Add authentication support to kafka

Signed-off-by: Pavol Loffay <ploffay@redhat.com>
jpkrohling · Sep 16, 2020 · 9994700 · 9994700
1 parent 471c4a6
commit 9994700
Show file tree

Hide file tree

Showing 17 changed files with 308 additions and 4 deletions.
diff --git a/exporter/kafkaexporter/README.md b/exporter/kafkaexporter/README.md
@@ -14,6 +14,23 @@ The following settings can be optionally configured:
   - `otlp_proto`: the payload is serialized to `ExportTraceServiceRequest`.
   - `jaeger_proto`: the payload is serialized to a single Jaeger proto `Span`.
   - `jaeger_json`: the payload is serialized to a single Jaeger JSON Span using `jsonpb`.
+- `authentication`
+  - `type` (default = none): The authentication type. Supported types are `plain_text`, `tls`, `kerberos`.
+  - `plain_text`
+    - `username`: The username to use.
+    - `password`: The password to use
+  - `tls`
+    - `ca_file` path to the CA cert. For a client this verifies the server certificate. Should
+      only be used if `insecure` is set to true.
+    - `cert_file` path to the TLS cert to use for TLS required connections. Should
+      only be used if `insecure` is set to true.
+    - `key_file` path to the TLS key to use for TLS required connections. Should
+      only be used if `insecure` is set to true.
+    - `insecure`  (default = false): Disable verifying the server's certificate chain and host 
+      name (`InsecureSkipVerify` in the tls config)
+    - `server_name_override`: ServerName indicates the name of the server requested by the client
+      in order to support virtual hosting.
+>>>>>>> Add authentication support to kafka
 - `metadata`
   - `full` (default = true): Whether to maintain a full set of metadata. 
                                     When disabled the client does not make the initial request to broker at the startup.

