Expose kerberos fast negotiation configuration #1466

Merged
merged 2 commits into from May 22, 2020
1 change: 1 addition & 0 deletions gssapi_kerberos.go
Expand Up @@ -34,6 +34,7 @@ type GSSAPIConfig struct {
Username string
Password string
Realm string
DisablePAFXFAST bool
Contributor


I'm seeing some tests for this API in sarama/kerberos_client_test.go; it might be worth adding a test that includes DisablePAFXFAST

}

type GSSAPIKerberosAuth struct {
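Review bot: The new exported field `DisablePAFXFAST` on GSSAPIConfig carries no doc comment, and it is a negative flag on an authentication setting, so a reader cannot tell from the struct what the default is or what is given up by setting it. I would add something like `// DisablePAFXFAST turns off Kerberos FAST negotiation (PA-FX-FAST) in the client; the zero value leaves it enabled.` and one sentence on when setting it is appropriate, presumably for KDCs that do not support FAST negotiation. The struct definition starts above this hunk, so the comment should follow whatever style the earlier fields use.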
15 changes: 5 additions & 10 deletions kerberos_client.go
Expand Up @@ -19,14 +19,9 @@ func (c *KerberosGoKrb5Client) CName() types.PrincipalName {
return c.Credentials.CName()
}

/*
*
* Create kerberos client used to obtain TGT and TGS tokens
* used gokrb5 library, which is a pure go kerberos client with
* some GSS-API capabilities, and SPNEGO support. Kafka does not use SPNEGO
* it uses pure Kerberos 5 solution (RFC-4121 and RFC-4120).
*
*/
// NewKerberosClient creates kerberos client used to obtain TGT and TGS tokens.
// It uses pure go Kerberos 5 solution (RFC-4121 and RFC-4120).
// uses gokrb5 library underlying which is a pure go kerberos client with some GSS-API capabilities.
func NewKerberosClient(config *GSSAPIConfig) (KerberosClient, error) {
cfg, err := krb5config.Load(config.KerberosConfigPath)
if err != nil {
Expand All @@ -42,10 +37,10 @@ func createClient(config *GSSAPIConfig, cfg *krb5config.Config) (KerberosClient,
if err != nil {
return nil, err
}
client = krb5client.NewClientWithKeytab(config.Username, config.Realm, kt, cfg)
client = krb5client.NewClientWithKeytab(config.Username, config.Realm, kt, cfg, krb5client.DisablePAFXFAST(config.DisablePAFXFAST))
Contributor


and now that you're modifying this file, could you please update the NewKerberosClient func comment to make it go friendly

image

Contributor Author


Sure I'll do! I'm new using golang, so thanks for pointing me to the conventions.

} else {
client = krb5client.NewClientWithPassword(config.Username,
config.Realm, config.Password, cfg)
config.Realm, config.Password, cfg, krb5client.DisablePAFXFAST(config.DisablePAFXFAST))
}
return &KerberosGoKrb5Client{*client}, nil
}
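Review bot: The option `krb5client.DisablePAFXFAST(config.DisablePAFXFAST)` is spelled out separately in the keytab branch and the password branch of createClient, so a later client setting can easily be added to one authentication path and missed on the other. Building it once before the branch, `fastOpt := krb5client.DisablePAFXFAST(config.DisablePAFXFAST)`, and passing `fastOpt` to both constructors keeps the two paths identical by construction. Separately, the third line of the new NewKerberosClient comment starts mid-sentence (`// uses gokrb5 library underlying ...`) and would read better as `// It is built on the gokrb5 library, a pure Go Kerberos client with some GSS-API capabilities.` createClient begins outside the visible hunk.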
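--- a/kerberos_client_test.go
+++ b/kerberos_client_test.go
@@ -84,3 +84,27 @@ func TestCreateWithKeyTab(t *testing.T) {
 t.Errorf("Expected error:%s, got:%s.", err, expectedErr)
 }
 }
+
+func TestCreateWithDisablePAFXFAST(t *testing.T) {
+kerberosConfig, err := krbcfg.NewConfigFromString(testdata.TEST_KRB5CONF)
+if err != nil {
+t.Fatal(err)
+}
+// Expect to try to create a client with keytab and fails with "o such file or directory" error
+expectedErr := errors.New("open nonexist.keytab: no such file or directory")
+clientConfig := NewConfig()
+clientConfig.Net.SASL.Mechanism = SASLTypeGSSAPI
+clientConfig.Net.SASL.Enable = true
+clientConfig.Net.SASL.GSSAPI.ServiceName = "kafka"
+clientConfig.Net.SASL.GSSAPI.Realm = "EXAMPLE.COM"
+clientConfig.Net.SASL.GSSAPI.Username = "client"
+clientConfig.Net.SASL.GSSAPI.AuthType = KRB5_KEYTAB_AUTH
+clientConfig.Net.SASL.GSSAPI.KeyTabPath = "nonexist.keytab"
+clientConfig.Net.SASL.GSSAPI.KerberosConfigPath = "/etc/krb5.conf"
+clientConfig.Net.SASL.GSSAPI.DisablePAFXFAST = true
+
+_, err = createClient(&clientConfig.Net.SASL.GSSAPI, kerberosConfig)
+if err.Error() != expectedErr.Error() {
+t.Errorf("Expected error:%s, got:%s.", err, expectedErr)
+}
+}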
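Review bot: TestCreateWithDisablePAFXFAST does not exercise the new flag: it expects createClient to fail on the missing `nonexist.keytab`, which in the keytab branch appears to happen before the client constructor is called, so the test would still pass if `DisablePAFXFAST` were ignored. A case that reaches a constructor (the password auth type appears to need no file) would at least cover the new argument. The assertion also calls `err.Error()` without a nil check, so an unexpected success panics instead of failing; add `if err == nil { t.Fatal("expected keytab load error, got nil") }` before it. The `t.Errorf` arguments are in the wrong order for the message and should be `expectedErr, err`, and the comment reads "o such file" where "no such file" is meant.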