[CORE-8436]: Add support for SASL/PLAIN #24525
Conversation
Pure refactor, no change in behaviour. Signed-off-by: Ben Pope <ben@redpanda.com>
michael-redpanda
requested review from
a team and
pgellert
and removed request for
a team
michael-redpanda
changed the title
michael-redpanda
force-pushed
the
sasl-plain/core-8407
branch
from
fe74778 to
ea25a3f
Compare
|
Force push
|
| if (supports("PLAIN")) { | ||
| supported_sasl_mechanisms.emplace_back( | ||
| security::plain_authenticator::name); | ||
| if (request.data.mechanism == security::plain_authenticator::name) { | ||
| ctx.sasl()->set_mechanism( | ||
| std::make_unique<security::plain_authenticator>( | ||
| ctx.credentials())); | ||
| } | ||
| } |
There was a problem hiding this comment.
discussion: Getting clarification from REQ-01. Not sure if the wording was wrong or if PLAIN implies also enabling SCRAM.
There was a problem hiding this comment.
Is it "{PLAIN} implies {PLAIN, SCRAM}" or "{PLAIN} without SCRAM is invalid" or "{PLAIN} implies only {PLAIN} on the kafka procotol, but you can still manage SCRAM users through the admin API"?
There was a problem hiding this comment.
PLAIN means enable PLAIN. One other secure mechanism must be explicitly enabled.
michael-redpanda
force-pushed
the
sasl-plain/core-8407
branch
from
ea25a3f to
7771b04
Compare
|
Force push
|
|
non flaky failures in https://buildkite.com/redpanda/redpanda/builds/59603#0193b6b2-1bf2-4981-b99e-25425073658b: non flaky failures in https://buildkite.com/redpanda/redpanda/builds/59603#0193b6b2-1bf0-4bbb-97af-594a8376f0df: |
Retry command for Build#59603please wait until all jobs are finished before running the slash command |
|
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/59603#0193b6b2-1bf2-4981-b99e-25425073658b |
|
the below tests from https://buildkite.com/redpanda/redpanda/builds/59656#0193bb20-bbaa-4494-87a5-ce21272fd252 have failed and will be retried |
| EXPECT_EQ(res.assume_error(), security::errc::invalid_credentials); | ||
| EXPECT_FALSE(authn->complete()); | ||
| EXPECT_TRUE(authn->failed()); | ||
| } |
There was a problem hiding this comment.
Possibly missing a test for invalid utf-8
There was a problem hiding this comment.
you're an invalid utf8
There was a problem hiding this comment.
Fair, but the character is not rendered or pronounced, so nobody has noticed yet.
| @@ -124,6 +124,12 @@ validate_sasl_mechanisms(const std::vector<ss::sstring>& mechanisms) { | |||
| return ssx::sformat("'{}' is not a supported SASL mechanism", m); | |||
| } | |||
| } | |||
|
|
|||
| if (mechanisms.size() == 1 && mechanisms[0] == "PLAIN") { | |||
There was a problem hiding this comment.
Is the condition supposed to be "at least one other" or "at least SCRAM as well"?
There was a problem hiding this comment.
Is the condition supposed to be "at least one other" or "at least SCRAM as well"?
From SUCCESS-02: "We will not support a cluster configured with only a PLAIN mechanism", which I understand to mean that at least one other secure mechanism is required, which includes all of the others; SCRAM,OAUTHBEARER, GSSAPI.
There was a problem hiding this comment.
The preceding sentence of SUCCESS-02 is "Users only need to create a single account to support either SCRAM or PLAIN authentication." which makes me think that it is SCRAM specifically that's also required. I think it's worth asking @deniscoady to see what he meant here. (I'd comment on the PRD, but I don't have access.)
There was a problem hiding this comment.
"Users only need to create a single account to support either SCRAM or PLAIN authentication.",
SCRAM Users are the single source of truth for users which are managed internally. Historically I've pushed for them to be named "SCRAM Uses" over "SASL Users" (c.f., SASL/OAUTHBEARER, SASL/GSSAPI, which are managed externally), but although they are created as SCRAM users, they are supported via HTTP Basic Auth, and now, via SASL/PLAIN.
There was a problem hiding this comment.
Right, I've got that. I guess what I'm trying to say is that it's not clear to me is whether the goal is:
(a) For Redpanda to be opinionated and nudge customers to enable at least one secure sasl mechanism, or
(b) For Redpanda to signal that SCRAM users and SASL users are the same so you probably want to enable SCRAM as well if you enable PLAIN.
If (a), then this implementation makes sense. But I think (b) would also be reasonable, given that I would expect most customers to use PLAIN while migrating over to Redpanda and away from PLAIN over to SCRAM. In that case, I think they would start by enabling PLAIN+SCRAM, then migrate, and finally disable PLAIN.
There was a problem hiding this comment.
