terraform-provider-kafka
Enable the GSSAPI SASL mechanism for kerberos-based authentication
Overview
There are a multitude of ways to connect to Kafka brokers. While this provider currently supports authenticating with sasl_mechanism=plain/scram-sha512/scram-sha256, for security reasons some production Kafka brokers only enable authentication with GSSAPI (full details here), so the provider doesn't work for these Kafka clusters.
Looking at the IBM Sarama library, it already supports the GSSAPI SASL mechanism along with tuning GSSAPI-specific configuration (code snippet here), so it will take some work but we won't have to reinvent the wheel.
Expected Behaviour
Apart from the existing Kafka authentication methods, the provider should allow authenticating using GSSAPI for Kerberos too. Authentication should also support using a Kerberos keytab.
Example
```hcl
provider "kafka" {
  bootstrap_servers           = ["localhost:9092"]
  sasl_mechanism              = "GSSAPI"
  gssapi_keytab_path          = string
  gssapi_username             = string
  gssapi_realm                = string
  gssapi_kerberos_config_path = string
  gssapi_disable_pafx_fast    = bool
}
```
What to update
Within kafka/provider.go, add the following new fields to the provider definition and allow "GSSAPI" as an additional saslMechanism switch-case:
- gssapi_keytab_path (string)
- gssapi_username (string)
- gssapi_realm (string)
- gssapi_kerberos_config_path (string)
- gssapi_disable_pafx_fast (bool)
Within kafka/config.go, add an additional switch-case for the "GSSAPI" saslMechanism and configure the following on the sarama.Config used to create the sarama.Client instance:
```go
// Select GSSAPI as the SASL mechanism and authenticate with a keytab rather
// than a password, mapping each provider field onto Sarama's GSSAPIConfig.
kafkaConfig.Net.SASL.Mechanism = sarama.SASLMechanism(sarama.SASLTypeGSSAPI)
kafkaConfig.Net.SASL.GSSAPI.AuthType = sarama.KRB5_KEYTAB_AUTH
kafkaConfig.Net.SASL.GSSAPI.KeyTabPath = c.GSSAPIConfig.KeytabPath
kafkaConfig.Net.SASL.GSSAPI.Username = c.GSSAPIConfig.Username
kafkaConfig.Net.SASL.GSSAPI.ServiceName = c.GSSAPIConfig.ServiceName
kafkaConfig.Net.SASL.GSSAPI.Realm = c.GSSAPIConfig.Realm
kafkaConfig.Net.SASL.GSSAPI.KerberosConfigPath = c.GSSAPIConfig.KerberosConfigPath
kafkaConfig.Net.SASL.GSSAPI.DisablePAFXFAST = c.GSSAPIConfig.DisablePAFXFAST
```