
Add SASL authentication for Kafka acquisition #3336

Open
acm-073 opened this issue Nov 20, 2024 · 5 comments
Labels
kind/enhancement New feature or request needs/triage

Comments

acm-073 commented Nov 20, 2024

What would you like to be added?

/kind enhancement
Hello,

crowdsec already supports log acquisition from Kafka streams. I tried to hook it up to Azure Event Hub, which has a Kafka endpoint. There are two things that need to be done to make this work:

  • Azure Event Hub requires SASL authentication, which is supported by the underlying kafka-go client but not available in the Kafka acquisition config
  • Azure Event Hub requires a TLS connection, but no client certificate. The way the current kafka TLS config works is: either TLS config is present, then a client certificate is expected/required, or TLS config is not present, then a plain socket connection is established

It would be great if crowdsec would support log acquisition from Azure Event Hubs because it is a common scenario in Azure to stream logs through an event hub.

I have created a working prototype and would be happy to create a PR if you're interested.

Regards
Albrecht

Why is this needed?

Streaming logs to Azure Event Hub is a common scenario in Azure cloud architectures. Being able to acquire logs directly from Event Hubs would greatly simplify the integration of crowdsec with Azure cloud applications.


@acm-073: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.


@acm-073: There are no 'kind' label on this issue. You need a 'kind' label to start the triage process.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind bug
  • /kind packaging


acm-073 commented Nov 20, 2024

/kind enhancement

@github-actions github-actions bot added kind/enhancement New feature or request and removed needs/kind labels Nov 20, 2024

LaurenceJJones commented Nov 20, 2024

With this

Azure Event Hub requires a TLS connection, but no client certificate. The way the current kafka TLS config works is: either TLS config is present, then a client certificate is expected/required, or TLS config is not present, then a plain socket connection is established

Do you want to just load the CA certificate then, just so I can understand? As if the CA cert is within the system, then you shouldn't need to define it here, unless you can tell us if it's self-signed, as we don't know how Azure does its TLS.

Edit: ahh I think I see the issue.


acm-073 commented Nov 20, 2024

With this

Azure Event Hub requires a TLS connection, but no client certificate. The way the current kafka TLS config works is: either TLS config is present, then a client certificate is expected/required, or TLS config is not present, then a plain socket connection is established

Do you want to just load the CA certificate then, just so I can understand? As if the CA cert is within the system, then you shouldn't need to define it here, unless you can tell us if it's self-signed, as we don't know how Azure does its TLS.

Edit: ahh I think I see the issue.

Let me detail some more:

  • if the TLS config in kafka acquisition is present, then the acquisition tries to load a client cert which it would use for client authentication. If none is configured, then the client configuration fails. A client cert is NOT required for Azure Event Hub - only server authentication (where the server presents an SSL certificate) is used. For this, of course the client needs to have the "public" CA certificates, but they are usually available in the environment
  • if the TLS config is not present, the acquisition tries to establish a plain TCP connection without using TLS, which fails with Azure Event Hubs.

My approach was to add a SASL config like this:

sasl:
  mechanism: PLAIN
  username: $ConnectionString
  password: <azure-eventhub-connection-string>
  use_ssl: true

and then in Kafka Dialer, set the TLS config either if kafka.TLS is set (with the client cert stuff) or if kafka.sasl.use_ssl is set, without client cert.

You can have a look at acm-073@cb500a1#diff-69964165ec35fb39e2763740aa78ff24fdd4f24055edadd9fb61d31d7ea29e7cR282 to see how I solved the issue.

Regards
Albrecht
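The dialer rule from the comment above (a tls block means mutual TLS with a client certificate, sasl.use_ssl means server-authenticated TLS with no client certificate, neither means a plaintext socket), carried through as an added example. This is not crowdsec's acquisition code nor the linked prototype: the config struct fields, the validate helper and the sample Event Hubs namespace and connection string are assumptions constructed for the example. It also encodes the SASL/PLAIN initial response the client would send, so the shape of what `$ConnectionString` plus the connection string turns into on the wire is visible.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// TLSConfig stands in for the existing `tls:` block of the kafka acquisition as
// the thread describes it: when present, a client certificate is expected.
// Field names are assumptions for this example, not crowdsec's real ones.
type TLSConfig struct {
	ClientCert string // PEM file with the client certificate
	ClientKey  string // PEM file with the matching private key
	CACert     string // optional PEM file with a CA to trust instead of system roots
}

// SASLConfig is the `sasl:` block proposed in the thread.
type SASLConfig struct {
	Mechanism string
	Username  string
	Password  string
	UseSSL    bool // use_ssl: TLS with server authentication only, no client cert
}

type KafkaConfig struct {
	Brokers []string
	TLS     *TLSConfig
	SASL    *SASLConfig
}

// buildTLSConfig implements the dialer rule from the thread:
//   - tls block present   -> TLS with a client certificate (mutual TLS)
//   - sasl.use_ssl set    -> TLS with system root CAs only (the Event Hubs case)
//   - neither             -> nil, i.e. a plaintext TCP connection
func buildTLSConfig(cfg KafkaConfig) (*tls.Config, error) {
	switch {
	case cfg.TLS != nil:
		if cfg.TLS.ClientCert == "" || cfg.TLS.ClientKey == "" {
			return nil, errors.New("tls block present but client_cert/client_key not set")
		}
		cert, err := tls.LoadX509KeyPair(cfg.TLS.ClientCert, cfg.TLS.ClientKey)
		if err != nil {
			return nil, fmt.Errorf("loading client certificate: %w", err)
		}
		tc := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}}
		if cfg.TLS.CACert != "" {
			pem, err := os.ReadFile(cfg.TLS.CACert)
			if err != nil {
				return nil, fmt.Errorf("reading ca_cert: %w", err)
			}
			pool := x509.NewCertPool()
			if !pool.AppendCertsFromPEM(pem) {
				return nil, errors.New("ca_cert contains no usable certificates")
			}
			tc.RootCAs = pool
		}
		return tc, nil
	case cfg.SASL != nil && cfg.SASL.UseSSL:
		// Server-authenticated TLS only. RootCAs stays nil so Go verifies the
		// broker's chain against the system trust store, and InsecureSkipVerify
		// stays false so a forged endpoint is rejected rather than handed the
		// connection string.
		return &tls.Config{MinVersion: tls.VersionTLS12}, nil
	default:
		return nil, nil
	}
}

// saslPlainInitialResponse builds the RFC 4616 SASL/PLAIN message sent after the
// Kafka SaslHandshake: "<authzid>\x00<authcid>\x00<password>" with an empty
// authorization identity. For Event Hubs authcid is the literal "$ConnectionString"
// and the password is the connection string itself.
func saslPlainInitialResponse(username, password string) []byte {
	msg := make([]byte, 0, len(username)+len(password)+2)
	msg = append(msg, 0)
	msg = append(msg, username...)
	msg = append(msg, 0)
	msg = append(msg, password...)
	return msg
}

// validate rejects the combination a security reviewer would flag: SASL/PLAIN
// carries the password in clear inside the SASL exchange, so it must not be
// used without either the tls block or sasl.use_ssl. Refusing it is this
// example's policy choice, not something the thread decides.
func validate(cfg KafkaConfig) error {
	if cfg.SASL == nil {
		return nil
	}
	if cfg.SASL.Mechanism != "PLAIN" {
		return fmt.Errorf("unsupported sasl mechanism %q (this example only handles PLAIN)", cfg.SASL.Mechanism)
	}
	if cfg.TLS == nil && !cfg.SASL.UseSSL {
		return errors.New("sasl mechanism PLAIN requires tls or sasl.use_ssl; refusing to send the password in cleartext")
	}
	return nil
}

func main() {
	// Constructed sample in the Event Hubs shape from the thread; namespace and key are placeholders.
	cfg := KafkaConfig{
		Brokers: []string{"myns.servicebus.windows.net:9093"},
		SASL: &SASLConfig{
			Mechanism: "PLAIN",
			Username:  "$ConnectionString",
			Password:  "Endpoint=sb://myns.servicebus.windows.net/;SharedAccessKeyName=reader;SharedAccessKey=REDACTED",
			UseSSL:    true,
		},
	}
	if err := validate(cfg); err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	tc, err := buildTLSConfig(cfg)
	if err != nil {
		fmt.Println("tls error:", err)
		return
	}
	fmt.Printf("tls=%v client_certs=%d min_version=%#x\n", tc != nil, len(tc.Certificates), tc.MinVersion)
	fmt.Printf("sasl initial response: %q\n", saslPlainInitialResponse(cfg.SASL.Username, cfg.SASL.Password))
}
```

With kafka-go the resulting `*tls.Config` goes into `kafka.Dialer{TLS: tc}` and the credentials into its `SASLMechanism` field as `plain.Mechanism{Username: ..., Password: ...}` from `github.com/segmentio/kafka-go/sasl/plain`; kafka-go then performs the handshake and sends the same initial response shown above, so the example builds it by hand only to make the cleartext-credential point concrete. The connection string embeds a SharedAccessKey, so the `password` value deserves the same handling as any other secret in the acquisition config.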
