
[exporter/kafkaexporter] Add option to disable kerberos PA_FX_FAST #26346

Closed


@swythan swythan commented Aug 31, 2023

Description:

Adds a `disable_fast_negotiation` config option to the kafkareceiver, kafkametricsreceiver and kafkaexporter that allows PA_FX_FAST pre-authentication FAST negotiation to be disabled. This is required to allow auth using (some?) Active Directory controllers.

See:
https://github.com/jcmturner/gokrb5/blob/master/USAGE.md#active-directory-kdc-and-fast-negotiation

I named the option to match a similar one in Vault.
https://developer.hashicorp.com/vault/docs/auth/kerberos#disable_fast_negotiation

Link to tracking Issue: #26345

Testing:
I've added a unit test to check that it is plumbed through to the sarama library, but I've not tested the built binary.

I'd appreciate any guidance there, as I'd have to get a collector docker image built with this change.

Documentation:
I've added the option to the relevant README files.


linux-foundation-easycla bot commented Aug 31, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

@swythan swythan changed the title 26345_kafka_DisablePAFXFAST Add config option to disable kerberos PA_FX_FAST in kfaka components Aug 31, 2023
@swythan swythan changed the title Add config option to disable kerberos PA_FX_FAST in kfaka components Add config option to disable kerberos PA_FX_FAST in kafka components Aug 31, 2023
@swythan swythan changed the title Add config option to disable kerberos PA_FX_FAST in kafka components [exporter/kafkaexporter] Add option to disable kerberos PA_FX_FAST Sep 9, 2023

swythan commented Sep 25, 2023

A quick update on testing:

I managed to get this patched into a ~0.81 copy of the source, and deployed it in my company network. I'm pretty sure the config option is wired up properly and effective, but I'm now getting a different problem getting the connection working (unexpected EOF which isn't super-helpful).

I think this patch is still useful, but I don't yet know whether it's enough to authenticate fully with a Windows AD controller.


mguggi commented Oct 5, 2023

For us, this PR would be very useful!

@bogdandrutu Is there any plan when this PR can be merged? In our environment, the kafkareceiver would only work if we can turn off the FAST negotiation.


swythan commented Oct 6, 2023

@mguggi Have you tested this?

I'm trying to test in my environment, but I've not been able to get past my problem above. If you can verify it's working for you I'm sure that would help in getting it merged.


mguggi commented Oct 6, 2023

@swythan Yes, I've tested your changes and they work in our environment.

I created a fork yesterday, from the main branch (~v0.86.0), and created a PR from the branch (swythan:26345_kafka_DisablePAFXFAST) of your fork. After applying the PR and building the binary, my configuration worked as desired.

@github-actions

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Oct 21, 2023

swythan commented Oct 22, 2023

@bogdandrutu Do you need anything from me to get this merged?

I suspect I'll not be able to get much further testing in my environment very soon, but @mguggi was able to test that it actually works and I don't think it's particularly complex or controversial.

@github-actions github-actions bot removed the Stale label Oct 23, 2023

github-actions bot commented Nov 7, 2023

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Nov 7, 2023

swythan commented Nov 7, 2023

This is still active. Waiting on @bogdandrutu

@github-actions github-actions bot removed the Stale label Nov 8, 2023

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Nov 23, 2023

mguggi commented Nov 23, 2023

This is still active. Still waiting on @bogdandrutu

@github-actions github-actions bot removed the Stale label Nov 25, 2023

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Dec 10, 2023

alexk82 commented Dec 11, 2023

I'm also waiting for this PR to be merged.

Can I somehow help to get this merged?

@github-actions github-actions bot removed the Stale label Dec 12, 2023

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Dec 26, 2023

swythan commented Jan 4, 2024

Looks like the code has been restructured in main. It shouldn't be too difficult to re-do this PR if there's any chance of it getting merged.

@github-actions github-actions bot removed the Stale label Jan 5, 2024

mguggi commented Jan 11, 2024

@bogdandrutu, @pavolloffay or @dmitryax Are there any plans to fix this problem in upcoming releases?


This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Jan 26, 2024

Closed as inactive. Feel free to reopen if this PR is still being worked on.

@github-actions github-actions bot closed this Feb 10, 2024