Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kafka connection using SCRAM authentication #2046

Closed
TheDavidKruse opened this issue Jan 28, 2020 · 14 comments · Fixed by #2724
Closed

Kafka connection using SCRAM authentication #2046

TheDavidKruse opened this issue Jan 28, 2020 · 14 comments · Fixed by #2724

Comments

@TheDavidKruse
Copy link

Requirement - what kind of business use case are you trying to solve?

In our current architecture, we secure our connection to our Kafka pipelines using the SCRAM authentication method. We would like to use Go as our Jaeger collector for ease of use in microservices and to replace our current Java implementation.

Problem - what in Jaeger blocks you from solving the requirement?

The current Go collector doesn't have an implementation to authenticate with Kafka using SCRAM. This forces us into continuing the use with our Java version with higher CPU and memory overhead in our microservice.

Proposal - what do you suggest to solve the problem or improve the existing situation?

By using the xdg-go/scram package we can implement adequate SCRAM authentication between the collector and Kafka.

I have a pull request able to be made if it's applicable.

Any open questions to address

Would there be a better SCRAM auth package that could be used?
Would SCRAM with Kafka be useful for anyone else?

@ghost ghost added the needs-triage label Jan 28, 2020
@yurishkuro
Copy link
Member

Maybe this should be solved in Shopify/sarama? Jaeger simply uses what sarama provides, we don't build additional mechanisms which are not part of the driver.

@TheDavidKruse
Copy link
Author

That makes sense, let me head over there and see what kind of trouble I can stir up.

Thanks @yurishkuro

@TheDavidKruse
Copy link
Author

As it turns out, the way we have implemented it comes directly from the way they have in their (Sarama's) example.

However, with the example from their repo they do not take into account using Jaeger with Kafka as they have a custom consumer and producer loop. I find that the overlap between what they have implemented in their own way would be easy to implement into Jaeger as it takes care of most of the producer and consumer code and allows for a new authentication method next to TLS and Kerboros.

If it's not worth implementing, is the incorrect implementation location, or is not viewed as something that would benefit Jaeger directly I will close the issue.

@zenobiuszeto
Copy link

@yurishkuro The PR which we are going to raise will enable the support the SCRAM based SASL fro Jaeger collector for Kafka which uses Shopify/sarama.

Today we have the support for TLS and kerberos.

Are you aligned on raising the PR ?

@zenobiuszeto
Copy link

@yurishkuro I did this case during end of last year

is there a plan to enable SCRAM SASL from Jaeger collector side to kafka ?

Juraci Paixão Kröhling @jpkrohling Nov 21 2019 01:06
@zenobiuszeto what does it take to add support for it?
@zenobiuszeto if you can provide a PR, chances are high that we can merge it

@yurishkuro
Copy link
Member

I am still not clear why sarama has this SCRAM client abstraction rather than implementing it directly, I asked on their PR IBM/sarama#1295 (comment).

@yurishkuro
Copy link
Member

@jaegertracing/jaeger-maintainers how do we feel about taking a dependency on https://github.com/xdg-go/scram? That repo hasn't changed in 2yrs, a very straightforward (and the only) PR opened 6mo ago had no maintainer feedback.

@TheDavidKruse
Copy link
Author

Just bumping to see if there were any decisions yet. Thanks!

@yurishkuro
Copy link
Member

I added this to the agenda for the next project status call. Feel free to join. https://docs.google.com/document/d/1ZuBAwTJvQN7xkWVvEFXj5WU9_JmS5TPiNbxCJSvPqX0/edit#

@TheDavidKruse
Copy link
Author

Thank you!

@vprithvi
Copy link
Contributor

We may also want to consider alternatives like confluent-kafka-go or confluent-java (via gRPC plugin framework), which are under active development and seem to support SCRAM.

@yurishkuro
Copy link
Member

Decisions from status call:

  • Accept xgd-go/scram for now
  • Defer decision on Confluent until someone has time to test thoroughly

@TheDavidKruse do you want to propose a PR?

@TheDavidKruse
Copy link
Author

@yurishkuro I can do that! Give me a day or two to propose a PR.

@Neustradamus
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants