Should SCRAM be performed by clients, i.e. pass through the proxy, or initiated by the proxy, i.e. hidden from the clients? Both options are supported for PLAINTEXT.
Feel free to contribute.
Our use case would do plaintext to the proxy, then SCRAM over SSL/TLS out to the brokers.
I am looking at adding support now. I would like your input on how I am going about it.
Add new command line parameters to the server:
Server.Flags().StringVar(&c.Kafka.SASL.Method, "sasl-method", "PLAIN", "SASL method to use (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512)")
Add a new struct called SASLSCRAMAuth.
If the SASL method is SCRAM-SHA-*, then use the new struct.
Customize the sendAndReceiveSASLAuth to handle the SCRAM workflow.
Am I missing anything?
In general that's it. Additionally proxy/client.go sets the implementation, config/config.go validates the params. There is a SASL plugin mechanism I used for OAUTHBEARER but it doesn't have to be used for SCRAM. Just do what you think is reasonable ;-)
Thank you for your contribution! I have just merged your PR and vendored xdg/scram.
release version v0.1.3
We have been using the proxy with great success to date using both PLAINTEXT and SSL endpoints. We are now wanting to do SASL authentication with SCRAM (our hosting provider uses SCRAM256 rather than PLAIN).
As best I can tell kafka-proxy currently doesn't have support for this.
I believe I will need to add a *Auth struct in sasl_by_proxy.go to handle the SCRAM portion as well as providing some command line parameters.
Any chance someone has worked on this already and has some code sitting around? If not I will likely get started hacking away.
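For readers following the thread, the client half of the SCRAM-SHA-256 workflow that a proxy-initiated login has to run toward the broker is sketched below. This is an added example, not kafka-proxy's code (the merged PR uses the vendored xdg/scram library); it uses only the Go standard library, and the names `ClientFinal`, `mac` and `xor` are hypothetical. It assumes a username that needs no SASLprep or escaping and no channel binding.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)
func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}
func xor(dst, src []byte) []byte { // dst ^= src, in place
	for i := range dst {
		dst[i] ^= src[i]
	}
	return dst
}
// ClientFinal returns the client-final message and the "v=" value to expect from the broker.
func ClientFinal(user, pass, cnonce, serverFirst string) (string, string, error) {
	attrs := map[string]string{}
	for _, kv := range strings.Split(serverFirst, ",") {
		k, v, _ := strings.Cut(kv, "=")
		attrs[k] = v
	}
	salt, errS := base64.StdEncoding.DecodeString(attrs["s"])
	iter, errI := strconv.Atoi(attrs["i"])
	if errS != nil || errI != nil || iter < 1 || len(attrs["r"]) <= len(cnonce) || !strings.HasPrefix(attrs["r"], cnonce) {
		return "", "", fmt.Errorf("invalid server-first message") // bad salt/count, or nonce does not extend ours
	}
	// Hi() from RFC 5802: one-block PBKDF2-HMAC-SHA-256.
	salted, u := make([]byte, sha256.Size), append(salt, 0, 0, 0, 1)
	for i := 0; i < iter; i++ {
		u = mac([]byte(pass), u)
		xor(salted, u)
	}
	clientKey := mac(salted, []byte("Client Key"))
	storedKey := sha256.Sum256(clientKey)
	bare := "c=biws,r=" + attrs["r"] // "biws" is base64("n,,"): no channel binding
	authMsg := []byte("n=" + user + ",r=" + cnonce + "," + serverFirst + "," + bare)
	proof := xor(mac(storedKey[:], authMsg), clientKey)
	serverSig := mac(mac(salted, []byte("Server Key")), authMsg)
	b64 := base64.StdEncoding.EncodeToString
	return bare + ",p=" + b64(proof), b64(serverSig), nil
}
func main() { // constructed input: the RFC 7677 example exchange (user "user", password "pencil")
	fmt.Println(ClientFinal("user", "pencil", "rOprNGfwEbeRWgbNEkqO",
		"r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"))
}
```

The second return value is what the broker's server-final `v=` attribute must equal; compare the two with `hmac.Equal` and fail the login on mismatch, since that check is what authenticates the broker to the proxy.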