diff --git a/exporter/kafkaexporter/authentication.go b/exporter/kafkaexporter/authentication.go
@@ -0,0 +1,74 @@
+// Copyright  The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kafkaexporter
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/Shopify/sarama"
+
+	"go.opentelemetry.io/collector/config/configtls"
+)
+
+// ConfigureAuthentication configures authentication in sarama.Config.
+func ConfigureAuthentication(config Authentication, saramaConfig *sarama.Config) error {
+	switch AuthType(strings.TrimSpace(string(config.Type))) {
+	case AuthTypeNone, "":
+		return nil
+	case AuthTypeTLS:
+		return configureTLS(config.TLS, saramaConfig)
+	case AuthTypeKerberos:
+		configureKerberos(config.Kerberos, saramaConfig)
+		return nil
+	case AuthTypePlaintext:
+		configurePlaintext(config.PlainText, saramaConfig)
+		return nil
+	default:
+		return fmt.Errorf("unknown/unsupported authentication method %v to kafka cluster", config.Type)
+	}
+}
+
+func configurePlaintext(config PlainTextConfig, saramaConfig *sarama.Config) {
+	saramaConfig.Net.SASL.Enable = true
+	saramaConfig.Net.SASL.User = config.Username
+	saramaConfig.Net.SASL.Password = config.Password
+}
+
+func configureTLS(config configtls.TLSClientSetting, saramaConfig *sarama.Config) error {
+	tlsConfig, err := config.LoadTLSConfig()
+	if err != nil {
+		return fmt.Errorf("error loading tls config: %w", err)
+	}
+	saramaConfig.Net.TLS.Enable = true
+	saramaConfig.Net.TLS.Config = tlsConfig
+	return nil
+}
+
+func configureKerberos(config KerberosConfig, saramaConfig *sarama.Config) {
+	saramaConfig.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
+	saramaConfig.Net.SASL.Enable = true
+	if config.UseKeyTab {
+		saramaConfig.Net.SASL.GSSAPI.KeyTabPath = config.KeyTabPath
+		saramaConfig.Net.SASL.GSSAPI.AuthType = sarama.KRB5_KEYTAB_AUTH
+	} else {
+		saramaConfig.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
+		saramaConfig.Net.SASL.GSSAPI.Password = config.Password
+	}
+	saramaConfig.Net.SASL.GSSAPI.KerberosConfigPath = config.ConfigPath
+	saramaConfig.Net.SASL.GSSAPI.Username = config.Username
+	saramaConfig.Net.SASL.GSSAPI.Realm = config.Realm
+	saramaConfig.Net.SASL.GSSAPI.ServiceName = config.ServiceName
+}
diff --git a/exporter/kafkaexporter/authentication_test.go b/exporter/kafkaexporter/authentication_test.go
@@ -0,0 +1,97 @@
+// Copyright  The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kafkaexporter
+
+import (
+	"testing"
+
+	"github.com/Shopify/sarama"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"go.opentelemetry.io/collector/config/configtls"
+)
+
+func TestAuthentication(t *testing.T) {
+	saramaPlaintext := &sarama.Config{}
+	saramaPlaintext.Net.SASL.Enable = true
+	saramaPlaintext.Net.SASL.User = "jdoe"
+	saramaPlaintext.Net.SASL.Password = "pass"
+
+	saramaTLSCfg := &sarama.Config{}
+	saramaTLSCfg.Net.TLS.Enable = true
+	tlsClient := configtls.TLSClientSetting{}
+	tlscfg, err := tlsClient.LoadTLSConfig()
+	require.NoError(t, err)
+	saramaTLSCfg.Net.TLS.Config = tlscfg
+
+	saramaKerberosCfg := &sarama.Config{}
+	saramaKerberosCfg.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
+	saramaKerberosCfg.Net.SASL.Enable = true
+	saramaKerberosCfg.Net.SASL.GSSAPI.ServiceName = "foobar"
+	saramaKerberosCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
+
+	saramaKerberosKeyTabCfg := &sarama.Config{}
+	saramaKerberosKeyTabCfg.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
+	saramaKerberosKeyTabCfg.Net.SASL.Enable = true
+	saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.KeyTabPath = "/path"
+	saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_KEYTAB_AUTH
+
+	tests := []struct {
+		auth         Authentication
+		saramaConfig *sarama.Config
+		err          string
+	}{
+		{
+			auth: Authentication{Type: AuthType("foo")},
+			err:  "unknown/unsupported authentication method",
+		},
+		{
+			auth:         Authentication{Type: AuthTypePlaintext, PlainText: PlainTextConfig{Username: "jdoe", Password: "pass"}},
+			saramaConfig: saramaPlaintext,
+		},
+		{
+			auth:         Authentication{Type: AuthTypeTLS, TLS: configtls.TLSClientSetting{}},
+			saramaConfig: saramaTLSCfg,
+		},
+		{
+			auth: Authentication{Type: AuthTypeTLS, TLS: configtls.TLSClientSetting{
+				TLSSetting: configtls.TLSSetting{CAFile: "/doesnotexists"},
+			}},
+			saramaConfig: saramaTLSCfg,
+			err:          "failed to load TLS config",
+		},
+		{
+			auth:         Authentication{Type: AuthTypeKerberos, Kerberos: KerberosConfig{ServiceName: "foobar"}},
+			saramaConfig: saramaKerberosCfg,
+		},
+		{
+			auth:         Authentication{Type: AuthTypeKerberos, Kerberos: KerberosConfig{UseKeyTab: true, KeyTabPath: "/path"}},
+			saramaConfig: saramaKerberosKeyTabCfg,
+		},
+	}
+	for _, test := range tests {
+		t.Run(string(test.auth.Type), func(t *testing.T) {
+			config := &sarama.Config{}
+			err := ConfigureAuthentication(test.auth, config)
+			if test.err != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), test.err)
+			} else {
+				assert.Equal(t, test.saramaConfig, config)
+			}
+		})
+	}
+}
diff --git a/exporter/kafkaexporter/config.go b/exporter/kafkaexporter/config.go
@@ -18,6 +18,7 @@ import (
 	"time"
 
 	"go.opentelemetry.io/collector/config/configmodels"
+	"go.opentelemetry.io/collector/config/configtls"
 	"go.opentelemetry.io/collector/exporter/exporterhelper"
 )
 
@@ -41,8 +42,47 @@ type Config struct {
 	// Client, and shared by the Producer/Consumer.
 	Metadata Metadata `mapstructure:"metadata"`
 
