Add kerberos support #1366

Merged
merged 1 commit into from
May 27, 2019
Conversation

rubenvp8510
Contributor

@rubenvp8510 rubenvp8510 commented Apr 29, 2019

Signed-off-by: Ruben Vargas ruben.vp8510@gmail.com

This is a pure Go solution.

@ghost ghost added the cla-needed label Apr 29, 2019
@rubenvp8510 rubenvp8510 reopened this Apr 29, 2019
@ghost ghost removed the cla-needed label Apr 29, 2019
@mieczkowski

Hi. I've just created my solution for kerberos auth, but I will be happy to test your solution (native is better than libsasl2 <3 ).

@mieczkowski mieczkowski left a comment

Nice work! It works. Dynamic SPN (for kafka cluster) should be supported. And of course error handling :) I will cancel my PR and I'm waiting for this to merge!

@rubenvp8510 rubenvp8510 force-pushed the kerberos_support branch 9 times, most recently from 1d89026 to eefdd51 Compare May 1, 2019 01:02
@rubenvp8510 rubenvp8510 changed the title [WIP] Add kerberos support Add kerberos support May 1, 2019
@rubenvp8510
Contributor Author

rubenvp8510 commented May 2, 2019

@mieczkowski I made some changes and also handled the errors. I'm just starting with Go and Kafka, so I'm open to suggestions. WDYT?

@mieczkowski mieczkowski left a comment

Looks good (and it works with kafka cluster :) ). One missing return, one suggestion about config, and some missing error checks. We should always check and handle errors from external libraries, even if we are pretty sure that it will not happen ;)

	if err != nil {
		return err
	}
	krbAuth.client = krb5client.NewClientWithKeytab(krbAuth.config.Username, krbAuth.config.Realm, kt, cfg)

How about moving the loading of kt and cfg into (c *Config) Validate()? The keytab and KerberosConfig files should be validated at client creation, not at runtime.

@rubenvp8510
Contributor Author

I understand that it could be semantically better, but..

After thinking about this, I don't see the difference: right now (c *Config) Validate() happens in the Open method, the same as Kerberos client creation (where the keytab parsing happens), and the same place where authentication happens.

Also, if I follow the same logic for the Kerberos config validation, which happens when the Kerberos client instance is created, I would need to move the Kerberos client instantiation into (c *Config) Validate().

@rubenvp8510 rubenvp8510 force-pushed the kerberos_support branch 10 times, most recently from 0bc673e to 282954a Compare May 8, 2019 19:54
@rubenvp8510
Contributor Author

@mieczkowski @eapache @bai Could you review this one please?

Thanks

@rubenvp8510
Contributor Author

Any updates on this?

Thanks

@bai
Contributor

bai commented May 27, 2019

Thanks for your contribution!

@bai bai merged commit 41f00bc into IBM:master May 27, 2019
@objectiser

@bai Is there a release planned soon to include this feature?

@bai
Contributor

bai commented May 29, 2019

Yep, I'll cut a release in the next few days.

@objectiser

@bai Thanks!

@objectiser

Hi @bai, any update on when a release will be cut?

@shriram1993

@rubenvp8510 I am trying to use Kerberos authentication but I am getting the error "wrong Token ID. Expected 0504, was 6030".
file name: /gssapi_kerberos.go
line no: 181
if err := wrapTokenReq.Unmarshal(bytes, true); err != nil {
	return nil, err
}
I am not getting any clue as to what I am doing wrong.
Please help.

@rubenvp8510
Contributor Author

rubenvp8510 commented Jul 4, 2019

@shriram1993 Could you please post information about your environment: the Kafka version, how it is configured, and how Kerberos is configured?

I see similar errors in other libraries that rely on gokrb5 for handling Kerberos authentication messages (colinmarc/hdfs#145); I think it could be something related to encryption.

Thanks.

@shriram1993

Kafka version: 0.11.03
Kerberos Version: 1.15.1
Kerberos auth type: keytab file based
Kerberos server only supports SASL_PLAINTEXT.

The configuration set in krb5.conf:
ticket_lifetime = 1d
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = false
allow_weak_crypto = false

@yzpnet

yzpnet commented Jul 8, 2019

How to support SASL_PLAINTEXT?

@shriram1993

shriram1993 commented Jul 11, 2019

@rubenvp8510 I have the same question. My Kerberos server is expecting the security protocol 'SASL_PLAINTEXT', but there is no way to set the same in the configuration. Please suggest.

cfg := sarama.NewConfig()
cfg.Producer.Return.Successes = true
cfg.Metadata.Retry.Max = 0
cfg.Net.SASL.Enable = true
cfg.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
cfg.Net.SASL.GSSAPI.ServiceName = "kafka" // must match the broker's sasl.kerberos.service.name
cfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_KEYTAB_AUTH
cfg.Net.SASL.GSSAPI.KeyTabPath = "KEY TAB FILE PATH"
cfg.Net.SASL.GSSAPI.KerberosConfigPath = "KRB5 CONFIG PATH"
cfg.Net.SASL.GSSAPI.Username = "PRINCIPAL NAME" // principal name without the @REALM suffix
cfg.Net.SASL.GSSAPI.Realm = "REALM"

@yzpnet

yzpnet commented Jul 16, 2019

@rubenvp8510
I have the same question too.
Kerberos auth needs to support SASL_PLAINTEXT.

@yzpnet

yzpnet commented Aug 8, 2019

SASL_PLAINTEXT

@rubenvp8510
Contributor Author

rubenvp8510 commented Aug 9, 2019

I'm going to start looking at how to implement SASL_PLAINTEXT support. @yzpnet @shriram1993 Could you provide me with your Kafka configuration? That would help a lot.

I'm a little bit confused. In one comment I read "Kerberos server only supports SASL_PLAINTEXT.", but as far as I know the problem is not in the communication with the KDC but with Kafka.

I'm assuming that the implementation needs to support Kafka SASL_PLAINTEXT + Kerberos. Correct me if I misunderstood, please.

Thank you!

@shriram1993

Kafka config:
properties.setProperty("bootstrap.servers", "kafka-hotels.example.com:9092");
properties.setProperty("key.serializer.class", "kafka.serializer.StringEncoder");
properties.setProperty("serializer.class", "kafka.serializer.DefaultEncoder");
properties.setProperty("request.required.acks", "1");
properties.setProperty("retries", "3");
properties.setProperty("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
properties.setProperty("value.serializer", "org.apache.kafka.common.serialization.StringSerializer");
properties.setProperty("compression.type", "snappy");
properties.setProperty("request.timeout.ms", "300000");
properties.setProperty("metadata.fetch.timeout.ms", "100000");
properties.setProperty("security.protocol", "SASL_PLAINTEXT");
properties.setProperty("sasl.kerberos.service.name", "kafka");
System.setProperty("java.security.krb5.conf", "/etc/kerberos/conf/krb5.conf");
System.setProperty("java.security.auth.login.config", "path of jaas-cache.conf");

jaas-cache.conf:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="keytab.keytab"
storeKey=true
useTicketCache=false
serviceName="kafka"
principal="mirroruser@EXAMPLE.COM";
};

Krb5.conf:
default_realm = EXAMPLE.COM
clockskew = 300
ticket_lifetime = 1d
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = true

@shriram1993

> I'm a little bit confused. In one comment I read "Kerberos server only supports SASL_PLAINTEXT.", but as far as I know the problem is not in the communication with the KDC but with Kafka.
>
> I'm assuming that the implementation needs to support Kafka SASL_PLAINTEXT + Kerberos. Correct me if I misunderstood, please.
>
> Thank you!

Yes!! You are right. The issue is not with the KDC; it is with Kafka.
"Kerberos only supports SASL_PLAINTEXT" means we are using Kerberos + Kafka with the SASL_PLAINTEXT security protocol.

@rubenvp8510
Contributor Author

Well, this should work with SASL_PLAINTEXT by default. I'm reviewing what could cause the error you are seeing.

@rubenvp8510
Contributor Author

Hi @shriram1993 @yzpnet

After reviewing this in detail, I managed to reproduce the issue; it seems the current implementation of Kerberos authentication does not support rc4-hmac.

The thing here is that RFC 4121 (or at least the Java implementation) only supports aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 as the methods for encryption and integrity checking for tkt and tgs. To work with rc4-hmac we would need to implement RFC 1964.

So, I would say this should work if you configure your Active Directory [1] to support those encryption types and your krb5.conf to use them (not sure, but I think you need to regenerate your keytab files if you are using them). You may also need to disable FAST negotiation; I'll send a PR to expose that option in sarama.

Let me know if this works for you so I can close the corresponding issue. I'll test it and post my configs here.

[1] https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/
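An added example (not sarama's or gokrb5's own code) that makes the token ID mismatch concrete: it classifies a GSS-API Kerberos token by its leading bytes. With the AES enctypes, per-message tokens follow RFC 4121 and start with the bare ID 05 04 that the parser quoted earlier expects; with rc4-hmac they follow RFC 1964/4757 and are wrapped in APPLICATION 0 framing, so the first bytes are 0x60 and a DER length, which is the 6030 seen in the error. The sample token is constructed, and only the short DER length form is handled.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DER-encoded Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964 section 1).
const krb5MechOID = "\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"

// Bare TOK_IDs of RFC 4121 (CFX) per-message tokens, used with the AES enctypes.
var cfxTokenIDs = map[uint16]string{0x0404: "RFC 4121 MIC token", 0x0504: "RFC 4121 Wrap token"}

// TOK_IDs that follow the mech OID inside RFC 2743 InitialContextToken framing
// (0x60, DER length, OID, TOK_ID); rc4-hmac still uses this RFC 1964 layout (RFC 4757).
var framedTokenIDs = map[uint16]string{
	0x0100: "KRB_AP_REQ", 0x0200: "KRB_AP_REP", 0x0300: "KRB_ERROR",
	0x0101: "RFC 1964 MIC token", 0x0201: "RFC 1964 Wrap token (rc4-hmac)",
}

// ClassifyGSSToken names a GSS-API Kerberos token from its leading bytes. Simplification
// of this example: only the short DER length form (body under 128 bytes) is handled.
func ClassifyGSSToken(tok []byte) (string, error) {
	if len(tok) < 2 {
		return "", errors.New("token too short")
	}
	if name, ok := cfxTokenIDs[binary.BigEndian.Uint16(tok)]; ok {
		return name, nil
	}
	if tok[0] != 0x60 || tok[1] >= 0x80 {
		return "", fmt.Errorf("bytes %x are neither a CFX token ID nor short-form APPLICATION 0 framing", tok[:2])
	}
	body := tok[2:]
	if len(body) != int(tok[1]) || len(body) < len(krb5MechOID)+2 || string(body[:len(krb5MechOID)]) != krb5MechOID {
		return "", errors.New("framed token is truncated or not a Kerberos V5 mech token")
	}
	inner := binary.BigEndian.Uint16(body[len(krb5MechOID):])
	if name, ok := framedTokenIDs[inner]; ok {
		return name, nil
	}
	return "", fmt.Errorf("unknown framed token ID %04x", inner)
}

// SampleRC4WrapToken is a constructed token that starts with the "6030" from the error
// above: 0x60, length 0x30, mech OID, TOK_ID 02 01, SGN_ALG 11 00 (HMAC), SEAL_ALG 10 00
// (RC4), filler ff ff, then a zeroed sequence/checksum/confounder tail.
var SampleRC4WrapToken = append([]byte("\x60\x30"+krb5MechOID+"\x02\x01\x11\x00\x10\x00\xff\xff"),
	make([]byte, 0x30-len(krb5MechOID)-8)...)
```

Feeding the broker's first post-handshake token through ClassifyGSSToken tells you whether the peer negotiated CFX (AES) or the legacy RFC 1964 framing before blaming the keytab or the config.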

@rubenvp8510
Contributor Author

rubenvp8510 commented Aug 15, 2019

Hi again

Confirmed that the issue is with rc4-hmac

This is my configuration:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 300
    ticket_lifetime = 1d
    renew_lifetime = 7d
    forwardable = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
    udp_preference_limit = 1
    kdc_timeout = 3000
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = 192.168.58.3
        admin_server = 192.168.58.3
    }

[domain_realm]
    .kerberoswin.com = EXAMPLE.COM
    kerberoswin.com = EXAMPLE.COM

I followed the guide mentioned in my previous comment to configure AES encryption types for my user accounts and regenerated the keytabs for my services.

I regenerated my keytabs using this command [2]:

ktpass -princ kafka/kafka@EXAMPLE.COM -mapuser EXAMPLE0\kafka -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass kfk_password -out C:\keytabs\kafka.ktab

[2] https://github.com/edenhill/librdkafka/wiki/Using-SASL-with-librdkafka-on-Windows

@virtualsafety

I don't need Kerberos auth; how do I disable it? I do not want to download so many third-party libraries.
