Closed blezoray closed 2 years ago
Hey @blezoray,
You need to import the constant at the top:
// import kafka extension and constants
import { Writer, Reader, Connection, SASL_SCRAM_SHA512, TLS_1_2 } from "k6/x/kafka";
I'll close this ticket, but feel free to re-open it if you have other questions.
With this import, it's better:
import { Writer, Reader, Connection, SASL_PLAIN, SASL_SCRAM_SHA512, TLS_1_2 } from "k6/x/kafka"; // import kafka extension
Thanks
Now, I'm trying to test a listener with SASL over TLS. I configure tlsConfig.serverCaPem with the path of my CA file.
// TLS config is optional
const tlsConfig = {
// Enable/disable TLS (default: false)
enableTls: true,
// Skip TLS verification if the certificate is invalid or self-signed (default: false)
insecureSkipTlsVerify: false,
// Possible values:
// TLS_1_0
// TLS_1_1
// TLS_1_2 (default)
// TLS_1_3
minVersion: TLS_1_2,
// Only needed if you have a custom or self-signed certificate and keys
// clientCertPem: "/k6-scripts/benchuser.user.crt",
// clientKeyPem: "/k6-scripts/benchuser.user.key",
serverCaPem: "/k6-scripts/benchuser.ca.crt",
};
But I have this error:
ERRO[0001] Cannot process TLS config error="File not found: , OriginalError: %!w(*fs.PathError=&{stat 2})"
ERRO[0001] Cannot process TLS config error="File not found: , OriginalError: %!w(*fs.PathError=&{stat 2})"
ERRO[0001] Cannot process TLS config error="File not found: , OriginalError: %!w(*fs.PathError=&{stat 2})"
ERRO[0001] Failed to create dialer., OriginalError: %!w(*fmt.wrapError=&{could not successfully authenticate to my-cluster-kafka-bootstrap.diod-mpms-kafka-test.svc:9093 with SASL: SASL handshake failed: EOF 0xc0015d8e00}) error="Failed to create dialer., OriginalError: %!w(*fmt.wrapError=&{could not successfully authenticate to my-cluster-kafka-bootstrap.diod-mpms-kafka-test.svc:9093 with SASL: SASL handshake failed: EOF 0xc0015d8e00})"
ERRO[0001] Failed to create dialer., OriginalError: %!w(*fmt.wrapError=&{could not successfully authenticate to my-cluster-kafka-bootstrap.diod-mpms-kafka-test.svc:9093 with SASL: SASL handshake failed: EOF 0xc0015d8e00})
at file:///tmp/k6-sasl-tls.js:84:19(124) hint="script exception"
It seems to open 3 files???
It works fine when I remove the serverCaPem and I set insecureSkipTlsVerify to true.
Any reason?
@blezoray
You need to provide all three files to be able to test over TLS. Also, if you pass insecureSkipTlsVerify, it'll completely bypass validation.
But if my listener does SASL authentication over TLS, I have only the CA. With CA, user cert & key, it is TLS authentication and not SASL authentication.
@blezoray What do you mean? Can you elaborate?
I suppose @oscar067 has managed to make SASL/SSL auth work.
Here, you have an explanation of the difference between TLS 1-way and TLS 2-way: https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/
In your case, when you do SASL over TLS, you establish a TLS 1-way session to the server and then SASL challenges the client to authenticate with its user/password.
When you do TLS 2-way, your client is authenticated inside the TLS session with its private key/cert and the server doesn't need to do a SASL challenge.
Is it clear?
Hi
I was able to make SSL/TLS 2-way work, as @mostafa describes, but it is true I did not try SASL over TLS.
export const writerCommsHub = new Writer({
// WriterConfig object
brokers: bootstrap,
topic: kafkaTopic,
tls: {
enableTls: true,
insecureSkipTlsVerify: false,
clientCertPem: "/certs/cert.pem",
clientKeyPem: "/certs/server.key",
serverCaPem: "/certs/Corporate_Root_CA_G3_.cer",
},
});
@oscar067 Thanks for letting us know. @blezoray Then this is something I need to investigate more.
Hi @mostafa , I found this video which explains the difference between TLS and SASL over TLS. https://www.youtube.com/watch?v=_PmEs8xEz8g
Rgds.
@blezoray Awesome! Thanks for the pointer.
I'll try to see if I can fix it. In the meantime, I'd be happy to see contributions. SASL and TLS are handled in the auth.go file.
@blezoray Created #169 to fix this issue.
@blezoray Fixed in #170. Feel free to reopen the issue if the problem persists.
Hi,
Sorry for the delay in answering. I tested SASL auth, SASL auth over TLS, and TLS auth. All work fine. Thanks a lot.
Rgds.
Hello,
I'm testing your test_sasl_auth.js script with a SCRAM_SHA512 user.
But I have this error:
I use your docker image: mostafamoradian/xk6-kafka:latest
Any explanation?
The script:
Rgds.