Add "mechanism" in output.kafka to support SCRAM-SHA-512 and SCRAM-SHA-256 #12867
Conversation
… and SCRAM-SHA-256 mechanism.
How to use it:
```
output.kafka:
codec.format:
string: '%{[@timestamp]} %{[message]}'
hosts: ["localhost:9092"]
topic: 'mytopic'
partition.round_robin:
reachable_only: false
required_acks: 1
compression: gzip
max_message_bytes: 1000000
username: user
password: pass
mechanism: SCRAM-SHA-512
```
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
libbeat/outputs/kafka/config.go
Outdated
| return | ||
| } | ||
|
|
||
| func (x *XDGSCRAMClient) Done() bool { |
There was a problem hiding this comment.
exported method XDGSCRAMClient.Done should have comment or be unexported
libbeat/outputs/kafka/config.go
Outdated
| return nil | ||
| } | ||
|
|
||
| func (x *XDGSCRAMClient) Step(challenge string) (response string, err error) { |
There was a problem hiding this comment.
exported method XDGSCRAMClient.Step should have comment or be unexported
libbeat/outputs/kafka/config.go
Outdated
| scram.HashGeneratorFcn | ||
| } | ||
|
|
||
| func (x *XDGSCRAMClient) Begin(userName, password, authzID string) (err error) { |
There was a problem hiding this comment.
exported method XDGSCRAMClient.Begin should have comment or be unexported
libbeat/outputs/kafka/config.go
Outdated
| var SHA256 scram.HashGeneratorFcn = func() hash.Hash { return sha256.New() } | ||
| var SHA512 scram.HashGeneratorFcn = func() hash.Hash { return sha512.New() } | ||
|
|
||
| type XDGSCRAMClient struct { |
There was a problem hiding this comment.
exported type XDGSCRAMClient should have comment or be unexported
libbeat/outputs/kafka/config.go
Outdated
| ) | ||
|
|
||
| var SHA256 scram.HashGeneratorFcn = func() hash.Hash { return sha256.New() } | ||
| var SHA512 scram.HashGeneratorFcn = func() hash.Hash { return sha512.New() } |
There was a problem hiding this comment.
exported var SHA512 should have comment or be unexported
libbeat/outputs/kafka/config.go
Outdated
| ) | ||
|
|
||
| var SHA256 scram.HashGeneratorFcn = func() hash.Hash { return sha256.New() } |
There was a problem hiding this comment.
exported var SHA256 should have comment or be unexported
|
@zvictorino thanks for opening this PR! Tests are failing because there is a missing package, you will need to add it with |
|
let's name the setting The setting will also need some docs. Almost all symbols are private to the package, don't export them. |
libbeat/outputs/kafka/config.go
Outdated
| @@ -58,6 +89,7 @@ type kafkaConfig struct { | |||
| Username string `config:"username"` | |||
| Password string `config:"password"` | |||
| Codec codec.Config `config:"codec"` | |||
| Mechanism string `config:"mechanism"` | |||
There was a problem hiding this comment.
this calls for an enum like type (over string):
type saslMechanism string
const (
saslTypePlaintext = sarama.SASLTypePlaintext
...
)
func (m *saslMechanism) Unpack(in string) error {
in = strings.ToUpper(in) // try not to force users to use all upper case
switch in {
case saslTypePlaintext, ...:
*m = saslMechanism(in)
default:
return fmt.Errorf("not valid mechanism '%v', only supported with PLAIN|SCRAM-SHA-512|SCRAM-SHA-256", in)
}
return nil
}
The unpack method will be called by (*Config).Unpack. If it fails the full config name and the config file the setting comes from will be reported.
There is another 'string' comparison in order to fill in the sarama SASL settings. Having magic strings in different places is a good way to introduce Bugs (future developer might have typo when adding another mechanism). Better use an enum and use contanstants (compiler will complain if there is a typo). By having our own type we can also do this (optional):
func (m saslMechanism) configureSarama(... <other input>?, config *sarama.Config) error {
switch m {
case saslScramSHA256:
...
case sasl<type>:
...
default:
panic(<we shouldn't get here, assuming no developer messed up>)
}
}
|
Hi @zvictorino, we have found your signature in our records, but it seems like you have signed with a different e-mail than the one used in your Git commit. Can you please add both of these e-mails into your Github profile (they can be hidden), so we can match your e-mails to your Github profile? |
Move some codes to separate file.
| return nil | ||
| } | ||
|
|
||
| func (x *XDGSCRAMClient) Step(challenge string) (response string, err error) { |
There was a problem hiding this comment.
exported method XDGSCRAMClient.Step should have comment or be unexported
| scram.HashGeneratorFcn | ||
| } | ||
|
|
||
| func (x *XDGSCRAMClient) Begin(userName, password, authzID string) (err error) { |
There was a problem hiding this comment.
exported method XDGSCRAMClient.Begin should have comment or be unexported
| var SHA256 scram.HashGeneratorFcn = func() hash.Hash { return sha256.New() } | ||
| var SHA512 scram.HashGeneratorFcn = func() hash.Hash { return sha512.New() } | ||
|
|
||
| type XDGSCRAMClient struct { |
There was a problem hiding this comment.
exported type XDGSCRAMClient should have comment or be unexported
| ) | ||
|
|
||
| var SHA256 scram.HashGeneratorFcn = func() hash.Hash { return sha256.New() } | ||
| var SHA512 scram.HashGeneratorFcn = func() hash.Hash { return sha512.New() } |
There was a problem hiding this comment.
exported var SHA512 should have comment or be unexported
| "github.com/xdg/scram" | ||
| ) | ||
|
|
||
| var SHA256 scram.HashGeneratorFcn = func() hash.Hash { return sha256.New() } |
There was a problem hiding this comment.
exported var SHA256 should have comment or be unexported
| @@ -0,0 +1,37 @@ | |||
| // https://github.com/Shopify/sarama/blob/master/examples/sasl_scram_client/scram_client.go | |||
There was a problem hiding this comment.
package comment should be of the form "Package kafka ..."
|
Hello @zvictorino this is a really nice addition, its there anything we could help to move it forward with you? |
|
jenkins, test this |
|
can anyone merge this pull request plz ? |
|
@zvictorino there is a merge conflict, could you please update the branch with master? Thanks! |
jsoriano
added
the
Team:Services
|
💚 CLA has been signed |
Update code to master
|
ok to test |
|
jenkins, test this again please |
|
Code LGTM, but there would be some pending things. We would need a changelog entry, docs for the new options, and some tests. @zvictorino let me know if you can continue with this, if not I am ok with merging this as is and create an issue with some follow up tasks. Thanks! |
There was a problem hiding this comment.
Merging this as is by now, but not backporting to 7.x, I will create an issue for follow ups. Thanks @zvictorino!
|
Follow up issue for this: #16723 |
…A-256 (elastic#12867) (cherry picked from commit e935b26)
(cherry picked from commit 87ff5c0)
jsoriano
added
v7.11.0
test-plan
New config key
mechanismwas introduced.How to use it: