Support connecting to Kerberos secured Kafka #7990, updated to Kafka 0.10.1.2 #8394
Conversation
Merge from master
…Kafka Consumer API
…o Kafka 0.10.1.2
…o Kafka 0.10.1.2
|
Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please sign up at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need the corporate CLA signed. If you have received this in error or have any questions, please contact us at cla@fb.com. Thanks! |
|
@cawallin could someone on your team review this? |
pom.xml
Outdated
| @@ -56,6 +56,7 @@ | |||
| <dep.testng.version>6.10</dep.testng.version> | |||
| <dep.nifty.version>0.15.1</dep.nifty.version> | |||
| <dep.swift.version>0.15.2</dep.swift.version> | |||
| <dep.kafka-clients.version>0.10.2.1</dep.kafka-clients.version> | |||
There was a problem hiding this comment.
Don't add a property for a version that is only used in one place. We use properties for related artifacts that need to be versioned together.
There was a problem hiding this comment.
Thanks, modified as per suggestion.
presto-kafka/pom.xml
Outdated
| <groupId>joda-time</groupId> | ||
| <artifactId>joda-time</artifactId> | ||
| </dependency> | ||
|
|
||
| <!-- |
There was a problem hiding this comment.
Please delete rather than commenting out. The old version is available in the Git history. Commenting out code quickly clutters the code base.
presto-kafka/pom.xml
Outdated
| @@ -68,14 +68,20 @@ | |||
| </dependency> | |||
|
|
|||
| <dependency> | |||
| <groupId>org.apache.kafka</groupId> | |||
| <artifactId>kafka-clients</artifactId> | |||
| <version>${dep.kafka-clients.version}</version> | |||
There was a problem hiding this comment.
Add this to the dependencyManagement section in the root POM, then remove the version here. In almost all cases, versions should only be in the root POM, ensuring versions are consistent.
(Technically, this is not necessary here, because this dependency is only used in this one module, and different plugins can actually have different versions of the same library due to class loader isolation. But we follow the rule as much as possible so it's easy for everyone to understand and not wonder why there are exceptions.)
There was a problem hiding this comment.
Thanks, changes made per suggestion.
|
Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks! |
…o Kafka 0.10.1.2
|
Thanks for review comments, changes made as per suggestion. |
|
@electrum sure |
|
@madhurkumar after all these changes, will it still work with kafka 0.8? |
|
No, Kafka client versions are forward compatible not fully backward compatible. In my tests, message consumption from 0.8.2.2 broker did not work. |
There was a problem hiding this comment.
Thanks for your contribution! And sorry for the delay.
A few questions: how does this patch get the Kerberos credentials? Is it as in here http://kafka.apache.org/documentation.html#security_client_staticjaas? For Presto, we avoid setting JAAS config files; instead, we handle the security stuff using Java code. The Hive connector does this (see https://github.com/prestodb/presto/blob/master/presto-hive/src/main/java/com/facebook/presto/hive/authentication/KerberosAuthentication.java that allows you to get a Subject; you should use that Subject and wrap all calls to Kafka with doAs -- see https://github.com/airlift/airlift/blob/be20a24b5bba2c5d674a4a7280e80cf61cf3e1cc/http-client/src/main/java/io/airlift/http/client/spnego/SpnegoAuthentication.java#L111). Also, the Kafka service name should be configurable; it isn't necessarily always going to be kafka (which I'm assuming is the default).
Lastly, since you're going to update the minimum supported version of Kafka, please send an email to presto-users@googlegroups.com to see if anyone is using Presto to connect to Kafka below the new minimum supported version.
| @@ -168,4 +175,28 @@ private static HostAddress toHostAddress(String value) | |||
| { | |||
| return HostAddress.fromString(value).withDefaultPort(KAFKA_DEFAULT_PORT); | |||
| } | |||
|
|
|||
| @Config("kafka.security-protocol") | |||
| public KafkaConnectorConfig setSecurityProtocol(String securityProtocol) | |||
There was a problem hiding this comment.
This should be an enum, so that the possible values can be validated
| kafka.table-names=test | ||
| kafka.hide-internal-columns=false | ||
| kafka.security-protocol=PLAINTEXT | ||
| kafka.auto-commit=false |
|
I am using kafka 0.8 & 0.10 |
|
@gaohao It is possible to have two Kafka plugins (the Hive plugin was similar until recently), though it does add an additional maintenance cost. The more code that can be shared, the better. |
|
@cawallin It would be possible to support multiple versions with the same plugin, however the plugin would need to dynamically create a classloader for the requested kafka client version. Is there another plugin that does this as an example? |
|
The way to do this is to split up the plugin, similar to how we used to have multiple variants of the Hive connector for different Hadoop versions. The same structure still exists today.
|
|
@cawallin sorry for the delay, I checked Kafka client but it doesn't support Kerberos without JAAS file please see https://github.com/apache/kafka/blob/0.10.0/clients/src/main/java/org/apache/kafka/common/security/authenticator/AbstractLogin.java |
|
Hello @madhurkumar - I stumbled across this PR as I am attempting to use presto against a kafka cluster with SASL enabled. It looks like the most recent version of the |
Sure, make sense to remove jaas file and allow configurations through property map. |
|
Hello @madhurkumar, I was trying connecting presto to my secured Kafka which uses Sasl protocol instead plaintext. Seems I am on old version so it didn’t find all such properties mentioned in Kafka.properties Just FYI, I am currently using both jaas config and direct properties map to established secured connection. Let me know if you need example using Kafka client code. Btw, Is there any presto version for now which I can use immediate to connect secure Kafka and I won’t mind providing jaas config for temporary purpose. |
|
pls let me know |
|
Please let me know |
@nitenA you can use my fork |
Conflicts: pom.xml presto-kafka/src/main/java/com/facebook/presto/kafka/KafkaInternalFieldDescription.java presto-kafka/src/main/java/com/facebook/presto/kafka/KafkaRecordSet.java presto-kafka/src/main/java/com/facebook/presto/kafka/KafkaRecordSetProvider.java presto-kafka/src/main/java/com/facebook/presto/kafka/KafkaSimpleConsumerManager.java presto-kafka/src/main/java/com/facebook/presto/kafka/KafkaSplitManager.java
|
Thanks for all your work on this. Do you have an ETA on when these changes will be merged to master? |
|
@madhurkumar Can you also create a PR to https://github.com/prestosql/presto? We’re interested in this. |
|
This pull request has been automatically marked as stale because it has not had recent activity. If you'd still like this PR merged, please comment on the task, make sure you've addressed reviewer comments, and rebase on the latest master. Thank you for your contributions! |
Fix for #7990