-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add basic authentication to Kafka storage #1983
Add basic authentication to Kafka storage #1983
Conversation
…jaegertracing#1966 Signed-off-by: chandresh-pancholi <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #1983 +/- ##
==========================================
+ Coverage 96.94% 96.96% +0.01%
==========================================
Files 202 202
Lines 10068 10068
==========================================
+ Hits 9760 9762 +2
+ Misses 269 267 -2
Partials 39 39
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Chandresh-Pancholi! I was very happy when I saw your pull request regarding kafka basic auth. I want to connect a Kafka enabled Azure Event Hub to jaeger-ingest and jaeger-collector. Unfortunatly there is currently no support for e.g. these properties:
sasl.mechanism=PLAIN
security.protocol=SASL_SSL
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="$ConnectionString"
password="{MY.EVENTHUBS.CONNECTION.STRING}";
Examples for Azure Event Hubs for Kafka connections: https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials
It would be nice if you could add that to your PR too cause this would enable a lot of people that are using Azure EH (kafka enabled) to connect jaeger to their solutions. Does it make sense for you?
flagSet.String( | ||
configPrefix+plainTextPrefix+suffixPlainTextUserName, | ||
defaultPlainTextUserName, | ||
"The plaintext Username for SASL/PLAIN authentication") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't we call it basic like in other flags?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kafka and Sarama always mentioned it as Plaintext. Shall I change it to basic?
I can replace "plainText" to "basicAuth"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd keep it as plaintext to match Kafka documentation.
I never used Azure Event bus. Let me spend some time over the weekend. It would be great if you can create another issue specific to Azure Event bus. Let these changes go live for now. |
Hi chandresh-pancholi! Thanks for your quick response. As requested I created a separate issue for it: #1989. I also referenced this one here. Regards and Merry X-Mas :-) |
pkg/kafka/auth/options.go
Outdated
@@ -99,6 +106,17 @@ func addTLSFlags(configPrefix string, flagSet *flag.FlagSet) { | |||
"Path to the TLS Key for the Kafka connection") | |||
} | |||
|
|||
func addPlainTextFlag(configPrefix string, flagSet *flag.FlagSet) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func addPlainTextFlag(configPrefix string, flagSet *flag.FlagSet) { | |
func addPlainTextFlags(configPrefix string, flagSet *flag.FlagSet) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed.
func setPlainTextConfiguration(config *PlainTextConfig, saramaConfig *sarama.Config) { | ||
saramaConfig.Net.SASL.Enable = true | ||
saramaConfig.Net.SASL.User = config.UserName | ||
saramaConfig.Net.SASL.Password = config.Password |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this doesn't track. Kafka docs https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_plain.html mention "plaintext" as an alternative to SASL "plain", but here we seem to make them the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please correct me if I understood it, You are trying to say rather than using "PlainText" we shall use "Plain".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no, I am saying Kafka docs make clear distinction between those two methods, but in this code we seem to treat them as the same thing: calling it plaintext but using SASL structure to pass it. So which one is it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
saramaconfig only has SASL struct. below is the code snippet.
// SASL based authentication with broker. While there are multiple SASL authentication methods
// the current implementation is limited to plaintext (SASL/PLAIN) authentication
SASL struct {
// Whether or not to use SASL authentication when connecting to the broker
// (defaults to false).
Enable bool
// SASLMechanism is the name of the enabled SASL mechanism.
// Possible values: OAUTHBEARER, PLAIN (defaults to PLAIN).
Mechanism SASLMechanism
// Whether or not to send the Kafka SASL handshake first if enabled
// (defaults to true). You should only set this to false if you're using
// a non-Kafka SASL proxy.
Handshake bool
//username and password for SASL/PLAIN or SASL/SCRAM authentication
User string
Password string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
well, then this is "plain", not "plaintext", because credentials are still sent over encrypted channel. From the docs:
PLAIN
versusPLAINTEXT
Do not confuse the SASL mechanism PLAIN with no SSL encryption being called PLAINTEXT.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From Confluent slack channel:
None of the SASL mechanisms encrypt wire data not even GSSAPI. You have to enable TLS for that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://docs.confluent.io/current/kafka/authentication_ssl.html
By default, Apache Kafka® communicates in PLAINTEXT, which means that all data is sent in the clear. To encrypt communication, it is recommended to configure all the Confluent Platform components in your deployment to use SSL encryption.
Configure Jager Collector to work with Kafka With Basic Authentication
Resolves #1966
Signed-off-by: chandresh-pancholi [email protected]
Which problem is this PR solving?
Short description of the changes