-	// TODO authentication
-	// TODO batch settings
+	// Authentication defines used authentication mechanism.
+	Authentication Authentication `mapstructure:"authentication"`
+}
+
+// AuthType defines authentication type
+type AuthType string
+
+const (
+	// No authentication
+	AuthTypeNone AuthType = "none"
+	// Plain text authentication
+	AuthTypePlaintext AuthType = "plain_text"
+	// TLS authentication
+	AuthTypeTLS AuthType = "tls"
+	// Kerberos authentication
+	AuthTypeKerberos AuthType = "kerberos"
+)
+
+// Authentication defines authentication.
+type Authentication struct {
+	Type      AuthType                   `mapstructure:"type"`
+	PlainText PlainTextConfig            `mapstructure:"plain_text"`
+	TLS       configtls.TLSClientSetting `mapstructure:"tls"`
+	Kerberos  KerberosConfig             `mapstructure:"kerberos"`
+}
+
+// PlainTextConfig defines plaintext authentication.
+type PlainTextConfig struct {
+	Username string `mapstructure:"username"`
+	Password string `mapstructure:"password"`
+}
+
+// KerberosConfig defines kereros configuration.
+type KerberosConfig struct {
+	ServiceName string `mapstructure:"service_name"`
+	Realm       string `mapstructure:"realm"`
+	UseKeyTab   bool   `mapstructure:"use_keytab"`
+	Username    string `mapstructure:"username"`
+	Password    string `mapstructure:"password" json:"-"`
+	ConfigPath  string `mapstructure:"config_file"`
+	KeyTabPath  string `mapstructure:"keytab_file"`
 }
 
 // Metadata defines configuration for retrieving metadata from the broker.

diff --git a/exporter/kafkaexporter/config_test.go b/exporter/kafkaexporter/config_test.go
@@ -61,6 +61,13 @@ func TestLoadConfig(t *testing.T) {
 		Topic:    "spans",
 		Encoding: "otlp_proto",
 		Brokers:  []string{"foo:123", "bar:456"},
+		Authentication: Authentication{
+			Type: "plain_text",
+			PlainText: PlainTextConfig{
+				Username: "jdoe",
+				Password: "pass",
+			},
+		},
 		Metadata: Metadata{
 			Full: false,
 			Retry: MetadataRetry{

diff --git a/exporter/kafkaexporter/factory.go b/exporter/kafkaexporter/factory.go
@@ -77,6 +77,9 @@ func createDefaultConfig() configmodels.Exporter {
 		Brokers:         []string{defaultBroker},
 		Topic:           defaultTopic,
 		Encoding:        defaultEncoding,
+		Authentication: Authentication{
+			Type: AuthTypeNone,
+		},
 		Metadata: Metadata{
 			Full: defaultMetadataFull,
 			Retry: MetadataRetry{

diff --git a/exporter/kafkaexporter/factory_test.go b/exporter/kafkaexporter/factory_test.go
@@ -32,6 +32,7 @@ func TestCreateDefaultConfig(t *testing.T) {
 	assert.NoError(t, configcheck.ValidateConfig(cfg))
 	assert.Equal(t, []string{defaultBroker}, cfg.Brokers)
 	assert.Equal(t, defaultTopic, cfg.Topic)
+	assert.Equal(t, AuthTypeNone, cfg.Authentication.Type)
 }
 
 func TestCreateTracesExporter(t *testing.T) {

diff --git a/exporter/kafkaexporter/kafka_exporter.go b/exporter/kafkaexporter/kafka_exporter.go
@@ -61,6 +61,9 @@ func newExporter(config Config, params component.ExporterCreateParams, marshalle
 		}
 		c.Version = version
 	}
+	if err := ConfigureAuthentication(config.Authentication, c); err != nil {
+		return nil, err
+	}
 	producer, err := sarama.NewSyncProducer(config.Brokers, c)
 	if err != nil {
 		return nil, err

diff --git a/exporter/kafkaexporter/kafka_exporter_test.go b/exporter/kafkaexporter/kafka_exporter_test.go
@@ -39,11 +39,26 @@ func TestNewExporter_err_version(t *testing.T) {
 
 func TestNewExporter_err_encoding(t *testing.T) {
 	c := Config{Encoding: "foo"}
-	exp, err := newExporter(c, component.ExporterCreateParams{}, map[string]Marshaller{})
+	exp, err := newExporter(c, component.ExporterCreateParams{}, defaultMarshallers())
 	assert.EqualError(t, err, errUnrecognizedEncoding.Error())
 	assert.Nil(t, exp)
 }
 
