satand
commented
1 week ago Hi, is there news about this issue? I expected it to be a cosmetic change being the FAST negotiation flag already supported by the sarama client. Many thanks
Open jkyros opened 2 weeks ago
satand
commented
1 week ago Hi, is there news about this issue? I expected it to be a cosmetic change being the FAST negotiation flag already supported by the sarama client. Many thanks
Proposal
The sarama Kafka client we are using in the Kafka scaler actually does have a setting GSSAPIConfig.DisablePAFXFAST that can be used to disable kerberos/GSSAPI FAST negotiation and "fix" this, but the Kafka scaler doesn't currently have any plumbing to read that setting out of the auth config to configure it -- so a user can't use it because it's not exposed.
As such, the current state of affairs prevents users from using the Kafka scaler against against some configurations of KDCs -- like Active Directory -- that don't use FAST.
I'm proposing we add plumbing at least for the AuthConfig so we can expose this piece of client config as an authentication parameter so users can shut off FAST for their connections if they need to.
Use-Case
This would let us successfully use the Kafka scaler against KDCs that don't support FAST.
In a lot of cases the kerberos infrastructure was set up for other purposes and not just to auth our keda scaler, so modifying the KDC configuration itself is often out of reach of our users -- right now they just don't get to use kerberos with the kafka scaler. :sad
Is this a feature you are interested in implementing yourself?
Yes
Anything else?
( sarama uses gokrb5 under the hood, i.e. https://github.com/jcmturner/gokrb5/blob/master/v8/USAGE.md#active-directory-kdc-and-fast-negotiation. I was hoping for a "try and fallback" method but it doesn't look like there is one, it looks like all we get is "turn it off before you login plzkthx" )