WIP - Adding scram authentication for kafka #2110
Conversation
TheDavidKruse
changed the title
pkg/kafka/auth/scram.go
Outdated
| saramaConfig.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &SCRAMClient{HashGeneratorFcn: SHA256} } | ||
| saramaConfig.Net.SASL.Mechanism = sarama.SASLMechanism(sarama.SASLTypeSCRAMSHA256) | ||
| } else { | ||
| errors.Errorf("invalid SHA algorithm '%s': can be either 'sha256' or 'sha512'", config.algorithm) |
There was a problem hiding this comment.
missing return? and consequently, missing unit test for it?
There was a problem hiding this comment.
I added a unit test with instantiating the scramConfig itself but adding initFromViper test soon if I can get it working.
TheDavidKruse
force-pushed
the
kafka-scram
branch
from
8b2ef89
to
17b5348
Compare
Codecov Report
@@ Coverage Diff @@
## master #2110 +/- ##
==========================================
+ Coverage 95.73% 96.14% +0.40%
==========================================
Files 216 219 +3
Lines 9599 10585 +986
==========================================
+ Hits 9190 10177 +987
- Misses 336 351 +15
+ Partials 73 57 -16
Continue to review full report at Codecov.
|
pkg/kafka/auth/scram.go
Outdated
|
|
||
| "github.com/Shopify/sarama" | ||
| "github.com/pkg/errors" | ||
| SCRAM "github.com/xdg/scram" |
There was a problem hiding this comment.
Package name should be in lower-case. There's no need to rename it.
There was a problem hiding this comment.
"scram" is being used in the config file as a string constant for the AuthenticationConfig, I would need to change the constant name or change the name of the import of the package.
There was a problem hiding this comment.
but it's in a different file, why is it a problem?
There was a problem hiding this comment.
I believe because the constant is package scoped and so it conflicts with the standard import name of "scram". Would something like "scrampkg" be better?
There was a problem hiding this comment.
I believe that scrampkg may be better to define that it's a package, or something like xdgscram as it's the name of the import of the package github.com/xdg/scram.
I feel as though scrumclient or scramclient would be confusing as there's a struct named scramClient and scrum just seems mispelled. Those are my thoughts about those.
pkg/kafka/auth/scram.go
Outdated
| type SCRAMClient struct { | ||
| *SCRAM.Client | ||
| *SCRAM.ClientConversation | ||
| SCRAM.HashGeneratorFcn |
There was a problem hiding this comment.
Is there any need for embedding these? If not, it's better to give them private field names, because otherwise all their methods are leaking into the scramClient API.
There was a problem hiding this comment.
Afaik they're based in the interface for the sarama config to begin using Scram and need to be embedded for the Begin, Step and Done. Let me check and I'll reply to this comment.
There was a problem hiding this comment.
please make sure that all commits are signed (see https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md#missing-sign-offs)
Signed-off-by: david kruse <[email protected]>
TheDavidKruse
force-pushed
the
kafka-scram
branch
from
4101e43
to
bc9e1b1
Compare
Signed-off-by: david kruse <[email protected]>
go.mod
Outdated
| @@ -52,7 +52,7 @@ require ( | |||
| github.com/opentracing/opentracing-go v1.1.0 | |||
| github.com/pelletier/go-toml v1.6.0 // indirect | |||
| github.com/pierrec/lz4 v2.4.1+incompatible // indirect | |||
| github.com/pkg/errors v0.9.1 // indirect | |||
| github.com/pkg/errors v0.9.1 | |||
There was a problem hiding this comment.
you still have places where errors pkg is introduced, that's why it's moving to direct dependency. Please use fmt.Errorf
Signed-off-by: david kruse <[email protected]>
|
Please make sure to run |
|
What's the status of this PR, other than the conflicts? |
Signed-off-by: Yuri Shkuro <[email protected]>
There was a problem hiding this comment.
Is this related to the similar PR from OpenTelemetry Collector? open-telemetry/opentelemetry-collector#2322
| @@ -49,6 +49,14 @@ const ( | |||
|
|
|||
| defaultPlainTextUserName = "" | |||
| defaultPlainTextPassword = "" | |||
|
|
|||
| // Scram configuration options | |||
There was a problem hiding this comment.
Not a huge fan of the convention, but Go rules state that acronyms should be all in caps, so, SCRAM everywhere in the next few lines.
| flagSet.String( | ||
| configPrefix+scramPrefix+suffixScramUserName, | ||
| "", | ||
| "Scram username used to authenticate with the client") |
| Algorithm string `mapstructure:"algorithm"` | ||
| } | ||
|
|
||
| // SetSCRAMConfiguration ... |
|
|
||
| var mechanism sarama.SASLMechanism | ||
|
|
||
| switch config.Algorithm { |
There was a problem hiding this comment.
Matter of taste I guess, but I think the version from this PR more readable: open-telemetry/opentelemetry-collector#2322
| return nil | ||
| } | ||
|
|
||
| type scramClient struct { |
There was a problem hiding this comment.
Same comment I had in the similar PR from OpenTelemetry: you should probably do a type assert here, ensuring that this is a sarama.SCRAMClient
| }, authCfg.SCRAM) | ||
| } | ||
|
|
||
| // testing Begin, Step, and Done require a network connection to test, |
There was a problem hiding this comment.
Is it hard to mock this?
Co-authored by Zenobius Selvadhason [email protected]
Signed-off-by: david kruse [email protected]
Which problem is this PR solving?
Short description of the changes
This is a near drop-in from the sarama scram configuration they listed in their examples.