SASL SCRAM support #465
SASL SCRAM support #465
Conversation
|
I'd rather keep adding parameters to the initializer – this was a deliberate design choice that may make the code a bit harder to follow, but would be simpler for most users of the library. |
| raise FailedScramAuthentication, 'Invalid server signature' if response['v'] != server_signature | ||
| rescue FailedScramAuthentication | ||
| raise | ||
| rescue => e |
There was a problem hiding this comment.
I'd like to avoid catch-all rescues.
|
I've changed the code to use new parameters in the initializer. I also put back the validation in SaslHandshakeRequest. |
README.md
Outdated
| ```ruby | ||
| kafka = Kafka.new( | ||
| sasl_scram_username: 'username', | ||
| sasl_scram_password: 'password, |
There was a problem hiding this comment.
Oh! Forgot to validate docs..
README.md
Outdated
| kafka = Kafka.new( | ||
| sasl_scram_username: 'username', | ||
| sasl_scram_password: 'password, | ||
| sasl_scram_mechanism: Kafka::SCRAM_SHA256, |
There was a problem hiding this comment.
I'd prefer a String name of the mechanism, e.g. "sha256", as that will make it a lot easier to integrate with config files and the like.
There was a problem hiding this comment.
Ok. I can change that. Do you prefer "sha256" over "SHA-256" (the current value of the constant)?
lib/kafka.rb
Outdated
| @@ -225,6 +225,15 @@ class OffsetCommitError < Error | |||
| class FetchError < Error | |||
| end | |||
|
|
|||
| class NoPartitionsAssignedError < Error | |||
| end | |||
There was a problem hiding this comment.
I have no idea... Maybe some merge i missed.
| @@ -3,7 +3,7 @@ class SaslGssapiAuthenticator | |||
| GSSAPI_IDENT = "GSSAPI" | |||
| GSSAPI_CONFIDENTIALITY = false | |||
|
|
|||
| def initialize(connection:, logger:, sasl_gssapi_principal:, sasl_gssapi_keytab:) | |||
| def initialize(conncetion:, logger:, sasl_gssapi_principal:, sasl_gssapi_keytab:) | |||
|
|
||
| begin | ||
| msg = first_message | ||
| log_debug "[scram] Sending client's first message: #{msg}" |
There was a problem hiding this comment.
There's currently no precedent for "tagging" log lines with e.g. [scram]. Could you instead do Sending first SCRAM client message? The same for the rest of the log lines.
|
Looking good! Let me know when you need another round of review. |
It must be possible to implement new sasl types without having to modify ruby-kafka. Made authenticator parameter name more generic (remove sasl_)
|
I've changed the mechanism configuration parameters to be 'sha256' and 'sha512'. |
| # | ||
| # @param sasl_scram_mechanism [String, nil] Scram mechanism ("sha256", "sha512") | ||
| # | ||
| # @param use_ssl [Booleanm false] Use SSL |
There was a problem hiding this comment.
Why add this parameter? The decision on whether to use SSL is already done here:
ruby-kafka/lib/kafka/client.rb
Lines 528 to 529 in a0e1d14
lib/kafka/client.rb
Outdated
|
|
||
| sasl_authenticator = SaslAuthenticator.new( | ||
| sasl_authenticator ||= SaslAuthenticator.new( |
spec/fake_server.rb
Outdated
| client_id = request_decoder.string | ||
| loop do | ||
| request_bytes = decoder.bytes | ||
| request_data = Kafka::Protocol::Decoder.new(StringIO.new(request_bytes)); |
There was a problem hiding this comment.
No reason for a semicolon here.
spec/fake_server.rb
Outdated
| api_key = request_data.int16 | ||
| _api_version = request_data.int16 | ||
| correlation_id = request_data.int32 | ||
| _client_id = request_data.string |
There was a problem hiding this comment.
No reason for underscores here.
spec/fake_server.rb
Outdated
| @authenticating = true | ||
| @auth_mechanism = message | ||
| case api_key | ||
| when 17 then |
There was a problem hiding this comment.
No reason to switch to a case statement here.
|
Thanks for the hard work! ❤️ |
|
@spuun I've released v0.5.1.beta1 with this functionality – would you be able to deploy and test that version? |
|
I've tested beta2 and it seems to work just fine! 👍 |
|
@spuun great, thanks! |
Added a SASL SCRAM authenticator.
Instead of adding even more parameters to Client constructor it's now possible to inject an authenticator. This makes it possible to create custom authenticators without modifing ruby-kafka. To make this possible the mechanism validation in SaslHandshakeRequest had to be removed. Possible authentication mechanism is validated by the broker so this shouldn't be needed anyway.
It's also possible to inject a SSL context to the Client constructor.