithKeytab(config.Username, config.Realm, kt, cfg, krb5client.DisablePAFXFAST(config.DisablePAFXFAST))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and now that you're modifying this file, could you please update the NewKerberosClient func comment to make it go friendly

image

Copy link
Contributor Author

@rubenvp8510 rubenvp8510 Aug 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure I'll do! I'm new using golang, so thanks for pointing me to the conventions.

} else {
client = krb5client.NewClientWithPassword(config.Username,
config.Realm, config.Password, cfg)
config.Realm, config.Password, cfg, krb5client.DisablePAFXFAST(config.DisablePAFXFAST))
}
return &KerberosGoKrb5Client{*client}, nil
}
24 changes: 24 additions & 0 deletions kerberos_client_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,3 +84,27 @@ func TestCreateWithKeyTab(t *testing.T) {
t.Errorf("Expected error:%s, got:%s.", err, expectedErr)
}
}

func TestCreateWithDisablePAFXFAST(t *testing.T) {
kerberosConfig, err := krbcfg.NewConfigFromString(testdata.TEST_KRB5CONF)
if err != nil {
t.Fatal(err)
}
// Expect to try to create a client with keytab and fails with "o such file or directory" error
expectedErr := errors.New("open nonexist.keytab: no such file or directory")
clientConfig := NewConfig()
clientConfig.Net.SASL.Mechanism = SASLTypeGSSAPI
clientConfig.Net.SASL.Enable = true
clientConfig.Net.SASL.GSSAPI.ServiceName = "kafka"
clientConfig.Net.SASL.GSSAPI.Realm = "EXAMPLE.COM"
clientConfig.Net.SASL.GSSAPI.Username = "client"
clientConfig.Net.SASL.GSSAPI.AuthType = KRB5_KEYTAB_AUTH
clientConfig.Net.SASL.GSSAPI.KeyTabPath = "nonexist.keytab"
clientConfig.Net.SASL.GSSAPI.KerberosConfigPath = "/etc/krb5.conf"
clientConfig.Net.SASL.GSSAPI.DisablePAFXFAST = true

_, err = createClient(&clientConfig.Net.SASL.GSSAPI, kerberosConfig)
if err.Error() != expectedErr.Error() {
t.Errorf("Expected error:%s, got:%s.", err, expectedErr)
}
}