From 18264ad5c448da826f0a9415e61ba9f57d8b4e53 Mon Sep 17 00:00:00 2001
From: John Kyros
Date: Wed, 25 Sep 2024 18:07:15 -0500
Subject: [PATCH] kafka: allow disabling FAST in sarama client
Our sarama client has kerberos FAST negotiation turned on by default, but there are KDCs that can't handle FAST negotiation and will fail. There is an option to configure this on the sarama client, but we didn't expose it anywhere, so users couldn't get to it. This just adds an additional auth parameter to AuthConfig to expose that configuration option so users who need to shut off FAST are able to do so.
Signed-off-by: John Kyros
---
 CHANGELOG.md | 1 +
 pkg/scalers/kafka_scaler.go | 15 +++++++++++++++
 pkg/scalers/kafka_scaler_test.go | 4 ++++
 3 files changed, 20 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index deab8a04db4..bb5b8d68281 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -74,6 +74,7 @@ Here is an overview of all new **experimental** features:
 - **GCP Scalers**: Added custom time horizon in GCP scalers ([#5778](https://github.com/kedacore/keda/issues/5778))
 - **GitHub Scaler**: Fixed pagination, fetching repository list ([#5738](https://github.com/kedacore/keda/issues/5738))
 - **Grafana dashboard**: Fix dashboard to handle wildcard scaledObject variables ([#6214](https://github.com/kedacore/keda/issues/6214))
+- **Kafka**: Allow disabling FAST negotation when using Kerberos ([#6188](https://github.com/kedacore/keda/issues/6188))
 - **Kafka**: Fix logic to scale to zero on invalid offset even with earliest offsetResetPolicy ([#5689](https://github.com/kedacore/keda/issues/5689))
 - **RabbitMQ Scaler**: Add connection name for AMQP ([#5958](https://github.com/kedacore/keda/issues/5958))
 - **Selenium Scaler**: Add Support for Username and Password Authentication ([#6144](https://github.com/kedacore/keda/issues/6144))
diff --git a/pkg/scalers/kafka_scaler.go b/pkg/scalers/kafka_scaler.go
index 48d6b3c9069..b353c1313b4 100644
--- a/pkg/scalers/kafka_scaler.go
+++ b/pkg/scalers/kafka_scaler.go
@@ -81,6 +81,7 @@ type kafkaMetadata struct {
 realm string
 kerberosConfigPath string
 kerberosServiceName string
+ kerberosDisableFAST bool
 // OAUTHBEARER
 tokenProvider kafkaSaslOAuthTokenProvider
@@ -409,6 +410,15 @@ func parseKerberosParams(config *scalersconfig.ScalerConfig, meta *kafkaMetadata
 meta.kerberosServiceName = strings.TrimSpace(config.AuthParams["kerberosServiceName"])
 }
+ meta.kerberosDisableFAST = false
+ if val, ok := config.AuthParams["kerberosDisableFAST"]; ok {
+ t, err := strconv.ParseBool(val)
+ if err != nil {
+ return fmt.Errorf("error parsing kerberosDisableFAST: %w", err)
+ }
+ meta.kerberosDisableFAST = t
+ }
+
 meta.saslType = mode
 return nil
 }
@@ -688,7 +698,12 @@ func getKafkaClientConfig(ctx context.Context, metadata kafkaMetadata) (*sarama.
 config.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
 config.Net.SASL.GSSAPI.Password = metadata.password
 }
+
+ if metadata.kerberosDisableFAST {
+ config.Net.SASL.GSSAPI.DisablePAFXFAST = true
+ }
 }
+
 return config, nil
 }
diff --git a/pkg/scalers/kafka_scaler_test.go b/pkg/scalers/kafka_scaler_test.go
index 57a3f95eba9..fe42e28995c 100644
--- a/pkg/scalers/kafka_scaler_test.go
+++ b/pkg/scalers/kafka_scaler_test.go
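Review bot: In parseKerberosParams the new `strconv.ParseBool(val)` receives the raw auth-param value, while the neighbouring `kerberosServiceName` goes through `strings.TrimSpace`. A value carrying a trailing newline or surrounding spaces, for example one read from a secret, would therefore fail scaler setup with a parse error. Trimming first keeps the two parameters consistent: `t, err := strconv.ParseBool(strings.TrimSpace(val))`. The error returned by ParseBool quotes the rejected input, so wrapping it with `%w` copies the auth-param value into the scaler error. That is harmless for a flag, but a mis-mapped secret key would be echoed the same way, so a fixed message without the value is the safer choice. The function body starts outside the hunk.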
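Review bot: The new `if metadata.kerberosDisableFAST` block in getKafkaClientConfig carries no comment marking it as a security-relevant opt-out, and nothing visible in the hunk records when it takes effect. I would add `// FAST negotiation stays on by default; disable it only for KDCs that cannot handle it (kerberosDisableFAST auth param).` above the block. A log line when the flag is set would also make the weakened setting visible in an audit. The three-line conditional can be the single assignment `config.Net.SASL.GSSAPI.DisablePAFXFAST = metadata.kerberosDisableFAST`. The function body starts outside the hunk.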
@@ -209,6 +209,10 @@ var parseKafkaAuthParamsTestDataset = []parseKafkaAuthParamsTestData{
 {map[string]string{"sasl": "gssapi", "username": "admin", "password": "admin", "kerberosConfig": "", "tls": "enable", "ca": "caaa", "cert": "ceert", "key": "keey"}, true, false},
 // failure, SASL GSSAPI/keytab + TLS missing username
 {map[string]string{"sasl": "gssapi", "keytab": "/path/to/keytab", "kerberosConfig": "", "realm": "tst.com", "tls": "enable", "ca": "caaa", "cert": "ceert", "key": "keey"}, true, false},
+ // success, SASL GSSAPI/disableFast
+ {map[string]string{"sasl": "gssapi", "username": "admin", "keytab": "/path/to/keytab", "kerberosConfig": "", "realm": "tst.com", "kerberosDisableFAST": "true"}, false, false},
+ // failure, SASL GSSAPI/disableFast incorrect
+ {map[string]string{"sasl": "gssapi", "username": "admin", "keytab": "/path/to/keytab", "kerberosConfig": "", "realm": "tst.com", "kerberosDisableFAST": "notabool"}, true, false},
 }
 var parseAuthParamsTestDataset = []parseAuthParamsTestDataSecondAuthMethod{
 // success, SASL plaintext
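Review bot: The two added rows cover only `"true"` and an unparsable value, and judging by the row shape (`false, false` / `true, false`) they appear to assert only whether parsing returns an error, not the resulting field. Nothing here checks that `kerberosDisableFAST` ends up `true` in the parsed metadata, that `"false"` or an absent key leaves FAST enabled, or that getKafkaClientConfig sets `DisablePAFXFAST`. Since the default keeps FAST on, a row with `"kerberosDisableFAST": "false"` plus an assertion on the parsed value would guard against an accidental inversion of the flag. The dataset literal begins outside the hunk.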