ccl: add support for additional sasl mechanisms (SCRAM-SHA-256 and SCRAM-SHA-512) #60150
Conversation
stevendanna
requested review from
a team and
dt
and removed request for
a team
|
This change is |
stevendanna
force-pushed
the
kafka-scram-support-with-tests
branch
from
4cb77c9
to
099aec2
Compare
stevendanna
changed the title
stevendanna
force-pushed
the
kafka-scram-support-with-tests
branch
from
099aec2
to
3da9bc4
Compare
There was a problem hiding this comment.
Reviewed 8 of 8 files at r1.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @dt and @stevendanna)
pkg/cmd/roachtest/cdc.go, line 550 at r2 (raw file):
if err := db.QueryRow( `CREATE CHANGEFEED FOR auth_test_table INTO $1`, fmt.Sprintf("%s?tls_enabled=true&ca_cert=%s&sasl_enabled=true&sasl_user=plain&sasl_password=plain-secret", kafka.sinkURLSASL(ctx), testCerts.CACertBase64()),
Are we losing all our tests of non-SCRAM logins here?
pkg/cmd/roachtest/cdc.go, line 921 at r2 (raw file):
org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret"
We should probably use different usernames/passwords for the different login methods so the test makes sure that we're not succeeding on the plaintext path and all the SASL stuff is getting ignored.
There was a problem hiding this comment.
Reviewable status:
pkg/cmd/roachtest/cdc.go, line 550 at r2 (raw file):
Previously, bdarnell (Ben Darnell) wrote…
Are we losing all our tests of non-SCRAM logins here?
D'oh. Thanks for catching this. We can test all three, I just was too aggressive when fixing a rebase conflict.
pkg/cmd/roachtest/cdc.go, line 921 at r2 (raw file):
Previously, bdarnell (Ben Darnell) wrote…
We should probably use different usernames/passwords for the different login methods so the test makes sure that we're not succeeding on the plaintext path and all the SASL stuff is getting ignored.
We do use different usernames for each login method that is used from cockroach. I've kept the "admin" password the same, but that should only be used by kafka internally for inter-broker communication.
stevendanna
force-pushed
the
kafka-scram-support-with-tests
branch
from
3da9bc4
to
5073246
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/cmd/roachtest/cdc.go, line 550 at r2 (raw file):
Previously, stevendanna (Steven Danna) wrote…
D'oh. Thanks for catching this. We can test all three, I just was too aggressive when fixing a rebase conflict.
Done.
stevendanna
force-pushed
the
kafka-scram-support-with-tests
branch
2 times, most recently
from
792aae5
to
bb7a238
Compare
Add support to specify the SASL mechanism for Kafka Changefeed DSNs via the `sasl_mechanism` option. Further, we add support for SCRAM-SHA-256 and SCRAM-SHA-512 in addition to the previously supported PLAIN mechanism. Co-authored-by: Steven Danna <danna@cockroachlabs.com> Release note (ccl change): Add `sasl_mechanism` parameter to Kafka Changefeed DSNs to specify SASL mechanism. CockroachDB supports the PLAIN, SCRAM-SHA-256, and SCRAM-SHA-512 SASL mechanisms.
Release note: None
stevendanna
force-pushed
the
kafka-scram-support-with-tests
branch
from
bb7a238
to
ebf48ed
Compare
|
bors r=bdarnell |
|
Build succeeded: |
|
@stevendanna: Thanks a lot for all about SCRAM. Linked to: |
This comment has been minimized.
This comment has been minimized.
This add support to specify the SASL mechanism for Kafka Changefeed
DSNs via the
sasl_mechanismoption. Further, we add support forSCRAM-SHA-256 and SCRAM-SHA-512 in addition to the previously
supported PLAIN mechanism.
Release note (ccl change): Add
sasl_mechanismparameter to KafkaChangefeed DSNs to specify SASL mechanism. CockroachDB supports the
PLAIN, SCRAM-SHA-256, and SCRAM-SHA-512 SASL mechanisms.