I discussed with @deniscoady and I think we may modify this requirement slightly to make it so if you enable PLAIN you must also enable SCRAM. This impacts our internal clients (PP/SR/Auditing) so I think this is reasonable.
| if (supports("PLAIN")) { | ||
| supported_sasl_mechanisms.emplace_back( | ||
| security::plain_authenticator::name); | ||
| if (request.data.mechanism == security::plain_authenticator::name) { | ||
| ctx.sasl()->set_mechanism( | ||
| std::make_unique<security::plain_authenticator>( | ||
| ctx.credentials())); | ||
| } | ||
| } |
There was a problem hiding this comment.
Is it "{PLAIN} implies {PLAIN, SCRAM}" or "{PLAIN} without SCRAM is invalid" or "{PLAIN} implies only {PLAIN} on the kafka procotol, but you can still manage SCRAM users through the admin API"?
| EXPECT_EQ(res.assume_error(), security::errc::invalid_credentials); | ||
| EXPECT_FALSE(authn->complete()); | ||
| EXPECT_TRUE(authn->failed()); | ||
| } |
There was a problem hiding this comment.
Should we add a test that makes some assertions on the audit user as well?
There was a problem hiding this comment.
@pgellert what are you looking for irt to those?
There was a problem hiding this comment.
Just a simple test that verifies that the audit user's name is properly set on success. If you think it's too granular, I'm fine with that, but it would be a sanity check to ensure that the audit user is updated.
Optimise the password validation when SCRAM-SHA-512 is in use, by avoiding the validation against SCRAM-SHA-256 that will fail. Signed-off-by: Ben Pope <ben@redpanda.com>
SUCCESS-02 Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Ben Pope <ben@redpanda.com>
No change in behaviour Signed-off-by: Ben Pope <ben@redpanda.com>
michael-redpanda
force-pushed
the
sasl-plain/core-8407
branch
from
7ac13ca to
f051233
Compare
|
Force push
|
Retry command for Build#59821please wait until all jobs are finished before running the slash command |
CI test resultstest results on build#59821
test results on build#59923
|
There was a problem hiding this comment.
lgtm (If we do change the requirement discussed in 08d63c9#r1887547776 then that will need another change to this PR but otherwise lgtm.)
That or we will file another PR. There's discussions on adding metrics and we have plenty of time until release. |
| std::chrono::seconds{std::stoi(interval_override)}); | ||
| vlog( | ||
| clusterlog.info, | ||
| "Overriding default license log annoy interval to: {}s", | ||
| license_check_retry.count()); | ||
| "Overriding default reminder period interval to: {}s", |
There was a problem hiding this comment.
It's probably worth extracting out the duplicate _license_nag_is_set functions.
There was a problem hiding this comment.
Oh I missed changing those as well
michael-redpanda
force-pushed
the
sasl-plain/core-8407
branch
from
f051233 to
9dec947
Compare
|
Force push
|
REQ-02 Signed-off-by: Ben Pope <ben@redpanda.com>
Renamed `__REDPANDA_LICENSE_CHECK_INTERVAL_SEC` with `__REDPANDA_PERIODIC_REMINDER_INTERVAL_SEC` to better reflect what messages this environmental variable is controlling. Signed-off-by: Michael Boquard <michael@redpanda.com>
This change allows for the selection of SASL/PLAIN as an authentication method using the Python RdKafka library. Signed-off-by: Michael Boquard <michael@redpanda.com>
Signed-off-by: Michael Boquard <michael@redpanda.com>
Added SASL/PLAIN verification tests for: * KCL * RPK * Python RdKafka * Kafka CLI tools Validated that both SCRAM-256 and SCRAM-512 users worked. Fixes: CORE-8458 Fixes: CORE-8459 Fixes: CORE-8460 Tested that a log message appears when SASL/PLAIN is enabled and that PLAIN cannot be the only SASL mechanism in the mechanisms list. Signed-off-by: Michael Boquard <michael@redpanda.com>
Signed-off-by: Michael Boquard <michael@redpanda.com>
michael-redpanda
force-pushed
the
sasl-plain/core-8407
branch
from
9dec947 to
98d6056
Compare
|
Force push
|
Retry command for Build#59923please wait until all jobs are finished before running the slash command |
Adds support for SASL/PLAIN authentication mechanism.
Configuration
Adds
"PLAIN"as a valid entry in thesasl_mechanismscluster config list.Caveats
"PLAIN"cannot be the only entry in thesasl_mechanismslist. Redpanda will log either atwarnwhen"PLAIN"is enabled. Will log aterrif"PLAIN"is enabled and TLS is not enabled on any interface.Fixes: CORE-8436
Fixes: CORE-8458
Fixes: CORE-8459
Fixes: CORE-8460
Todo:
"PLAIN"only is an errorBackports Required
Release Notes
Features
"PLAIN"to thesasl_mechanismscluster configuration list