kafka-proxy
Proxy initiated authentication with "dynamic" SASL credentials?
Question:
I have a scenario where I would like kafka-proxy to initiate SASL PLAIN with a kafka broker using credentials passed in from the client.
Proposed flow:
- client does mutual TLS with kafka-proxy
- Client TLS cert would contain the SASL credentials embedded (Probably in the CNAME)
- kafka-proxy would have a new flag to enable this passthrough route
- kafka-proxy parses the credentials out of the client TLS cert and uses those to initiate SASL
Looking at the code, I think the most relevant changes could be done in client.go (I realize other parts of the code would need to be changed as well):
- handleConn would parse the credentials from the x509 Certificate
- create a new SASLPlainAuth struct from Client.saslAuthByProxy and copy the username/password extracted from the TLS cert
- DialAndAuth and auth() would be modified to take in this "dynamic" SASLPlainAuth struct and call sendAndReceiveSASLAuth on that same struct to connect to the broker
Would you be open to supporting this pattern? If so we are more than happy to contribute the needed changes.
Please feel free to contribute.
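The credential-extraction step proposed in the question, as an added Go example that is not from the kafka-proxy code base or from the thread's participants. It assumes the certificate Subject CN carries `username:password` (the thread does not define an encoding), and `tokenForConn`, `saslPlainToken` and `sampleState` are hypothetical names; it takes the leaf from `VerifiedChains` and rejects NUL bytes, which would otherwise shift the field boundaries of the SASL PLAIN message.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// tokenForConn is a hypothetical helper. It assumes the Subject CN holds
// "username:password" and returns the SASL PLAIN token for that client.
func tokenForConn(st tls.ConnectionState) ([]byte, error) {
	// PeerCertificates is set even when verification is not enforced; require a verified chain.
	if len(st.VerifiedChains) == 0 || len(st.VerifiedChains[0]) == 0 {
		return nil, errors.New("client certificate was not verified")
	}
	parts := strings.SplitN(st.VerifiedChains[0][0].Subject.CommonName, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return nil, errors.New("CN does not contain username:password")
	}
	return saslPlainToken(parts[0], parts[1])
}

// saslPlainToken builds the RFC 4616 message: [authzid] NUL authcid NUL passwd.
// A NUL inside either field would shift the field boundaries, so it is rejected.
func saslPlainToken(user, pass string) ([]byte, error) {
	if strings.ContainsRune(user, 0) || strings.ContainsRune(pass, 0) {
		return nil, errors.New("NUL byte in credentials")
	}
	return []byte("\x00" + user + "\x00" + pass), nil
}

// sampleState builds a constructed ConnectionState for the demo (no real handshake).
func sampleState(cn string, verified bool) tls.ConnectionState {
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	if verified {
		return tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{cert}}}
	}
	return tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}
}

func main() {
	tok, err := tokenForConn(sampleState("svc-orders:s3cret", true))
	fmt.Printf("%q %v\n", tok, err)
}
```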