grepplabs / kafka-proxy

Proxy connections to Kafka cluster. Connect through SOCKS Proxy, HTTP Proxy or to cluster running in Kubernetes.
Apache License 2.0

Allow user group membership check in ldap plugin #59

Closed. everesio closed this 4 years ago

everesio commented 4 years ago

Configuration example:

```shell
build/kafka-proxy server \
    --bootstrap-server-mapping "localhost:19092,0.0.0.0:30001" \
    --bootstrap-server-mapping "localhost:29092,0.0.0.0:30002" \
    --bootstrap-server-mapping "localhost:39092,0.0.0.0:30003" \
    --debug-enable \
    --auth-local-enable \
    --auth-local-command=build/auth-ldap \
    --auth-local-param=--url=ldap://localhost:389 \
    --auth-local-param=--start-tls=false \
    --auth-local-param=--bind-dn=cn=admin,dc=example,dc=org \
    --auth-local-param=--bind-passwd=admin \
    --auth-local-param=--user-search-base=ou=people,dc=example,dc=org \
    --auth-local-param=--user-filter="(&(objectClass=person)(uid=%u)(memberOf=cn=kafka-users,ou=realm-roles,dc=example,dc=org))"
```

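The `--user-filter` above is a template: `%u` is replaced by the login name, and the `memberOf` assertion is what turns a plain "does this user exist" lookup into a group membership check, because the search only returns an entry when every assertion in the `(&...)` conjunction holds. The Go program below is an added example, not the ldap plugin's own code, that expands such a template and evaluates the resulting filter against a small constructed in-memory directory. It escapes the substituted username per RFC 4515 before expansion; whether the plugin itself does that is not stated in this thread and is an assumption here. The filter parser handles only the `(&(attr=value)...)` form used in the example, and `Directory`, `Authorize` and the sample entries are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Entry is a directory entry: attribute name -> values (LDAP attributes are multi-valued).
type Entry map[string][]string

// Assertion is one equality match (attr=value) inside the AND filter.
type Assertion struct {
	Attr  string
	Value string
}

// UserFilterTemplate is the template from the configuration example above.
const UserFilterTemplate = "(&(objectClass=person)(uid=%u)(memberOf=cn=kafka-users,ou=realm-roles,dc=example,dc=org))"

// Directory is a constructed sample directory (not real data): alice is in
// kafka-users, bob is a person but in a different group.
var Directory = map[string]Entry{
	"alice": {"objectclass": {"person"}, "uid": {"alice"}, "memberof": {"cn=kafka-users,ou=realm-roles,dc=example,dc=org"}},
	"bob":   {"objectclass": {"person"}, "uid": {"bob"}, "memberof": {"cn=other,ou=realm-roles,dc=example,dc=org"}},
}

// EscapeFilterValue escapes a value for use inside an LDAP filter per RFC 4515
// section 3: '*', '(', ')', '\' and NUL become \HH.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unescapeFilterValue reverses EscapeFilterValue (\HH -> byte).
func unescapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		if v[i] == '\\' && i+2 < len(v) {
			if n, err := strconv.ParseUint(v[i+1:i+3], 16, 8); err == nil {
				b.WriteByte(byte(n))
				i += 2
				continue
			}
		}
		b.WriteByte(v[i])
	}
	return b.String()
}

// ExpandUserFilter substitutes the escaped username for every %u in the template.
func ExpandUserFilter(template, username string) string {
	return strings.ReplaceAll(template, "%u", EscapeFilterValue(username))
}

// ParseAndFilter parses the restricted form (&(a=v)(b=w)...) into its
// equality assertions; any other filter shape is rejected.
func ParseAndFilter(filter string) ([]Assertion, error) {
	if !strings.HasPrefix(filter, "(&") || !strings.HasSuffix(filter, ")") {
		return nil, fmt.Errorf("expected (&...) filter, got %q", filter)
	}
	inner := filter[2 : len(filter)-1]
	var out []Assertion
	for inner != "" {
		if inner[0] != '(' {
			return nil, fmt.Errorf("expected '(' at %q", inner)
		}
		end := strings.IndexByte(inner, ')') // escaped values contain no raw ')'
		if end < 0 {
			return nil, fmt.Errorf("unbalanced parentheses in %q", inner)
		}
		attr, val, ok := strings.Cut(inner[1:end], "=") // split at the first '=' only
		if !ok || attr == "" {
			return nil, fmt.Errorf("not an equality match: %q", inner[1:end])
		}
		out = append(out, Assertion{Attr: attr, Value: unescapeFilterValue(val)})
		inner = inner[end+1:]
	}
	return out, nil
}

// Matches reports whether the entry satisfies every assertion (AND semantics);
// attribute names compare case-insensitively, values exactly.
func Matches(e Entry, as []Assertion) bool {
	for _, a := range as {
		found := false
		for k, vs := range e {
			if !strings.EqualFold(k, a.Attr) {
				continue
			}
			for _, v := range vs {
				if v == a.Value {
					found = true
				}
			}
		}
		if !found {
			return false
		}
	}
	return true
}

// Authorize expands the template for the login name and reports whether any
// directory entry satisfies the resulting filter, i.e. the search returned a hit.
func Authorize(username string) (bool, error) {
	as, err := ParseAndFilter(ExpandUserFilter(UserFilterTemplate, username))
	if err != nil {
		return false, err
	}
	for _, e := range Directory {
		if Matches(e, as) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, u := range []string{"alice", "bob", "alice)(uid=bob"} {
		ok, err := Authorize(u)
		fmt.Printf("%-16q filter=%s allowed=%v err=%v\n", u, ExpandUserFilter(UserFilterTemplate, u), ok, err)
	}
}
```

Running it shows that alice is allowed, bob is refused because his `memberOf` does not contain the kafka-users DN, and a login name containing filter metacharacters is escaped to `alice\29\28uid=bob`, so the expanded filter still has exactly three assertions and matches nobody.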
everesio commented 4 years ago

@gustavomcarmo Please check it out. AFAIR you were interested in a group membership check in the LDAP plugin.

gustavomcarmo commented 4 years ago

Great! I'll give it a try asap and give you some feedback...

Thanks!

gustavomcarmo commented 4 years ago

Hi @everesio,

Just tested the new ldap filter feature and it works like a charm. You can check it out in the kafka-proxy-test project.

Great job! Ship it!

everesio commented 4 years ago

@gustavomcarmo Hi, thank you for feedback.

gustavomcarmo commented 4 years ago

Hi @everesio,

When is the new version of kafka-proxy with this feature going to be released?

Thanks!

gustavomcarmo commented 4 years ago

Hi @everesio,

Thanks for releasing the new version!

Just a question: would it be possible to set the LDAP admin credentials in the plugin configuration (--bind-dn and --bind-passwd) by using Kubernetes secrets?

Thanks!

everesio commented 4 years ago

Hi @gustavomcarmo. Using secrets would mean reading from a file. Are the env variables not secure enough for your use case? E.g. the Kubernetes sidecar container example (TLS_CLIENT_KEY_PASSWORD):

```yaml
        - name: kafka-proxy
          image: grepplabs/kafka-proxy:latest
          args:
            - 'server'
            - '--log-format=json'
            - '--tls-client-key-password=$(TLS_CLIENT_KEY_PASSWORD)'
          env:
          - name: TLS_CLIENT_KEY_PASSWORD
            valueFrom:
              secretKeyRef:
                name: tls-client-key-password
                key: password
```

gustavomcarmo commented 4 years ago

Hi @everesio,

Yes, you're right. I can use environment variables.

Thanks!

everesio commented 4 years ago

Hi @gustavomcarmo, FYI: from release v0.2.7, two Docker images are built, e.g.

The second one contains precompiled plugins, which are located in /opt/kafka-proxy/bin/. Please check out the Docker images with precompiled plugins in the README.md.