+func TestNewExporter_err_auth_type(t *testing.T) {
+	c := Config{
+		ProtocolVersion: "2.0.0",
+		Authentication:  Authentication{Type: AuthType("foo")},
+		Encoding:        defaultEncoding,
+		Metadata: Metadata{
+			Full: false,
+		},
+	}
+	exp, err := newExporter(c, component.ExporterCreateParams{}, defaultMarshallers())
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "unknown/unsupported authentication method")
+	assert.Nil(t, exp)
+}
+
 func TestTraceDataPusher(t *testing.T) {
 	c := sarama.NewConfig()
 	producer := mocks.NewSyncProducer(t, c)

diff --git a/exporter/kafkaexporter/testdata/config.yaml b/exporter/kafkaexporter/testdata/config.yaml
@@ -9,6 +9,11 @@ exporters:
       retry:
         max: 15
     timeout: 10s
+    authentication:
+      type: plain_text
+      plain_text:
+        username: jdoe
+        password: pass
     sending_queue:
       enabled: true
       num_consumers: 2

diff --git a/receiver/kafkareceiver/README.md b/receiver/kafkareceiver/README.md
@@ -17,6 +17,22 @@ The following settings can be optionally configured:
   - `zipkin_thrift`: the payload is deserialized into Zipkin Thrift spans.
 - `group_id` (default = otel-collector):  The consumer group that receiver will be consuming messages from
 - `client_id` (default = otel-collector): The consumer client ID that receiver will use
+- `authentication`
+  - `type` (default = none): The authentication type. Supported types are `plain_text`, `tls`, `kerberos`.
+  - `plain_text`
+    - `username`: The username to use.
+    - `password`: The password to use
+  - `tls`
+    - `ca_file` path to the CA cert. For a client this verifies the server certificate. Should
+      only be used if `insecure` is set to true.
+    - `cert_file` path to the TLS cert to use for TLS required connections. Should
+      only be used if `insecure` is set to true.
+    - `key_file` path to the TLS key to use for TLS required connections. Should
+      only be used if `insecure` is set to true.
+    - `insecure`  (default = false): Disable verifying the server's certificate chain and host 
+      name (`InsecureSkipVerify` in the tls config)
+    - `server_name_override`: ServerName indicates the name of the server requested by the client
+      in order to support virtual hosting.
 - `metadata`
   - `full` (default = true): Whether to maintain a full set of metadata. 
            When disabled the client does not make the initial request to broker at the startup.

diff --git a/receiver/kafkareceiver/config.go b/receiver/kafkareceiver/config.go
@@ -39,5 +39,5 @@ type Config struct {
 	// Client, and shared by the Producer/Consumer.
 	Metadata kafkaexporter.Metadata `mapstructure:"metadata"`
 
-	// TODO authentication
+	Authentication kafkaexporter.Authentication `mapstructure:"authentication"`
 }
diff --git a/receiver/kafkareceiver/config_test.go b/receiver/kafkareceiver/config_test.go
@@ -25,6 +25,7 @@ import (
 	"go.opentelemetry.io/collector/component/componenttest"
 	"go.opentelemetry.io/collector/config/configmodels"
 	"go.opentelemetry.io/collector/config/configtest"
+	"go.opentelemetry.io/collector/config/configtls"
 	"go.opentelemetry.io/collector/exporter/kafkaexporter"
 )
 
@@ -49,6 +50,16 @@ func TestLoadConfig(t *testing.T) {
 		Brokers:  []string{"foo:123", "bar:456"},
 		ClientID: "otel-collector",
 		GroupID:  "otel-collector",
+		Authentication: kafkaexporter.Authentication{
+			Type: kafkaexporter.AuthTypeTLS,
+			TLS: configtls.TLSClientSetting{
+				TLSSetting: configtls.TLSSetting{
+					CAFile:   "ca.pem",
+					CertFile: "cert.pem",
+					KeyFile:  "key.pem",
+				},
+			},
+		},
 		Metadata: kafkaexporter.Metadata{
 			Full: true,
 			Retry: kafkaexporter.MetadataRetry{