specmesh / specmesh-build

https://specmesh.io/
Apache License 2.0

Confluent Cloud api-key SASL config docs and validation #339

Open navery-max opened 2 months ago

navery-max commented 2 months ago

Looks like the provisioner needs to be run using:

provisioner -config.properties=mypropertiesfile.properties

which is loaded here: https://github.com/specmesh/specmesh-build/blob/main/kafka/src/main/java/io/specmesh/kafka/Clients.java#L65

which will (via specmesh) execute the equivalent of the code below

import java.util.List;
import java.util.Properties;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.common.resource.*;

public class ProvisionAcl { // wrapper class name is illustrative
    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.put("bootstrap.servers", "<cluster-id>.cc-<region>.confluent.cloud:9092"); // host:port, no https:// scheme
        props.put("security.protocol", "SASL_SSL");
        props.put("sasl.mechanism", "PLAIN");
        // The JAAS username is the API key, so Kafka authenticates this client as User:<api-key>
        props.put("sasl.jaas.config", "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"<api-key>\" password=\"<api-secret>\";");
        // Create an ACL binding (AccessControlEntry takes principal, host, operation, permission) and apply it
        AclBinding aclBinding = new AclBinding(
            new ResourcePattern(ResourceType.TOPIC, "mytopic", PatternType.LITERAL),
            new AccessControlEntry("User:alice", "*", AclOperation.ALL, AclPermissionType.ALLOW)
        );
        try (AdminClient adminClient = AdminClient.create(props)) {
            adminClient.createAcls(List.of(aclBinding)).all().get();
        }
    }
}
t0ffel commented 2 months ago

Specmesh itself runs fine, since we provide the appropriate Kafka parameters with the correct SASL mechanism (PLAIN) and JAAS config (which contains the API key/API secret). The specmesh.yaml, though, doesn't know anything about the API key. It knows about the user-readable "username" (I was using the service account name here), which is not the correct username and has no relation to the real Kafka user names. Kafka thinks that only API keys are usernames.

After the specmesh run, the specific user tries to write/read Kafka and gets an ACL exception. The JAAS config is correct (with API key/API secret), but the ACL says the user-readable "username" is allowed to do the operation (as was instructed in specmesh.yaml), while the real user is the API key.

Confluent API keys: https://docs.confluent.io/cloud/current/access-management/authenticate/api-keys/api-keys.html. API key IDs, as far as I understand, are random strings and cannot be controlled: we cannot name Kafka users. API keys will differ per environment, so we probably cannot put them into specmesh.yaml?
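To surface the mismatch this thread describes before a client hits the ACL exception, a post-provisioning check can compare the principal named in specmesh.yaml with the principal the JAAS config will actually produce (`User:<username>`, where on Confluent Cloud the username is the API key) and ask the cluster which of the two holds ALLOW ACLs on the topic. The Java below is an added example written for this page, not specmesh or Confluent code; the class and method names, the topic name, the placeholder cluster and credential values, and the assumption that specmesh.yaml declared `User:alice` are all constructed for illustration.

```java
import java.util.Collection;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePatternFilter;
import org.apache.kafka.common.resource.ResourceType;

// Hypothetical post-provisioning check (not part of specmesh): confirms that ALLOW ACLs
// on a topic exist for the principal the client actually authenticates as, not only for
// the human-readable name declared in specmesh.yaml.
public class AclPrincipalCheck {

    private static final Pattern JAAS_USERNAME = Pattern.compile("username=\"([^\"]*)\"");

    // Kafka turns the PLAIN JAAS username into the principal "User:<username>".
    // On Confluent Cloud that username is the API key, so this is the principal ACLs must name.
    static String principalFromJaas(String jaasConfig) {
        Matcher m = JAAS_USERNAME.matcher(jaasConfig);
        if (!m.find() || m.group(1).isEmpty()) {
            throw new IllegalArgumentException("sasl.jaas.config carries no username");
        }
        return "User:" + m.group(1);
    }

    // Filter for any ALLOW ACL granted to `principal` whose resource pattern covers `topic`.
    // PatternType.MATCH also matches PREFIXED and wildcard patterns, not only LITERAL ones.
    static AclBindingFilter allowsOnTopic(String topic, String principal) {
        return new AclBindingFilter(
            new ResourcePatternFilter(ResourceType.TOPIC, topic, PatternType.MATCH),
            new AccessControlEntryFilter(principal, null, AclOperation.ANY, AclPermissionType.ALLOW));
    }

    // True when the given principal holds at least one ALLOW ACL covering the topic.
    static boolean principalIsAuthorized(AdminClient admin, String topic, String principal)
            throws Exception {
        Collection<AclBinding> granted = admin.describeAcls(allowsOnTopic(topic, principal)).values().get();
        return !granted.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.put("bootstrap.servers", "<cluster-id>.cc-<region>.confluent.cloud:9092"); // placeholder
        props.put("security.protocol", "SASL_SSL");
        props.put("sasl.mechanism", "PLAIN");
        props.put("sasl.jaas.config",
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            + "username=\"<api-key>\" password=\"<api-secret>\";"); // placeholders

        String topic = "mytopic";
        String declared = "User:alice"; // principal named in specmesh.yaml (assumed for the example)
        String actual = principalFromJaas(props.getProperty("sasl.jaas.config"));

        try (AdminClient admin = AdminClient.create(props)) {
            boolean declaredOk = principalIsAuthorized(admin, topic, declared);
            boolean actualOk = principalIsAuthorized(admin, topic, actual);
            if (declaredOk && !actualOk) {
                // Exactly the failure mode in this issue: ACLs exist, but for a principal nobody authenticates as
                System.err.println("ACLs on " + topic + " name " + declared
                    + " but the client authenticates as " + actual + ": expect authorization failures");
            } else if (!actualOk) {
                System.err.println("no ALLOW ACL on " + topic + " for " + actual);
            } else {
                System.out.println(actual + " is authorized on " + topic);
            }
        }
    }
}
```

The identity running the check needs permission to describe ACLs on the cluster, and because API keys differ per environment the `declared` value would in practice come from the specmesh.yaml used for that environment rather than a literal; the point of the check is that the comparison is made against the principal derived from the live JAAS config, which is the only name Kafka will actually authorize.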