parent d2bc749
author garrett528 <andrew.garrett@compass.com> 1625669334 -0400
committer Jacob Lee <jacob.lee@pathccm.com> 1686019633 -0700
gpgsig -----BEGIN SSH SIGNATURE-----
 -----END SSH SIGNATURE-----

sasl: Enable AWS_MSK_IAM SASL mechanism (confluentinc#3402)

AWS_MSK_IAM is a new SASL mechanism for
authenticating clients to AWS MSK Kafka
clusters and using IAM-based controls to
set Kafka ACLs and permissions. This change
provides support to allow clients to pass
AWS credentials at runtime which are used
to build the SASL payload and authenticate
clients to IAM enabled MSK clusters. It adds
a new SASL mechanism, AWS_MSK_IAM, as well
as configuration options to set the following:
* AWS access key id
* AWS secret access key
* AWS region
* AWS security token
The SASL handshake requires a specific payload
that is described here:
https://github.com/aws/aws-msk-iam-auth

Add curl to doozer build

Address comments (UrbanCompass#5)

Reduce Travis-CI runtime

 * Reduce number of jobs when not building a tag
 * Run unit tests if no tag, and local quick suite (old default) when tagged.
 * Combine some jobs.

Travis ARM64: build static lib

Travis: Disable C99 for all builds but the integration test build

.. since it hampers the use of assembler (asm()) on arm64.

Keep session alive when receiving heartbeat responses during rebalancing

add changelog message

Update Changelog

Add cleanup-s3.py script

Move Admin request arguments to result op to make them available on merge (confluentinc#3476)

Fix test 0055 now when flush() does not wait for linger.ms

Adds support for building on illumos

mklove: Use curl for module downloads

.. instead of wget, since we rely on curl elsewhere.

Verify checksum of source dependencies and bump to OpenSSL 1.1.1l, zstd 1.5.0

Travis: login with docker account to avoid rate-limiting

Docker dotnet images have changed names, updated.

rxidle and txidle were stats emitted as unsigned 64, now signed (confluentinc#3519)

Fix a small error due to the unreleased lock before program exit

Fix a small error due to the unreleased lock skm->lock before program exit.

mklove: make zlib test program compilable

The test program that is used at compile-time to detect whether zlib is
available fails to compile due to `NULL` being undefined:

```
_mkltmpyos55w.c:5:20: error: use of undeclared identifier 'NULL'
     z_stream *p = NULL;
                   ^
1 error generated.
```

This means that zlib availability is only automatically detected when
using pkg-config.

Import `stddef.h` (which defines `NULL`) in the test program, allowing
zlib to be automatically detected via a compilation check.

sasl: Enable STS credential refresh (UrbanCompass#7)

Define IOV_MAX as 1024 if not defined

Removed check int and added debug

Fixes error handling for error responses from STS (UrbanCompass#10)

mklove: make zlib test program compilable

The test program that is used at compile-time to detect whether zlib is
available fails to compile due to `NULL` being undefined:

```
_mkltmpyos55w.c:5:20: error: use of undeclared identifier 'NULL'
     z_stream *p = NULL;
                   ^
1 error generated.
```

This means that zlib availability is only automatically detected when
using pkg-config.

Import `stddef.h` (which defines `NULL`) in the test program, allowing
zlib to be automatically detected via a compilation check.

Travis: New secure env vars

AppVeyor: rotate access keys

Travis: show sha256sums of artifacts prior to deploy

Add MSVC 140 runtimes (for packaging)

Add 'ssl.ca.pem' property (confluentinc#2380)

Improve nuget release script

 - Verify artifact file contents and architectures.
 - Verify that artifact attributes match.
 - Get README, CONFIG,.. etc, from artifacts instead of local source tree
   (which may not match the released version).

Bump to version 1.8.2

(Skipping 1.8.1 due to dotnet release with that number)

mklove: fix static bundle .a generation on osx

mklove: portable checksum checking for downloads

mklove: allow --source-deps-only OpenSSL builds on OSX

Don't build ancient OSX Sierra artifacts

Travis: reduce build minutes (tagged jobs)

Travis: use --source-deps-only for dependencies instead of using homebrew

Homebrew is fantastically slow to update to Travis-CI, and it is burning
build credits like crazy.

mklove: added mklove_patch

mklove: show more of failed build logs

mklove openssl installer: workaround build issue in 1.1.1l on osx.

Apply OpenSSL PR 16409 patch to fix 1.1.1l build issues on OSX

Travis: Remove -Werror from OSX worker since OpenSSL builds have quite a few warnings

mklove: try both wget and curl for archive downloads

Don't overwrite ssl.ca.location on OSX (confluentinc#3566)

Travis: bump Linux base builder from trusty to xenial to circumvent ISRG cert expiry

.. which causes older versions of OpenSSL+curl to fail to download OpenSSL..

AddOffsetsToTxn Refresh errors did not trigger coord refresh (confluentinc#3571)

Ensure timers are started even if timeout is 0

Transactional producer: Fix possible message loss on OUT_OF_ORDER_SEQ error (confluentinc#3575)

Mock push_request_errors() appended the errors in reverse order

Update list of supported KIPs

Add rd_buf_new()

Import cJSON v1.7.14

URL: https://github.com/DaveGamble/cJSON
Tag: v1.7.14
SHA: d2735278ed1c2e4556f53a7a782063b31331dbf7

Added HTTP(S) client using cURL

Add HTTP(S) client using cURL

Fix uninitialized warning on msvc

Remove commented-out printfs

Remove stray license include in librdkafka vcxproj

librdkafka.vcxproj: remove stale OpenSSL paths and enable Vcpkg manifests

mklove: put all built deps in the same destdir and set up compiler flags accordingly

This fixes some issues when dependency B depends on dependency A, in this
case for libcurl that depends on OpenSSL, to make it find the OpenSSL
libraries, pkg-config files, etc.

mklove: don't include STATIC_LIB_..s in BUILT_WITH

mklove: Some autoconf versions seem to need a full path to $INSTALL

curl: disable everything but HTTP(S)

Added string splitter and kv splitter

OAuth/OIDC: Add fields to client configuration (confluentinc#3510)

Implement native Win32 IO/Queue scheduler (WSAWaitForMultipleEvents)

This removes the internal loopback connections (one per known broker)
that were previously used to trigger io-based queue wakeups.

Add vcpkg_installed to gitignore

Left-trim spaces from string configuration values

This makes it easier to use Bash on Windows where a prefixing / is translated
into the MinGW32 file system root.

Mark rd_kafka_conf_kv_split as unused .. until it's used.

rd_kafka_queue_get_background() now creates the background thread

Added custom SASL callback queue

Fix test flags for 0122 and 0126

Test 0119: remove unused code

Direct questions to the github discussions forum to keep issue load down

Add clang-format style checking and fixing

Add Python style checking and fixing

Run style-checker with Github Actions

Automatic style fixes using 'make style-fix'

Manual style fixes of Python code

Avoid use of FILE* BIOs to circumvent OpenSSL_Applink requirement on Windows (confluentinc#3554)

Added README for fork (UrbanCompass#15)

merge upstream 2022 04 08 (UrbanCompass#17)

* Fix memory leak in admin requests

Fix a memory leak introduced in ca1b30e in which the arguments to an
admin request were not being freed. Discovered by the test suite for
rust-rdkafka [0].

[0]: https://github.com/fede1024/rust-rdkafka/pull/397/checks?check_run_id=3914902373

* Fix MinGW Travis build issues by breaking test execution into a separate script

* ACL Admin Apis: CreateAcls, DescribeAcls, DeleteAcls

* Minor ACL API adjustments and some small code tweaks

* Add ACL support to CHANGELOG

* Retrieve jwt token from token provider (@jliunyu, confluentinc#3560)

* Fixed typo

* MsgSets with just aborted msgs raised a MSG_SIZE error, and fix backoff (confluentinc#2993)

This also removes fetch backoffs on underflows (truncated responses).

* test 0129: style fix

* test 0105: Fix race condition

* Idempotent producer: save state for removed partitions

.. in case they come back. To avoid silent message loss.

* Remove incorrect comment on mock API

* Fix rkbuf_rkb assert on malformed JoinGroupResponse.metadata

* clusterid() would fail if there were no topics in metadata (confluentinc#3620)

* sasl.oauthbearer.extensions should be optional

Fixes confluentinc/confluent-kafka-python#1269.

* Added AK 3.1.0 to test versions

* Changelog updates

* Bump version to v1.9.0

* sasl.oauthbearer.scope should be optional

According to the section 4.4.2 of RFC 6749, the scope is optional
in the access token request in client credentials flow.

And indeed, for OIDC providers that I find in the wild such as
Amazon Cognito, the scope _is_ optional. If the scope is omitted
from the request, then the returned access token will contain any
and all scope(s) that are configured for the client.

See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2

* Fix hang in list_groups() when cluster is unavailable (confluentinc#3705)

This was caused by holding on to an old broker state version that got outdated
and caused an infinite loop, rather than a timeout.

* Style fixes

* Integration test for OIDC (confluentinc#3646)

* Test for trivup

* integration test

* Update code style for existing code at rdkafka_sasl_oauthbearer_oidc.c

* Handle review comment

* tiny fix

* Handle review comments

* misc.c style fix

* Test fixes: OIDC requires AK 3.1, not 3.0

* Test 0113: reset security.protocol when using mock cluster

* Travis: use Py 3.8 (not 3.5) on Xenial builder

* Travis: bump integration test from AK 2.7.0 to 2.8.1

* Fix README release wording

* Improve subscribe() error documentation

* Fix linger.ms/message.timeout.ms config checking (confluentinc#3709)

* Replace deprecated zookeeper flag with bootstrap (@ladislavmacoun, confluentinc#3700)

* Replace deprecated zookeeper flag with bootstrap

Fixes: confluentinc#3699

Signed-off-by: Ladislav Macoun <ladislavmacoun@gmail.com>

* Add backwards compatibility

Signed-off-by: Ladislav Macoun <ladislavmacoun@gmail.com>

* Add assertion for cmd fitting inside buffer

Signed-off-by: Ladislav Macoun <ladislavmacoun@gmail.com>

* Increase command buffer

Signed-off-by: Ladislav Macoun <ladislavmacoun@gmail.com>

* Save one superfluous message timeout toppar scan

* Update to fedora:35 to fix the CentOS 8 build

mock epel-8-x86_64 is now broken in fedora:33:
https://bugzilla.redhat.com/show_bug.cgi?id=2049024

Update to fedora:35 with mock configs:
centos+epel-7-x86_64
centos-stream+epel-8-x86_64

* Add link to tutorial on Confluent Developer

Also fix indenting of bullet list

* Grooming (compilation warnings, potential issues)

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>

* fix: acl binding enum checks (@emasab, confluentinc#3741)

* checking enums values when creating or reading AclBinding and AclBindingFilter

* AclBinding destroy array function

* acl binding unit tests

* warnings and fix for unknown enums, test fixes

* int sizes matching the read size

* pointer to the correct broker

* cmake: Use CMAKE_INSTALL_LIBDIR

this ensures that it is portable across platforms e.g. ppc64/linux
uses lib64 not lib

Signed-off-by: Khem Raj <raj.khem@gmail.com>

* Trigger op callbacks regardless for unhandled types in consume_batch_queue() et.al. (confluentinc#3263)

* AppVeyor: Use Visual Studio 2019 image to build since 2015 has TLS problems

The 2015 image fails to download openssl due to TLS 1.2 not being available,
or something along those lines.

* mklove: add LD_LIBRARY_PATH to libcurl builder so that runtime checks pass

* Travis: build alpine & manylinux builds with --source-deps-only

This avoids relying on distro installed packages, which isn't very robust.

* Nuget Debian build: use --source-deps-only to avoid external dependencies

* RPM test: Use ubi8 image instead of centos:8

.. since centos is no more

* Curl 7.82.0

* mklove: curl now requires CoreFoundation and SystemConfiguration frameworks on osx

* Test 0128: skip if there's no oauthbearer support

* Test 0128: make thread-safe

* Test 0077: reduce flakiness by expediting compaction

* Update to zlib 1.2.12 and OpenSSL 1.1.1n

* vcpkg: revoke to zlib 1.2.11 since 1.2.12 is not yet available (as vcpkg)

* Travis: Disable mingw dynamic build for now (gcc breakage)

GCC 11 adds a new symbol that is not available in the mingw/msys2 libstdc++,
which makes it impossible to run applications that were built.

Until that's fixed we disable this worker since it will fail anyway.

* mklove: fix formatting of skipped pkg-config checks

* Fix lock order for rk_init_lock to avoid deadlock (non-released regression)

* vcpkg version bumps

* Update release instructions

* Make dynamic MinGW build copy DLLs instead of trying to manipulate PATH (@neptoess, confluentinc#3787)

* Make dynamic MinGW build copy DLLs instead of trying to manipulate PATH

* Remove tag requirement on MinGW dynamic build

Co-authored-by: Bill Rose <neptoess@gmail.com>

* Fix regression from last PR: curl_ldflags

* Reset stored offset on assign() and prevent offsets_store() for unassigned partitions

* Include broker_id in offset reset logs and corresponding consumer errors (confluentinc#3785)

* Txn: properly handle PRODUCER_FENCED in InitPid reply

* Provide reason to broker thread wakeups in debug logs

This will make troubleshooting easier

* rdkafka_performance: include broker in DR printouts

* Make SUBTESTS=.. match all of the subtest format string

* Added file io abstraction

* rdkafka_performance: cut down on the number of poll calls in full-rate mode

* Added test.mock.broker.rtt

* Log mock broker bootstrap.servers addresses when test.mock.num.brokers is set

* Mock brokers now allow compressed ProduceRequests

No decompression or validation is performed.

* Made rd_buf_read|peek_iXX() type safe

* SUB_TEST_SKIP() format verification

* Statistics: let broker.wakeups metric cover all broker wakeups, both IO and cnds

* Improved producer queue wakeups

* Broker thread: don't block on IO if there are ops available

* vcpkg: Update to zlib 1.2.12

* Fix some win32 compilation warnings

* Proper use of rd_socket_close() on Win32

Regression during v1.9.0 development

* Test 0101: missing return after Test::Skip()

* seek() doc clarification (confluentinc#3004)

* Documentation updates

* style-check* now fails on style warnings

* Automatic style fixes

* Some OIDC documentation fixes

* Fix for AWS_MSK_IAM

* Update for new method signature

Co-authored-by: Nikhil Benesch <nikhil.benesch@gmail.com>
Co-authored-by: Bill Rose <neptoess@gmail.com>
Co-authored-by: Emanuele Sabellico <emasab@gmail.com>
Co-authored-by: Magnus Edenhill <magnus@edenhill.se>
Co-authored-by: Jing Liu <jl5311@nyu.edu>
Co-authored-by: Matt Clarke <matt.clarke@ess.eu>
Co-authored-by: Leo Singer <leo.singer@ligo.org>
Co-authored-by: Ladislav <ladislavmacoun@gmail.com>
Co-authored-by: Ladislav Snizek <ladislav.snizek@cdn77.com>
Co-authored-by: Lance Shelton <lance.shelton@hammerspace.com>
Co-authored-by: Robin Moffatt <robin@rmoff.net>
Co-authored-by: Sergio Arroutbi <sarroutb@redhat.com>
Co-authored-by: Khem Raj <raj.khem@gmail.com>
Co-authored-by: Bill Rose <wwriv1991@gmail.com>

merge upstream 2022 08 01 (UrbanCompass#19)

Co-authored-by: Bill Rose <neptoess@gmail.com>
Co-authored-by: Magnus Edenhill <magnus@edenhill.se>
Co-authored-by: Nikhil Benesch <nikhil.benesch@gmail.com>
Co-authored-by: Emanuele Sabellico <emasab@gmail.com>
Co-authored-by: Jing Liu <jl5311@nyu.edu>
Co-authored-by: Matt Clarke <matt.clarke@ess.eu>
Co-authored-by: Leo Singer <leo.singer@ligo.org>
Co-authored-by: Ladislav <ladislavmacoun@gmail.com>
Co-authored-by: Ladislav Snizek <ladislav.snizek@cdn77.com>
Co-authored-by: Lance Shelton <lance.shelton@hammerspace.com>
Co-authored-by: Robin Moffatt <robin@rmoff.net>
Co-authored-by: Sergio Arroutbi <sarroutb@redhat.com>
Co-authored-by: Khem Raj <raj.khem@gmail.com>
Co-authored-by: Bill Rose <wwriv1991@gmail.com>
Co-authored-by: Dmytro Milinevskyi <dmytro.milinevskyi@datadoghq.com>
Co-authored-by: Mikhail Avdienko <whitearchey@gmail.com>
Co-authored-by: wding <yangwding@gmail.com>
Co-authored-by: Shawn <wangxiaofan0529@gmail.com>
Co-authored-by: ihsinme <ihsinme@gmail.com>
Co-authored-by: Emanuele Sabellico <esabellico@confluent.io>
Co-authored-by: Roman Schmitz <rschmitz@confluent.io>
Co-authored-by: Miklos Espak <miklos@smartcow.ai>
Co-authored-by: Alice Rum <wyvie@wyvie.org>
Co-authored-by: Eli Smaga <eli@confluent.io>
25 people authored and jacobpath committed Jun 6, 2023
1 parent f608e34 commit c2edc75
Showing 24 changed files with 2,839 additions and 14 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -31,3 +31,4 @@ cov-int
gdbrun*.gdb
TAGS
vcpkg_installed
.vscode
8 changes: 8 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,11 @@
# librdkafka v2.2.0-aws-msk-iam

librdkafka v2.2.0-aws-msk-iam is a patch release:

* Added `AWS_MSK_IAM` to supported `sasl.mechanisms`. This feature
provides support for using IAM authentication on AWS MSK clusters. (@garrett528, #3402)


# librdkafka v2.2.0

librdkafka v2.2.0 is a feature release:
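Review bot: calling v2.2.0-aws-msk-iam a "patch release" undersells the change, which adds a new SASL mechanism, eight configuration properties (`sasl.aws.access.key.id`, `sasl.aws.secret.access.key`, `sasl.aws.region`, `sasl.aws.security.token`, `sasl.aws.role.arn`, `sasl.aws.role.session.name`, `sasl.aws.duration.sec`, `enable.sasl.aws.use.sts`) and an STS credential-refresh handler; call it a feature release and list the properties and the STS refresh here, since otherwise CONFIGURATION.md is the only place they are documented. The bare `#3402` will also autolink to this fork's own issue tracker; write `confluentinc#3402` as the commit title does.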
14 changes: 11 additions & 3 deletions CONFIGURATION.md
@@ -3,7 +3,7 @@

Property | C/P | Range | Default | Importance | Description
-----------------------------------------|-----|-----------------|--------------:|------------| --------------------------
builtin.features | * | | gzip, snappy, ssl, sasl, regex, lz4, sasl_gssapi, sasl_plain, sasl_scram, plugins, zstd, sasl_oauthbearer, http, oidc | low | Indicates the builtin features for this build of librdkafka. An application can either query this value or attempt to set it with its list of required features to check for library support. <br>*Type: CSV flags*
builtin.features | * | | gzip, snappy, ssl, sasl, regex, lz4, sasl_gssapi, sasl_plain, sasl_scram, plugins, zstd, sasl_oauthbearer, http, oidc, http, oidc, sasl_aws_msk_iam | low | Indicates the builtin features for this build of librdkafka. An application can either query this value or attempt to set it with its list of required features to check for library support. <br>*Type: CSV flags*
client.id | * | | rdkafka | low | Client identifier. <br>*Type: string*
metadata.broker.list | * | | | high | Initial list of brokers as a CSV list of broker host or host:port. The application may also use `rd_kafka_brokers_add()` to add brokers during runtime. <br>*Type: string*
bootstrap.servers | * | | | high | Alias for `metadata.broker.list`: Initial list of brokers as a CSV list of broker host or host:port. The application may also use `rd_kafka_brokers_add()` to add brokers during runtime. <br>*Type: string*
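Review bot: the new `builtin.features` default repeats `http, oidc` (`..., sasl_oauthbearer, http, oidc, http, oidc, sasl_aws_msk_iam`). This table is generated from the feature list in the source rather than edited by hand, so the duplicate most likely means the `http`/`oidc` feature strings are now appended twice on the C side; fix the list there and regenerate CONFIGURATION.md, otherwise applications that compare `builtin.features` against a required set will see a misleading value.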
@@ -84,15 +84,23 @@ ssl_engine_callback_data | * | |
enable.ssl.certificate.verification | * | true, false | true | low | Enable OpenSSL's builtin broker (server) certificate verification. This verification can be extended by the application by implementing a certificate_verify_cb. <br>*Type: boolean*
ssl.endpoint.identification.algorithm | * | none, https | https | low | Endpoint identification algorithm to validate broker hostname using broker certificate. https - Server (broker) hostname verification as specified in RFC2818. none - No endpoint verification. OpenSSL >= 1.0.2 required. <br>*Type: enum value*
ssl.certificate.verify_cb | * | | | low | Callback to verify the broker certificate chain. <br>*Type: see dedicated API*
sasl.mechanisms | * | | GSSAPI | high | SASL mechanism to use for authentication. Supported: GSSAPI, PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, OAUTHBEARER. **NOTE**: Despite the name only one mechanism must be configured. <br>*Type: string*
sasl.mechanism | * | | GSSAPI | high | Alias for `sasl.mechanisms`: SASL mechanism to use for authentication. Supported: GSSAPI, PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, OAUTHBEARER. **NOTE**: Despite the name only one mechanism must be configured. <br>*Type: string*
sasl.mechanisms | * | | GSSAPI | high | SASL mechanism to use for authentication. Supported: GSSAPI, PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, OAUTHBEARER, AWS_MSK_IAM. **NOTE**: Despite the name only one mechanism must be configured. <br>*Type: string*
sasl.mechanism | * | | GSSAPI | high | Alias for `sasl.mechanisms`: SASL mechanism to use for authentication. Supported: GSSAPI, PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, OAUTHBEARER, AWS_MSK_IAM. **NOTE**: Despite the name only one mechanism must be configured. <br>*Type: string*
sasl.kerberos.service.name | * | | kafka | low | Kerberos principal name that Kafka runs as, not including /hostname@REALM <br>*Type: string*
sasl.kerberos.principal | * | | kafkaclient | low | This client's Kerberos principal name. (Not supported on Windows, will use the logon user's principal). <br>*Type: string*
sasl.kerberos.kinit.cmd | * | | kinit -R -t "%{sasl.kerberos.keytab}" -k %{sasl.kerberos.principal} \|\| kinit -t "%{sasl.kerberos.keytab}" -k %{sasl.kerberos.principal} | low | Shell command to refresh or acquire the client's Kerberos ticket. This command is executed on client creation and every sasl.kerberos.min.time.before.relogin (0=disable). %{config.prop.name} is replaced by corresponding config object value. <br>*Type: string*
sasl.kerberos.keytab | * | | | low | Path to Kerberos keytab file. This configuration property is only used as a variable in `sasl.kerberos.kinit.cmd` as ` ... -t "%{sasl.kerberos.keytab}"`. <br>*Type: string*
sasl.kerberos.min.time.before.relogin | * | 0 .. 86400000 | 60000 | low | Minimum time in milliseconds between key refresh attempts. Disable automatic key refresh by setting this property to 0. <br>*Type: integer*
sasl.username | * | | | high | SASL username for use with the PLAIN and SASL-SCRAM-.. mechanisms <br>*Type: string*
sasl.password | * | | | high | SASL password for use with the PLAIN and SASL-SCRAM-.. mechanism <br>*Type: string*
sasl.aws.access.key.id | * | | | high | SASL AWS access key id for use with the AWS_MSK_IAM mechanism <br>*Type: string*
sasl.aws.secret.access.key | * | | | high | SASL AWS secret access key for use with the AWS_MSK_IAM mechanism <br>*Type: string*
sasl.aws.region | * | | | high | SASL AWS region for use with the AWS_MSK_IAM mechanism <br>*Type: string*
enable.sasl.aws.use.sts | * | true, false | false | low | Enable the builtin AWS STS credential refresh handler. Only use this if you intend to use temporary credentials. If you use permanent credentials, keep this with the default (disabled). <br>*Type: boolean*
sasl.aws.security.token | * | | | high | SASL AWS security for use with the AWS_MSK_IAM mechanism if using STS (temp) credentials <br>*Type: string*
sasl.aws.role.arn | * | | | high | AWS RoleARN to use for calling STS. <br>*Type: string*
sasl.aws.role.session.name | * | | | high | Session name to use for STS AssumeRole. <br>*Type: string*
sasl.aws.duration.sec | * | 900 .. 43200 | 900 | low | The duration, in seconds, of the role session. Minimum is 900 seconds (15 minutes) and max is 12 hours. This will default to 900 seconds if not set. <br>*Type: integer*
sasl.oauthbearer.config | * | | | low | SASL/OAUTHBEARER configuration. The format is implementation-dependent and must be parsed accordingly. The default unsecured token implementation (see https://tools.ietf.org/html/rfc7515#appendix-A.5) recognizes space-separated name=value pairs with valid names including principalClaimName, principal, scopeClaimName, scope, and lifeSeconds. The default value for principalClaimName is "sub", the default value for scopeClaimName is "scope", and the default value for lifeSeconds is 3600. The scope value is CSV format with the default value being no/empty scope. For example: `principalClaimName=azp principal=admin scopeClaimName=roles scope=role1,role2 lifeSeconds=600`. In addition, SASL extensions can be communicated to the broker via `extension_NAME=value`. For example: `principal=admin extension_traceId=123` <br>*Type: string*
enable.sasl.oauthbearer.unsecure.jwt | * | true, false | false | low | Enable the builtin unsecure JWT OAUTHBEARER token handler if no oauthbearer_refresh_cb has been set. This builtin handler should only be used for development or testing, and not in production. <br>*Type: boolean*
oauthbearer_token_refresh_cb | * | | | low | SASL/OAUTHBEARER token refresh callback (set with rd_kafka_conf_set_oauthbearer_token_refresh_cb(), triggered by rd_kafka_poll(), et.al. This callback will be triggered when it is time to refresh the client's OAUTHBEARER token. Also see `rd_kafka_conf_enable_sasl_queue()`. <br>*Type: see dedicated API*
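Review bot: the `sasl.aws.security.token` description is missing a word ("SASL AWS security for use with the AWS_MSK_IAM mechanism" should read "SASL AWS security token ..."). Two more points on the new rows: `enable.sasl.aws.use.sts` is rated `low` importance although the `sasl.aws.role.arn`, `sasl.aws.role.session.name` and `sasl.aws.duration.sec` rows only take effect when it is `true`, so either raise it or state that dependency in each of the three descriptions; and `sasl.aws.secret.access.key` and `sasl.aws.security.token` are credentials held as plain config strings, so their descriptions should say, as for `sasl.password`, that the value is a secret and must be kept out of config dumps and debug logs.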
277 changes: 277 additions & 0 deletions README_FORK.md
@@ -0,0 +1,277 @@
librdkafka - the Apache Kafka C/C++ client library
==================================================

This is a forked version of the **librdkafka** library. It provides support for the SASL `AWS_MSK_IAM` mechanism.
The following is a guide to using this fork with other library bindings. We will attempt to keep this
fork up-to-date as much as possible but we cannot guarantee timelines.

If you have a request related to `AWS_MSK_IAM` support, please open an issue and we'll address as soon as possible.

For more information on `AWS_MSK_IAM`, please refer to the [AWS documentation](https://docs.aws.amazon.com/msk/latest/developerguide/security_iam_service-with-iam.html).

# Features #
* SASL support for the `AWS_MSK_IAM` mechanism
* Support for the use of STS temporary credentials with automatic credential refresh

# Binding to other libraries

## Prerequisites

This fork must be built from source on the machine running your workload. This fork requires the following libraries
to be installed before building from source:

* libssl-dev
* libcurl4-openss-dev
* libsasl2-dev
* liblz4-dev
* libzstd-dev
* libxml2-dev

Some of these packages may or may not already be installed on your machine. It is advisable to have each of these libraries
visible to `pkgconfig` for linking. To check the path that `pkgconfig` will search for the `.pc` files, run:

```bash
pkg-config --variable pc_path pkg-config
```

Make sure that the `.pc` files for each of the libraries above are in that path. If they are not, you may need to symlink them.

Once the required libraries are installed, you need to build this fork from source:
```bash
./configure
make
sudo make install
```

When you run `./configure`, you will see if the required libraries were picked up and `SASL_AWS_MSK_IAM` should be included on the `BUILT_WITH` line in your terminal.

## Using the fork with `kcat`
1. Install `kcat` from source
```bash
git clone git@github.com:edenhill/kcat.git
cd kcat
touch bootstrap-no-librdkafka.sh
vi bootstrap-no-librdkafka.sh
```
2. Copy the following shell script into the vim editor, save, and run `./bootstrap-no-librdkafka.sh`
```bash
#!/bin/bash
#
# This script provides a quick build alternative:
# * Dependencies are downloaded and built automatically
# * kcat is built automatically.
# * kcat is linked statically to avoid runtime dependencies.
#
# While this might not be the preferred method of building kcat, it
# is the easiest and quickest way.
#

set -o errexit -o nounset -o pipefail

: "${LIBRDKAFKA_VERSION:=v1.7.0-AWS_MSK_IAM}"

lrk_install_deps="--install-deps"
lrk_static="--enable-static"

for opt in $*; do
case $opt in
--no-install-deps)
lrk_install_deps=""
;;

--no-enable-static)
lrk_static=""
;;

*)
echo "Unknown option: $opt"
exit 1
;;
esac
shift
done


function download {
local url=$1
local dir=$2

if [[ -d $dir ]]; then
echo "Directory $dir already exists, not downloading $url"
return 0
fi

echo "Downloading $url to $dir"
if which wget 2>&1 > /dev/null; then
local dl='wget -q -O-'
else
local dl='curl -s -L'
fi

local tar_args=

# Newer Mac tar's will try to restore metadata/attrs from
# certain tar files (avroc in this case), which fails for whatever reason.
if [[ $(uname -s) == "Darwin" ]] &&
tar --no-mac-metadata -h >/dev/null 2>&1; then
tar_args="--no-mac-metadata"
fi

mkdir -p "$dir"
pushd "$dir" > /dev/null
($dl "$url" | tar -xz $tar_args -f - --strip-components 1) || exit 1
popd > /dev/null
}


function github_download {
local repo=$1
local version=$2
local dir=$3

local url=https://github.com/${repo}/archive/${version}.tar.gz

download "$url" "$dir"
}

function build {
dir=$1
cmds=$2


echo "Building $dir with commands:"
echo "$cmds"
pushd $dir > /dev/null
set +o errexit
eval $cmds
ret=$?
set -o errexit
popd > /dev/null

if [[ $ret == 0 ]]; then
echo "Build of $dir SUCCEEDED!"
else
echo "Build of $dir FAILED!"
exit 1
fi

# Some projects, such as yajl, puts pkg-config files in share/ rather
# than lib/, copy them to the correct location.
cp -v $DEST/share/pkgconfig/*.pc "$DEST/lib/pkgconfig/" || true

return $ret
}

function pkg_cfg_lib {
pkg=$1

local libs=$(pkg-config --libs --static $pkg)

# If pkg-config isnt working try grabbing the library list manually.
if [[ -z "$libs" ]]; then
libs=$(grep ^Libs.private $DEST/lib/pkgconfig/${pkg}.pc | sed -e s'/^Libs.private: //g')
fi

# Since we specify the exact .a files to link further down below
# we need to remove the -l<libname> here.
libs=$(echo $libs | sed -e "s/-l${pkg}//g")
echo " $libs"

>&2 echo "Using $libs for $pkg"
}

mkdir -p tmp-bootstrap
pushd tmp-bootstrap > /dev/null

export DEST="$PWD/usr"
export CFLAGS="-I$DEST/include"
if [[ $(uname -s) == Linux ]]; then
export LDFLAGS="-L$DEST/lib -Wl,-rpath-link=$DEST/lib"
else
export LDFLAGS="-L$DEST/lib"
fi
export PKG_CONFIG_PATH="$DEST/lib/pkgconfig"

# github_download "UrbanCompass/librdkafka" "$LIBRDKAFKA_VERSION" "librdkafka"
# build librdkafka "([ -f config.h ] || ./configure --prefix=$DEST $lrk_install_deps $lrk_static --disable-lz4-ext) && make -j && make install" || (echo "Failed to build librdkafka: bootstrap failed" ; false)

github_download "edenhill/yajl" "edenhill" "libyajl"
build libyajl "([ -d build ] || ./configure --prefix $DEST) && make install" || (echo "Failed to build libyajl: JSON support will probably be disabled" ; true)

download http://www.digip.org/jansson/releases/jansson-2.12.tar.gz libjansson
build libjansson "([[ -f config.status ]] || ./configure --enable-static --prefix=$DEST) && make && make install" || (echo "Failed to build libjansson: AVRO support will probably be disabled" ; true)

github_download "apache/avro" "release-1.8.2" "avroc"
build avroc "cd lang/c && mkdir -p build && cd build && cmake -DCMAKE_C_FLAGS=\"$CFLAGS\" -DCMAKE_INSTALL_PREFIX=$DEST .. && make install" || (echo "Failed to build Avro C: AVRO support will probably be disabled" ; true)

github_download "confluentinc/libserdes" "master" "libserdes"
build libserdes "([ -f config.h ] || ./configure --prefix=$DEST --CFLAGS=-I${DEST}/include --LDFLAGS=-L${DEST}/lib) && make && make install" || (echo "Failed to build libserdes: AVRO support will probably be disabled" ; true)

popd > /dev/null

echo "Building kcat"
./configure --clean
export CPPFLAGS="${CPPFLAGS:-} -I$DEST/include"
export STATIC_LIB_avro="$DEST/lib/libavro.a"
export STATIC_LIB_rdkafka="$DEST/lib/librdkafka.a"
export STATIC_LIB_serdes="$DEST/lib/libserdes.a"
export STATIC_LIB_yajl="$DEST/lib/libyajl_s.a"
export STATIC_LIB_jansson="$DEST/lib/libjansson.a"

# libserdes does not have a pkg-config file to point out secondary dependencies
# when linking statically.
export LIBS="$(pkg_cfg_lib rdkafka) $(pkg_cfg_lib yajl) $STATIC_LIB_avro $STATIC_LIB_jansson -lcurl"

# Remove tinycthread from libserdes b/c same code is also in librdkafka.
ar dv $DEST/lib/libserdes.a tinycthread.o

./configure --enable-static --enable-json --enable-avro
make

echo ""
echo "Success! kcat is now built"
echo ""

make install

kcat -h
```
3. Once the bootstrap script finishes, you can make sure that the library is installed correctly and is picking up the right **librdkafka** by running `kcat -h` and checking that you see the `sasl_aws_msk_iam` under the `builtin.features` when looking at the help output at the top.

### Usage
When running `kcat` commands, you need to specify the right **librdkafka** configuration properties for enabling IAM auth along with setting the ENV variables for `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and (optionally if using STS) `AWS_SESSION_TOKEN`. The required properties are defined as follows and you need to substitute the proper values for <ROLE_ARN> as well as <SESSION_NAME>:
```bash
kcat -X security.protocol=SASL_SSL \
-X sasl.mechanisms=AWS_MSK_IAM \
-X sasl.aws.access.key.id=${AWS_ACCESS_KEY_ID} \
-X sasl.aws.secret.access.key=${AWS_SECRET_ACCESS_KEY} \
-X sasl.aws.region=us-east-1 \
-X sasl.aws.security.token=${AWS_SESSION_TOKEN} \
-X sasl.aws.role.arn=<ROLE_ARN> \
-X sasl.aws.role.session.name=<SESSION_NAME> \
-X enable.sasl.aws.use.sts=1 \
# see kcat documentation for further commands
```

The use of STS is NOT required. If you want to use permanent credentials instead, you can omit the following properties:

* sasl.aws.security.token
* sasl.aws.role.arn
* sasl.aws.role.session.name
* enable.sasl.aws.use.sts

## Using the fork with `confluent-kafka-go`
Using `confluent-kafka-go` or if you're building something that requires it, you must build the package with the dynamic build tag:
```bash
CGO_ENABLED=1 go build -tags dynamic ./...
```

Please see the [confluent-kafka-go README](https://github.com/confluentinc/confluent-kafka-go#librdkafka) for more details.

## Using the fork with `confluent-kafka-python` (NOT YET VERIFIED IF WORKS)
Install the Python package from source:
```bash
pip install --no-binary :all: confluent-kafka
```

Please see the [confluent-kafka-python README](https://github.com/confluentinc/confluent-kafka-python#install) for more details.
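Review bot: the kcat bootstrap script never builds this fork: the two lines that would download and build `UrbanCompass/librdkafka` are commented out (`# github_download "UrbanCompass/librdkafka" ...` / `# build librdkafka ...`), so `kcat` is linked against whatever `librdkafka` is already installed, which contradicts step 3 ("picking up the right librdkafka"); either uncomment them or drop them and say explicitly that `make install` from the fork must have run first. Related inconsistencies in the same file: `LIBRDKAFKA_VERSION` defaults to `v1.7.0-AWS_MSK_IAM` while CHANGELOG.md names `v2.2.0-aws-msk-iam`; the prerequisite `libcurl4-openss-dev` should be `libcurl4-openssl-dev`; and the script fetches jansson over plain `http://` and libserdes from an unpinned `master` with no checksum check, unlike the mklove source-deps path this series hardened ("Verify checksum of source dependencies"). In the Usage section, passing `${AWS_SECRET_ACCESS_KEY}` and `${AWS_SESSION_TOKEN}` as `-X` arguments exposes them in process listings and shell history; recommend a permission-restricted properties file via `kcat -F <config-file>` instead, and note that the trailing `\` before `# see kcat documentation ...` leaves the command with a dangling continuation.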
9 changes: 9 additions & 0 deletions configure.self
@@ -150,6 +150,15 @@ void foo (void) {
if [[ $WITH_CURL == y ]]; then
mkl_allvar_set WITH_OAUTHBEARER_OIDC WITH_OAUTHBEARER_OIDC y
fi

# SASL AWS MSK IAM requires base64 encoding from OpenSSL
if mkl_lib_check "curl" "" disable CC "-lcurl" \
"#include <curl/curl.h>"; then
if mkl_lib_check "libxml2" "" disable CC "-lxml2" \
"#include <libxml/parser.h>"; then
mkl_allvar_set WITH_SASL_AWS_MSK_IAM WITH_SASL_AWS_MSK_IAM y
fi
fi
fi

# CRC32C: check for crc32 instruction support.
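Review bot: the comment "SASL AWS MSK IAM requires base64 encoding from OpenSSL" does not describe the checks beneath it, which probe libcurl and libxml2 (presumably for the STS credential refresh and parsing of its response added in this series); state the real requirement so a reader does not go looking for a missing OpenSSL check. The curl probe also duplicates the `WITH_CURL` result tested two lines above; test `$WITH_CURL == y` and then check only libxml2, which also keeps the two checks from diverging in their `disable` behaviour.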
