feat: Kafka SASL OAUTH token refreshing #2834
Conversation
There was a problem hiding this comment.
@vlastahajek nice work! I know you plan to clean this up a bit more but here are some early comments nonetheless. ;-)
etc/kapacitor/kapacitor.conf
Outdated
| # sasl-oauth-service = "" | ||
| ## The client ID to use when authenticating with SASL/OAUTH. | ||
| # sasl-oauth-client-id = "" | ||
| ## The client secret to use when authenticating with SASL/OAUTH. | ||
| # sasl-oauth-client-secret = "" | ||
| ## The token URL to use when authenticating with SASL/OAUTH. | ||
| # sasl-oauth-token-url = "" |
There was a problem hiding this comment.
The sasl-oauth-service and sasl-oauth-token-url are somewhat redundant aren't they? Do we really want both or should we just use the URL and provide the URLs for common services in the config?
There was a problem hiding this comment.
Generally, the core implementation and feature set are done according to Telegraf to provide a similar user experience
Choosing service makes sense to distinguish auth0, azure and other and provides space for future extensions
There was a problem hiding this comment.
I know as I implemented this part in Telegraf. The big issue is that the two are redundant and you need to decide and document the behavior if both options are given and, in the worst case, contradict each other.
There was a problem hiding this comment.
The only contradiction I see, for now, is we don't need the token-url for azure.
I still don't understand how it would work if there were only one. The token-url?
- we need to check if the audience parameter is added for auth0
- If a user would like to use azuread, the token-url would be azuread?
- In case of azure we need to check tenant-id
There was a problem hiding this comment.
I'm not saying you have to remove it but then please make the use and redundancy clear in the option description! As it is now, people might be inclined to specify both the token-url and the service.
There was a problem hiding this comment.
Sure, the token-url param should be more contextually described
| "golang.org/x/oauth2" | ||
| "golang.org/x/oauth2/clientcredentials" | ||
|
|
||
| kafka "github.com/IBM/sarama" |
There was a problem hiding this comment.
Please remove the alias and just use
| kafka "github.com/IBM/sarama" | |
| "github.com/IBM/sarama" |
as everything else is confusing...
There was a problem hiding this comment.
This is very subjective. As the sarama is a Kafka client the alias makes it more clean. Also, the alias is already used in kafka/service.go
There was a problem hiding this comment.
Well I don't like this but it might be OK if kapacitor guys agree. Let me give you my reasons:
- You obfuscate the library used with an alias, making it harder for readers of the code to figure out what's going on.
- Your chosen alias is the same as the package name, this will cause additional confusion.
- You increase the PR size without any necessity.
But as I said, if that's how it is done in kapacitor I don't mind.
services/kafka/sasl.go
Outdated
| if k.SASLMechanism == "" { | ||
| return nil | ||
| } | ||
| switch k.SASLMechanism { |
There was a problem hiding this comment.
| if k.SASLMechanism == "" { | |
| return nil | |
| } | |
| switch k.SASLMechanism { | |
| switch k.SASLMechanism { | |
| case "": | |
| return nil |
services/kafka/sasl.go
Outdated
| if k.SASLOAUTHExpiryMargin == 0 { | ||
| k.SASLOAUTHExpiryMargin = 10 * time.Second | ||
| } |
There was a problem hiding this comment.
This was initialized before in the config, wasn't it? The current way the user cannot set the option to a valid zero...
services/kafka/sasl.go
Outdated
| func azureAD(tenant string) oauth2.Endpoint { | ||
| if tenant == "" { | ||
| tenant = "common" | ||
| } | ||
| return oauth2.Endpoint{ | ||
| AuthURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize", | ||
| TokenURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token", | ||
| DeviceAuthURL: "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/devicecode", | ||
| } | ||
| } |
There was a problem hiding this comment.
Instead of this hand-crafted implementation, why not rely on https://pkg.go.dev/golang.org/x/oauth2@v0.23.0/endpoints?
There was a problem hiding this comment.
Yes, this was mistakenly copied.
| func NewRefreshingToken(source oauth2.TokenSource, cancel context.CancelFunc, extensions map[string]string) *RefreshingToken { | ||
| return &RefreshingToken{ | ||
| source: source, | ||
| cancel: cancel, | ||
| extensions: extensions, | ||
| } | ||
| } |
There was a problem hiding this comment.
The cancel function is never used in here and actually shouldn't be. The caller should cancel the context on exit...
There was a problem hiding this comment.
Yes, handling closing is still TODO
…(custom, auth0, azure), added config validation
vlastahajek
force-pushed
the
feat/kafka-oauth
branch
from
2977c54 to
65c000e
Compare
There was a problem hiding this comment.
@vlastahajek, thanks for the nice improvement 👍. I've just added some minor requirements before acceptance.
etc/kapacitor/kapacitor.conf
Outdated
| # sasl-oauth-client-secret = "" | ||
| ## The token URL to use when sasl-oauth-service is custom or auth0. Leave empty otherwise. | ||
| # sasl-oauth-token-url = "" | ||
| ## The expiry margin for the token. |
There was a problem hiding this comment.
A small suggestion to clarify the meaning of this property:
| ## The expiry margin for the token. | |
| ## The margin for the token's expiration time. |
services/kafka/config.go
Outdated
| @@ -49,7 +49,7 @@ type Config struct { | |||
| } | |||
|
|
|||
| func NewConfig() Config { | |||
| return Config{ID: DefaultID} | |||
| return Config{ID: DefaultID, SASLAuth: SASLAuth{SASLOAUTHExpiryMargin: 10 * time.Second}} | |||
There was a problem hiding this comment.
Please define the SASLOAUTHExpiryMargin value as a constant, similar to DefaultID.
| return Config{ID: DefaultID, SASLAuth: SASLAuth{SASLOAUTHExpiryMargin: 10 * time.Second}} | |
| return Config{ID: DefaultID, SASLAuth: SASLAuth{SASLOAUTHExpiryMargin: DefaultSASLOAUTHExpiryMargin}} |
Required checklist
/etcfolder andNewDemoConfigmethods) (influxdb and plutonium)Description
Adding SASL OAUTH token refreshing for Kafka plugin. The same support as Telegraf has - custom, Auth0, AzureAD.
Kapacitor docs update PR: #5617
New Kafka config params: