
Confluent Cloud api-key SASL config docs and validation #339

Open
navery-max opened this issue Jun 14, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@navery-max
Collaborator

Looks like the provisioner needs to be run using:

provisioner -config.properties=mypropertiesfile.properties

which is loaded here:
https://github.com/specmesh/specmesh-build/blob/main/kafka/src/main/java/io/specmesh/kafka/Clients.java#L65

which will (via specmesh) execute the equivalent of the code below:

import java.util.List;
import java.util.Properties;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.common.resource.*;

Properties props = new Properties();
// bootstrap.servers takes host:port pairs, not a URL (no https:// scheme)
props.put("bootstrap.servers", "<cluster-id>.cc-<region>.confluent.cloud:9092");
props.put("security.protocol", "SASL_SSL");
props.put("sasl.mechanism", "PLAIN");
// SASL/PLAIN username is the Confluent Cloud API key: this is the identity the broker authenticates
props.put("sasl.jaas.config", "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"<api-key>\" password=\"<api-secret>\";");
AdminClient adminClient = AdminClient.create(props);

// Create an ACL binding; the principal named here must match what the broker authenticates
AclBinding aclBinding = new AclBinding(
    new ResourcePattern(ResourceType.TOPIC, "mytopic", PatternType.LITERAL),
    new AccessControlEntry("User:alice", "*", AclOperation.ALL, AclPermissionType.ALLOW)
);
adminClient.createAcls(List.of(aclBinding)).all().get();

@navery-max navery-max added the bug Something isn't working label Jun 14, 2024
@t0ffel
Contributor

t0ffel commented Jun 14, 2024

Specmesh itself runs fine, since we provide the appropriate Kafka parameters with the correct SASL mechanism (PLAIN) and JAAS config (which contains the API key/API secret).
The specmesh.yaml, though, doesn't know anything about the API key. It knows about the user-readable "username" (I was using the service account name here), which is not the correct username and has no relation to the real Kafka user names. Kafka thinks that only API keys are usernames.

After the specmesh run, the specific user tries to write/read Kafka and gets an ACL exception. The JAAS config is correct (with API key/API secret), but the ACL says the user-readable "username" is allowed to do the operation (as was instructed in specmesh.yaml), whereas the real user is the API key.

Confluent API keys: https://docs.confluent.io/cloud/current/access-management/authenticate/api-keys/api-keys.html
API key IDs, as far as I understand, are random strings and cannot be controlled - we cannot name Kafka users.
API keys will differ per environment - we probably cannot put them into specmesh.yaml?
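As an added example (not code from specmesh or the issue authors), a pre-flight check for the mismatch discussed in this thread: it reads the properties a client authenticates with, derives the principal the broker will see, and flags ACL principals (as a specmesh.yaml would grant them) that can never match that identity. It assumes Kafka's default mapping of a SASL/PLAIN login to the principal User:<username>; the properties file and ACL principals are constructed samples.

```python
import re
from typing import Dict, List, Optional
# Constructed sample of a client's properties file; key and secret are placeholders.
SAMPLE_PROPERTIES = """\
# connection settings (constructed, not from the project)
bootstrap.servers=<cluster-id>.cc-<region>.confluent.cloud:9092
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="EXAMPLEAPIKEY" password="EXAMPLESECRET";
"""

# Constructed stand-in for the principals a specmesh.yaml would grant ACLs to.
SAMPLE_ACL_PRINCIPALS = ["User:alice", "User:EXAMPLEAPIKEY"]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: 'key=value' or 'key: value', '#'/'!' comments.
    Only the first separator splits the line, so the '=' inside the JAAS value survives."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def jaas_username(jaas_config: str) -> Optional[str]:
    """Return the username option of a JAAS config string (quoted or bare), or None."""
    m = re.search(r'\busername\s*=\s*(?:"([^"]*)"|([^\s;]+))', jaas_config)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def authenticated_principal(props: Dict[str, str]) -> Optional[str]:
    """Principal the broker sees for this client under SASL/PLAIN: 'User:<username>'.
    Assumes Kafka's default principal mapping; returns None if not SASL/PLAIN."""
    if props.get("sasl.mechanism", "").upper() != "PLAIN":
        return None
    user = jaas_username(props.get("sasl.jaas.config", ""))
    return f"User:{user}" if user else None


def mismatched_acl_principals(props: Dict[str, str], principals: List[str]) -> List[str]:
    """ACL principals that can never match the identity this client authenticates as."""
    actual = authenticated_principal(props)
    return [p for p in principals if p != actual]
```

Running it on the sample reports User:alice as a principal that will be granted an ACL but never authenticate, which is exactly the failure described above.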
