Add *.kerberos.disable-fast-negotiation option to Kafka consumer (#4520)

## Which problem is this PR solving? - Solves #2744 ## Short description of the changes - Added a variable in KerberosConfig struct and configured it - Added flags and the configuration for the same --------- Signed-off-by: bugslayer-332 <ayashwanth9503@gmail.com> Signed-off-by: Yuri Shkuro <github@ysh.us> Co-authored-by: bugslayer-332 <ayashwanth9503@gmail.com> Co-authored-by: Yuri Shkuro <github@ysh.us>
jaegertracing · Jun 11, 2023 · 71290f4 · 71290f4
1 parent 557bb1c
commit 71290f4
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 22 deletions.
diff --git a/pkg/kafka/auth/config.go b/pkg/kafka/auth/config.go
@@ -84,6 +84,7 @@ func (config *AuthenticationConfig) InitFromViper(configPrefix string, v *viper.
 	config.Kerberos.Password = v.GetString(configPrefix + kerberosPrefix + suffixKerberosPassword)
 	config.Kerberos.ConfigPath = v.GetString(configPrefix + kerberosPrefix + suffixKerberosConfig)
 	config.Kerberos.KeyTabPath = v.GetString(configPrefix + kerberosPrefix + suffixKerberosKeyTab)
+	config.Kerberos.DisablePAFXFast = v.GetBool(configPrefix + kerberosPrefix + suffixKerberosDisablePAFXFAST)
 
 	tlsClientConfig := tlscfg.ClientFlagsConfig{
 		Prefix: configPrefix,

diff --git a/pkg/kafka/auth/kerberos.go b/pkg/kafka/auth/kerberos.go
@@ -20,13 +20,14 @@ import (
 
 // KerberosConfig describes the configuration properties needed for Kerberos authentication with kafka consumer
 type KerberosConfig struct {
-	ServiceName string `mapstructure:"service_name"`
-	Realm       string `mapstructure:"realm"`
-	UseKeyTab   bool   `mapstructure:"use_keytab"`
-	Username    string `mapstructure:"username"`
-	Password    string `mapstructure:"password" json:"-"`
-	ConfigPath  string `mapstructure:"config_file"`
-	KeyTabPath  string `mapstructure:"keytab_file"`
+	ServiceName     string `mapstructure:"service_name"`
+	Realm           string `mapstructure:"realm"`
+	UseKeyTab       bool   `mapstructure:"use_keytab"`
+	Username        string `mapstructure:"username"`
+	Password        string `mapstructure:"password" json:"-"`
+	ConfigPath      string `mapstructure:"config_file"`
+	KeyTabPath      string `mapstructure:"keytab_file"`
+	DisablePAFXFast bool   `mapstructure:"disable_pa_fx_fast"`
 }
 
 func setKerberosConfiguration(config *KerberosConfig, saramaConfig *sarama.Config) {
@@ -43,4 +44,5 @@ func setKerberosConfiguration(config *KerberosConfig, saramaConfig *sarama.Confi
 	saramaConfig.Net.SASL.GSSAPI.Username = config.Username
 	saramaConfig.Net.SASL.GSSAPI.Realm = config.Realm
 	saramaConfig.Net.SASL.GSSAPI.ServiceName = config.ServiceName
+	saramaConfig.Net.SASL.GSSAPI.DisablePAFXFAST = config.DisablePAFXFast
 }
diff --git a/pkg/kafka/auth/options.go b/pkg/kafka/auth/options.go
@@ -26,22 +26,24 @@ const (
 	defaultAuthentication = none
 
 	// Kerberos configuration options
-	kerberosPrefix            = ".kerberos"
-	suffixKerberosServiceName = ".service-name"
-	suffixKerberosRealm       = ".realm"
-	suffixKerberosUseKeyTab   = ".use-keytab"
-	suffixKerberosUsername    = ".username"
-	suffixKerberosPassword    = ".password"
-	suffixKerberosConfig      = ".config-file"
-	suffixKerberosKeyTab      = ".keytab-file"
+	kerberosPrefix                = ".kerberos"
+	suffixKerberosServiceName     = ".service-name"
+	suffixKerberosRealm           = ".realm"
+	suffixKerberosUseKeyTab       = ".use-keytab"
+	suffixKerberosUsername        = ".username"
+	suffixKerberosPassword        = ".password"
+	suffixKerberosConfig          = ".config-file"
+	suffixKerberosKeyTab          = ".keytab-file"
+	suffixKerberosDisablePAFXFAST = ".disable-fast-negotiation"
 
-	defaultKerberosConfig      = "/etc/krb5.conf"
-	defaultKerberosUseKeyTab   = false
-	defaultKerberosServiceName = "kafka"
-	defaultKerberosRealm       = ""
-	defaultKerberosPassword    = ""
-	defaultKerberosUsername    = ""
-	defaultKerberosKeyTab      = "/etc/security/kafka.keytab"
+	defaultKerberosConfig          = "/etc/krb5.conf"
+	defaultKerberosUseKeyTab       = false
+	defaultKerberosServiceName     = "kafka"
+	defaultKerberosRealm           = ""
+	defaultKerberosPassword        = ""
+	defaultKerberosUsername        = ""
+	defaultKerberosKeyTab          = "/etc/security/kafka.keytab"
+	defaultKerberosDisablePAFXFast = false
 
 	plainTextPrefix          = ".plaintext"
 	suffixPlainTextUsername  = ".username"
@@ -82,6 +84,10 @@ func addKerberosFlags(configPrefix string, flagSet *flag.FlagSet) {
 		configPrefix+kerberosPrefix+suffixKerberosKeyTab,
 		defaultKerberosKeyTab,
 		"Path to keytab file. i.e /etc/security/kafka.keytab")
+	flagSet.Bool(
+		configPrefix+kerberosPrefix+suffixKerberosDisablePAFXFAST,
+		defaultKerberosDisablePAFXFast,
+		"Disable FAST negotiation when not supported by KDC's like Active Directory. See https://github.com/jcmturner/gokrb5/blob/master/USAGE.md#active-directory-kdc-and-fast-negotiation.")
 }
 
 func addPlainTextFlags(configPrefix string, flagSet *flag.FlagSet) {