Kafka kerberos authentication support for collector/ingester

[rubenvp8510]

Signed-off-by: Ruben Vargas ruben.vp8510@gmail.com

Which problem is this PR solving?

• Add support for Kerberos authentication to ingester/collector
• Fixes Using a kerberos secured Kafka as buffer between Jaeger and Elasticsearch #1188

Short description of the changes

• Now that sarama library has support for Kerberos authentication, this PR add support for it on the jaeger side using flags.

[codecov]

Codecov Report

Merging #1589 into master will increase coverage by 0.02%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1589      +/-   ##
==========================================
+ Coverage   98.72%   98.74%   +0.02%     
==========================================
  Files         191      191              
  Lines        9182     9190       +8     
==========================================
+ Hits         9065     9075      +10     
+ Misses         91       89       -2     
  Partials       26       26

Impacted Files	Coverage Δ
cmd/ingester/app/flags.go	100% <100%> (ø)	⬆️
plugin/storage/kafka/options.go	100% <100%> (ø)	⬆️
...lugin/sampling/strategystore/adaptive/processor.go	100% <0%> (+0.78%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5b52726...fa0e5ad. Read the comment docs.

[rubenvp8510]

I just need to test this.

[objectiser]

Just left some initial comments, as will be on PTO next week.

[objectiser]

Instead of camel case, I think most flags use hyphens (e.g. service-name). Same applies to useKeyTab and kerberosConfig.

[objectiser]

This option will already have a .kerberos prefix - so the option itself could just be named .config

[objectiser]

nit: This could be just ConfigPath

[objectiser]

Same comments as for the ingester, related to the option names.

[pavolloffay]

Is there a way to depend on a version?

[objectiser]

Hopefully a new release should be coming soon: IBM/sarama#1366 (comment)

[rubenvp8510]

This is just temporal, waiting for a new release of sarama.

[objectiser]

@pavolloffay if we don't get a sarama release soon, are we ok to release with the SHA?

[pavolloffay]

Are there more authentication mechanisms? Is so maybe we should rather have .kerberos=true

[objectiser]

Or .authentication=kerberos

[rubenvp8510]

for now, there is only one authentication mechanism which is in this case Kerberos, but Kafka (and Sarama) support others, I would say that @objectiser suggestion is the way to go, just in case that in the future we wanted more mechanisms.

[rubenvp8510]

I've already tested this with a kafka cluster configured with Kerberos. this PR is still using a commit hash, waiting for a new release of Sarama.

[objectiser]

@pavolloffay if we don't get a sarama release soon, are we ok to release with the SHA?

[objectiser]

Could you include the valid values (e.g. none, kerberos) and which is default.

[rubenvp8510]

I changed this to indicate valid values, the default value is displayed by the library that generates the help output.

This is the printed message:

--kafka.consumer.authentication string Authentication type used to authenticate with kafka cluster. e.g. none, kerberos (default "none")

[pavolloffay]

It looks good. Just some massaging comments.

The flags names should be changed for consistency and the kerberos flags could be defined in one place.

[pavolloffay]

For the consistency with other flags this should be changed .config-file.

PAN_STORAGE_TYPE=elasticsearch go run -tags ui ./cmd/all-in-one/main.go -h | grep file                                                                          11:30 
2019/06/26 11:31:02 maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined
      --collector.grpc.tls.cert string                            Path to TLS certificate file
      --collector.grpc.tls.key string                             Path to TLS key file
      --config-file string                                        Configuration file in JSON, TOML, YAML, HCL, or Java properties formats (default none). See spf13/viper for precedence.
      --es-archive.tags-as-fields.all                             (experimental) Store all span and process tags as object fields. If true .tags-as-fields.config-file is ignored. Binary tags are always stored as nested objects.
      --es-archive.tags-as-fields.config-file string              (experimental) Optional path to a file containing tag keys which will be stored as object fields. Each key should be on a separate line.
      --es-archive.tls.ca string                                  Path to TLS CA file
      --es-archive.tls.cert string                                Path to TLS certificate file
      --es-archive.tls.key string                                 Path to TLS key file
      --es-archive.token-file string                              Path to a file containing bearer token. This flag also loads CA if it is specified.
      --es.tags-as-fields.all                                     (experimental) Store all span and process tags as object fields. If true .tags-as-fields.config-file is ignored. Binary tags are always stored as nested objects.
      --es.tags-as-fields.config-file string                      (experimental) Optional path to a file containing tag keys which will be stored as object fields. Each key should be on a separate line.
      --es.tls.ca string                                          Path to TLS CA file
      --es.tls.cert string                                        Path to TLS certificate file
      --es.tls.key string                                         Path to TLS key file
      --es.token-file string                                      Path to a file containing bearer token. This flag also loads CA if it is specified.
      --query.static-files string                                 The directory path override for the static assets for the UI
      --query.ui-config string                                    The path to the UI configuration file in JSON format
      --reporter.grpc.tls.ca string                               Path to a TLS CA file. (default use the systems truststore)
      --sampling.strategies-file string                           The path for the sampling strategies file in JSON format. See sampling documentation to see format of the file

[pavolloffay]

See the previous comment - change to keytab-file

[pavolloffay]

use the DefaultKerberosConfig

[pavolloffay]

use DefaultKerberosKeyTab

[pavolloffay]

nit: reuse constant DefaultKerberosConfig?

[pavolloffay]

nit: reuse constant DefaultKerberosKeyTab?

[pavolloffay]

Instead of repeating this over, could we define it only in one place e.g. pkg/kafka/auth?

[pavolloffay]

LGTM just two nits

[pavolloffay]

nit: I would define this as array and pass to flag description:

• to avoid duplication in constants
• this way we don't forget to update help message if new auth is added

[pavolloffay]

nit: related to my previous comment, remove this and just pass authTypes[0] to flag definition

[gauravgill95]

Hi I am getting error saying Failed to init storage factory. Kafka client has run out of available brokers to talk to(Is your cluster reachable) ?
I error comes in SASL PlAINTEXT. My producer works fine in Plaintext.
Any help would be great