
Commit d586819

authored
feat(kafka-logger): add support for scram for authentication (#12693)
1 parent 73618d4 commit d586819

8 files changed

+363
-4
lines changed


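--- a/apisix/plugins/kafka-logger.lua
+++ b/apisix/plugins/kafka-logger.lua
@@ -77,7 +77,7 @@ local schema = {
 mechanism = {
 type = "string",
 default = "PLAIN",
-enum = {"PLAIN"},
+enum = {"PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512"},
 },
 user = { type = "string", description = "user" },
 password = { type = "string", description = "password" },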
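Review bot: The enum now admits SCRAM-SHA-256 and SCRAM-SHA-512, but `mechanism` remains the only field of `sasl_config` without a `description`, so nothing tells an operator why to pick one mechanism over another; I would add `description = "SASL mechanism. SCRAM-SHA-256/512 never send the password itself over the connection and should be preferred over PLAIN, which depends entirely on TLS to the broker."`. Whether `password` is registered among the plugin's encrypted fields is outside this hunk and worth confirming now that it holds a long-lived SCRAM credential. The documentation updates in this commit are uneven: docs/en kafka-logger.md and docs/zh error-log-logger.md change, while the matching docs/zh kafka-logger.md and docs/en error-log-logger.md do not, and no error-log-logger schema change is visible (the page lists 8 files but shows 7, so one may be missing). The `schema` table starts and ends outside the hunk.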

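--- a/ci/init-plugin-test-service.sh
+++ b/ci/init-plugin-test-service.sh
@@ -20,7 +20,15 @@ after() {
 docker exec -i apache-apisix-kafka-server1-1 /opt/bitnami/kafka/bin/kafka-topics.sh --create --zookeeper zookeeper-server1:2181 --replication-factor 1 --partitions 1 --topic test2
 docker exec -i apache-apisix-kafka-server1-1 /opt/bitnami/kafka/bin/kafka-topics.sh --create --zookeeper zookeeper-server1:2181 --replication-factor 1 --partitions 3 --topic test3
 docker exec -i apache-apisix-kafka-server2-1 /opt/bitnami/kafka/bin/kafka-topics.sh --create --zookeeper zookeeper-server2:2181 --replication-factor 1 --partitions 1 --topic test4
-
+docker exec -i apache-apisix-kafka-server3-scram-1 /opt/bitnami/kafka/bin/kafka-topics.sh --create --zookeeper zookeeper-server3:2181 --replication-factor 1 --partitions 1 --topic test-scram-256
+docker exec -i apache-apisix-kafka-server3-scram-1 /opt/bitnami/kafka/bin/kafka-topics.sh --create --zookeeper zookeeper-server3:2181 --replication-factor 1 --partitions 1 --topic test-scram-512
+# Create user with SCRAM-SHA-512
+docker exec apache-apisix-kafka-server3-scram-1 /opt/bitnami/kafka/bin/kafka-configs.sh \
+--zookeeper zookeeper-server3:2181 \
+--alter \
+--add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' \
+--entity-type users \
+--entity-name admin
 # prepare openwhisk env
 docker pull openwhisk/action-nodejs-v14:1.20.0
 docker run --rm -d --name openwhisk -p 3233:3233 -p 3232:3232 -v /var/run/docker.sock:/var/run/docker.sock openwhisk/standalone:1.0.0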
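Review bot: The comment `# Create user with SCRAM-SHA-512` is inaccurate: the `--add-config` that follows registers both a SCRAM-SHA-256 and a SCRAM-SHA-512 credential for `admin`, and the two topics `test-scram-256`/`test-scram-512` created just above suggest both are exercised. I would change it to `# Register CI user "admin" with SCRAM-SHA-256 and SCRAM-SHA-512 credentials (throwaway test fixture)`. The password `admin-secret` is now duplicated between this script and the JAAS file the compose file mounts into the broker; a single variable near the top of the script would keep the two from drifting. The `kafka-configs.sh` invocation also drops the `-i` flag that every other `docker exec` in this block passes, which is harmless but inconsistent. The enclosing `after()` function starts outside the hunk.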

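--- a/ci/pod/docker-compose.plugin.yml
+++ b/ci/pod/docker-compose.plugin.yml
@@ -80,6 +80,16 @@ services:
 networks:
 kafka_net:
 
+zookeeper-server3:
+image: bitnamilegacy/zookeeper:3.6.0
+env_file:
+- ci/pod/kafka/zookeeper-server/env/common.env
+restart: unless-stopped
+ports:
+- "12182:12181"
+networks:
+kafka_net_2:
+
 kafka-server1:
 image: bitnamilegacy/kafka:2.8.1
 env_file:
@@ -113,6 +123,25 @@ services:
 volumes:
 - ./ci/pod/kafka/kafka-server/kafka_jaas.conf:/opt/bitnami/kafka/config/kafka_jaas.conf:ro
 
+kafka-server3-scram:
+image: bitnamilegacy/kafka:2.8.1
+env_file:
+- ci/pod/kafka/kafka-server/env/common3-scram.env
+environment:
+KAFKA_CFG_ZOOKEEPER_CONNECT: zookeeper-server3:2181
+restart: unless-stopped
+ports:
+- "29092:29092" # PLAINTEXT for inter-broker communication
+- "29094:29094" # SASL_SCRAM for clients
+depends_on:
+- zookeeper-server1
+- zookeeper-server2
+- zookeeper-server3
+networks:
+kafka_net_2:
+volumes:
+- ./ci/pod/kafka/kafka-server/kafka_scram_jaas.conf:/opt/bitnami/kafka/config/kafka_jaas.conf:ro
+
 ## SkyWalking
 skywalking:
 image: apache/skywalking-oap-server:8.7.0-es6
@@ -392,6 +421,7 @@ services:
 networks:
 apisix_net:
 kafka_net:
+kafka_net_2:
 skywalk_net:
 rocketmq_net:
 opa_net: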
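Review bot: `kafka-server3-scram` publishes `29092:29092` to the host although the inline comment says that listener exists for inter-broker communication, and the env file in this commit declares it as `PLAINTEXT`, i.e. unauthenticated; exposing it means a test could reach the "SCRAM" broker without ever authenticating and still pass. Since the broker is single-node I would drop `- "29092:29092"` from `ports` (or move it under `expose:`) and keep only `- "29094:29094"`. The `depends_on` list also names `zookeeper-server1` and `zookeeper-server2`, which are on `kafka_net` while this broker is only on `kafka_net_2` and connects to `zookeeper-server3:2181`; `depends_on: - zookeeper-server3` is all that is needed. The mapping `"12182:12181"` for `zookeeper-server3` targets container port 12181 while the broker dials 2181, so it only works if `common.env` sets `ZOO_PORT_NUMBER` the way the existing zookeeper-server1/2 entries (outside the hunk) presumably rely on — worth confirming rather than copying.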
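--- /dev/null
+++ b/ci/pod/kafka/kafka-server/env/common3-scram.env
@@ -0,0 +1,20 @@
+ALLOW_PLAINTEXT_LISTENER=yes
+KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=false
+
+# CORRECTED: Use SASL_PLAINTEXT protocol with SCRAM mechanism
+KAFKA_CFG_LISTENERS=PLAINTEXT://0.0.0.0:29092,SASL_PLAINTEXT://0.0.0.0:29094
+KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://kafka-server3-scram:29092,SASL_PLAINTEXT://127.0.0.1:29094
+
+# SCRAM-specific configuration
+KAFKA_CFG_SASL_ENABLED_MECHANISMS=SCRAM-SHA-256,SCRAM-SHA-512
+KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAINTEXT
+
+# Security protocol for inter-broker communication (since it's a single-node cluster)
+KAFKA_CFG_SECURITY_INTER_BROKER_PROTOCOL=PLAINTEXT
+
+# Optional: Explicitly set the security protocol map
+KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=PLAINTEXT:PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT
+
+# Other configurations
+KAFKA_CFG_OFFSETS_TOPIC_NUM_PARTITIONS=1
+KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR=1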
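Review bot: `KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAINTEXT` is not a SASL mechanism name (that property takes a value such as `SCRAM-SHA-512`), and because `KAFKA_CFG_SECURITY_INTER_BROKER_PROTOCOL=PLAINTEXT` the inter-broker path is not SASL at all, so the line is at best ignored and at worst misleading; I would delete it. The comment `# CORRECTED: Use SASL_PLAINTEXT protocol with SCRAM mechanism` is an editing note, not documentation; replace it with `# Two listeners: PLAINTEXT (29092) for inter-broker traffic only, SASL_PLAINTEXT (29094) for clients authenticating with SCRAM`. This page does not show the file name; I am assuming it is the `common3-scram.env` referenced by the compose file. It is also worth stating that the fixture deliberately uses SASL_PLAINTEXT rather than SASL_SSL, so SCRAM is exercised without TLS and the test proves nothing about the TLS path a production SCRAM deployment would use — e.g. `# NOTE: no TLS here on purpose; SCRAM keeps the password off the wire but log data is still sent in clear`.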
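--- /dev/null
+++ b/ci/pod/kafka/kafka-server/kafka_scram_jaas.conf
@@ -0,0 +1,26 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+KafkaServer {
+org.apache.kafka.common.security.scram.ScramLoginModule required
+username="admin"
+password="admin-secret";
+org.apache.kafka.common.security.plain.PlainLoginModule required
+username="admin"
+password="admin-secret"
+user_admin="admin-secret";
+};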
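Review bot: The `PlainLoginModule` entry with `user_admin="admin-secret"` is dead configuration as far as this commit shows: the broker's env file enables only `SCRAM-SHA-256,SCRAM-SHA-512`, so no listener consults the PLAIN user table, and the entry merely embeds a second copy of the password. Unless the PLAIN mechanism is enabled somewhere not visible here, I would drop it and keep only the `ScramLoginModule` block. Per Kafka's JAAS convention the `username`/`password` pair in a `KafkaServer` section is what the broker presents when it authenticates to other brokers, which `KAFKA_CFG_SECURITY_INTER_BROKER_PROTOCOL=PLAINTEXT` disables; the SCRAM credential clients are actually checked against is the one `kafka-configs.sh` stores in ZooKeeper in `ci/init-plugin-test-service.sh`, so a comment such as `// Inter-broker credentials only; client SCRAM credentials are registered in ZooKeeper by ci/init-plugin-test-service.sh` would stop the next reader from "fixing" the password here. The file name is not shown on this page; I am assuming it is the `kafka_scram_jaas.conf` the compose file mounts.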

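--- a/docs/en/latest/plugins/kafka-logger.md
+++ b/docs/en/latest/plugins/kafka-logger.md
@@ -42,7 +42,7 @@ It might take some time to receive the log data. It will be automatically sent a
 | brokers.host | string | True | | | The host of Kafka broker, e.g, `192.168.1.1`. |
 | brokers.port | integer | True | | [0, 65535] | The port of Kafka broker |
 | brokers.sasl_config | object | False | | | The sasl config of Kafka broker |
-| brokers.sasl_config.mechanism | string | False | "PLAIN" | ["PLAIN"] | The mechaism of sasl config |
+| brokers.sasl_config.mechanism | string | False | "PLAIN" | ["PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512"] | The mechaism of sasl config |
 | brokers.sasl_config.user | string | True | | | The user of sasl_config. If sasl_config exists, it's required. |
 | brokers.sasl_config.password | string | True | | | The password of sasl_config. If sasl_config exists, it's required. |
 | kafka_topic | string | True | | | Target topic to push the logs for organisation. |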

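--- a/docs/zh/latest/plugins/error-log-logger.md
+++ b/docs/zh/latest/plugins/error-log-logger.md
@@ -51,7 +51,7 @@ description: API 网关 Apache APISIX error-log-logger 插件用于将 APISIX
 | kafka.brokers.host | string || | | Kafka broker 的节点 host 配置,例如 `192.168.1.1`|
 | kafka.brokers.port | string || | | Kafka broker 的节点端口配置 |
 | kafka.brokers.sasl_config | object || | | Kafka broker 中的 sasl_config |
-| kafka.brokers.sasl_config.mechanism | string || "PLAIN" | ["PLAIN"] | Kafka broker 中的 sasl 认证机制 |
+| kafka.brokers.sasl_config.mechanism | string || "PLAIN" | ["PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512"] | Kafka broker 中的 sasl 认证机制 |
 | kafka.brokers.sasl_config.user | string || | | Kafka broker 中 sasl 配置中的 user,如果 sasl_config 存在,则必须填写 |
 | kafka.brokers.sasl_config.password | string || | | Kafka broker 中 sasl 配置中的 password,如果 sasl_config 存在,则必须填写 |
 | kafka.kafka_topic | string || | | 需要推送的 Kafka topic。|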
