Merge pull request #1 from swythan/26345_kafka_DisablePAFXFAST

Expose `disable_fast_negotiation` for kafka `krb5` auth method

.chloggen/kafka_disable_fast_negotiation.yaml

@@ -0,0 +1,18 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: kafka
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Added `disable_fast_negotiation` config option for kafka kerberos authentication
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [26345]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:  This allows `PA_FX_FAST` negotiation to be disabled.

exporter/kafkaexporter/README.md

@@ -66,6 +66,7 @@ The following settings can be optionally configured:
     - `password`: The Kerberos password used for authenticate with KDC
     - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf
     - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab
+    - `disable_fast_negotiation`: Disable FAST pre-authentication framework. Some common Kerberos implementations do not support FAST negotiation.  
 - `metadata`
   - `full` (default = true): Whether to maintain a full set of metadata. When
     disabled, the client does not make the initial request to broker at the

exporter/kafkaexporter/authentication.go

@@ -51,15 +51,16 @@ type AWSMSKConfig struct {
 	BrokerAddr string `mapstructure:"broker_addr"`
 }
 
-// KerberosConfig defines kereros configuration.
+// KerberosConfig defines kerberos configuration.
 type KerberosConfig struct {
-	ServiceName string `mapstructure:"service_name"`
-	Realm       string `mapstructure:"realm"`
-	UseKeyTab   bool   `mapstructure:"use_keytab"`
-	Username    string `mapstructure:"username"`
-	Password    string `mapstructure:"password" json:"-"`
-	ConfigPath  string `mapstructure:"config_file"`
-	KeyTabPath  string `mapstructure:"keytab_file"`
+	ServiceName     string `mapstructure:"service_name"`
+	Realm           string `mapstructure:"realm"`
+	UseKeyTab       bool   `mapstructure:"use_keytab"`
+	Username        string `mapstructure:"username"`
+	Password        string `mapstructure:"password" json:"-"`
+	ConfigPath      string `mapstructure:"config_file"`
+	KeyTabPath      string `mapstructure:"keytab_file"`
+	DisablePAFXFAST bool   `mapstructure:"disable_fast_negotiation"`
 }
 
 // ConfigureAuthentication configures authentication in sarama.Config.
@@ -158,4 +159,5 @@ func configureKerberos(config KerberosConfig, saramaConfig *sarama.Config) {
 	saramaConfig.Net.SASL.GSSAPI.Username = config.Username
 	saramaConfig.Net.SASL.GSSAPI.Realm = config.Realm
 	saramaConfig.Net.SASL.GSSAPI.ServiceName = config.ServiceName
+	saramaConfig.Net.SASL.GSSAPI.DisablePAFXFAST = config.DisablePAFXFAST
 }

exporter/kafkaexporter/authentication_test.go

@@ -56,12 +56,21 @@ func TestAuthentication(t *testing.T) {
 	saramaKerberosCfg.Net.SASL.Enable = true
 	saramaKerberosCfg.Net.SASL.GSSAPI.ServiceName = "foobar"
 	saramaKerberosCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
+	saramaKerberosCfg.Net.SASL.GSSAPI.DisablePAFXFAST = false
+
+	saramaKerberosCfgNoFast := &sarama.Config{}
+	saramaKerberosCfgNoFast.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
+	saramaKerberosCfgNoFast.Net.SASL.Enable = true
+	saramaKerberosCfgNoFast.Net.SASL.GSSAPI.ServiceName = "foobar"
+	saramaKerberosCfgNoFast.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
+	saramaKerberosCfgNoFast.Net.SASL.GSSAPI.DisablePAFXFAST = true
 
 	saramaKerberosKeyTabCfg := &sarama.Config{}
 	saramaKerberosKeyTabCfg.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
 	saramaKerberosKeyTabCfg.Net.SASL.Enable = true
 	saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.KeyTabPath = "/path"
 	saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_KEYTAB_AUTH
+	saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.DisablePAFXFAST = false
 
 	tests := []struct {
 		auth         Authentication
@@ -87,6 +96,10 @@ func TestAuthentication(t *testing.T) {
 			auth:         Authentication{Kerberos: &KerberosConfig{ServiceName: "foobar"}},
 			saramaConfig: saramaKerberosCfg,
 		},
+		{
+			auth:         Authentication{Kerberos: &KerberosConfig{ServiceName: "foobar", DisablePAFXFAST: true}},
+			saramaConfig: saramaKerberosCfgNoFast,
+		},
 		{
 			auth:         Authentication{Kerberos: &KerberosConfig{UseKeyTab: true, KeyTabPath: "/path"}},
 			saramaConfig: saramaKerberosKeyTabCfg,

receiver/kafkametricsreceiver/README.md

@@ -61,7 +61,7 @@ Optional Settings (with defaults):
         - `password`: The Kerberos password used for authenticate with KDC
         - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf
         - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab
-
+        - `disable_fast_negotiation`: Disable FAST pre-authentication framework. Some common Kerberos implementations do not support FAST negotiation.
 ## Examples:
 
 1) Basic configuration with all scrapers:

receiver/kafkareceiver/README.md

@@ -73,6 +73,7 @@ The following settings can be optionally configured:
     - `password`: The Kerberos password used for authenticate with KDC
     - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf
     - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab
+    - `disable_fast_negotiation`: Disable FAST pre-authentication framework. Some common Kerberos implementations do not support FAST negotiation.
 - `metadata`
   - `full` (default = true): Whether to maintain a full set of metadata. When
     disabled, the client does not make the initial request to broker at the