Overview
There are a multitude of ways to connect to Kafka brokers; while this provider currently supports authenticating with sasl_mechanism=plain/scram-sha512/scram-sha256, for security reasons some production Kafka brokers only enable authenticating with GSSAPI (full details here), thus the provider doesn't work for these Kafka clusters.
Looking at the IBM Sarama library, it already supports the GSSAPI SASL mechanism along with tuning GSSAPI-specific configurations (code snippet here), so it'll take some work but we won't have to reinvent the wheel.
Expected Behaviour
Apart from existing Kafka authentication methods, the provider should allow authenticating using GSSAPI for Kerberos too. Authenticating should support using a Kerberos keytab as well.
What to update
Within kafka/provider.go, add a couple of new fields to the provider definition and allow "GSSAPI" as an additional saslMechanism switch-case:
gssapi_keytab_path (string)
gssapi_username (string)
gssapi_realm (string)
gssapi_kerberos_config_path (string)
gssapi_disable_pafx_fast (bool)
Within kafka/config.go, add an additional switch-case for "GSSAPI" saslMechanism and configure the following for the sarama.Client class instance: