[exporter/kafkaexporter] added an option to disable kerberos PA-FX-FA…

…ST negotiation (open-telemetry#33086) **Description:** Added the `disable_fast_negotiation` configuration option for Kafka Kerberos authentication. This option allows users to disable the PA-FX-FAST negotiation, which can cause issues when Active Directory is not configured to support it. This change ensures that Kafka Exporters can function correctly in such environments. **Link to tracking Issue:** [26345](open-telemetry#26345) **Testing:** - Added unit tests to verify the behaviour of the `disable_fast_negotiation` option in the `KerberosConfig` struct. - Tests include scenarios where `disable_fast_negotiation` is set to both `true` and `false`, ensuring that the configuration is correctly applied. **Documentation:** - Updated README files which describe the new configuration option - Updated the changelog to reflect the addition of the `disable_fast_negotiation` configuration option. --------- Co-authored-by: Sean Marciniak <[email protected]> Co-authored-by: Curtis Robert <[email protected]>
openinsight-proj · Jun 5, 2024 · 6cd3ab6 · 6cd3ab6
1 parent c99b5f7
commit 6cd3ab6
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 9 deletions.
diff --git a/.chloggen/kafka-DisablePAFXFAST-kerberos-auth.yaml b/.chloggen/kafka-DisablePAFXFAST-kerberos-auth.yaml
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: kafka
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Added `disable_fast_negotiation` configuration option for Kafka Kerberos authentication, allowing the disabling of PA-FX-FAST negotiation.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [26345]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user] 
diff --git a/exporter/kafkaexporter/README.md b/exporter/kafkaexporter/README.md
@@ -68,6 +68,7 @@ The following settings can be optionally configured:
     - `password`: The Kerberos password used for authenticate with KDC
     - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf
     - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab
+    - `disable_fast_negotiation`: Disable PA-FX-FAST negotiation (Pre-Authentication Framework - Fast). Some common Kerberos implementations do not support PA-FX-FAST negotiation. This is set to `false` by default.
 - `metadata`
   - `full` (default = true): Whether to maintain a full set of metadata. When
     disabled, the client does not make the initial request to broker at the

diff --git a/internal/kafka/authentication.go b/internal/kafka/authentication.go
@@ -52,15 +52,16 @@ type AWSMSKConfig struct {
 	BrokerAddr string `mapstructure:"broker_addr"`
 }
 
-// KerberosConfig defines kereros configuration.
+// KerberosConfig defines kerberos configuration.
 type KerberosConfig struct {
-	ServiceName string `mapstructure:"service_name"`
-	Realm       string `mapstructure:"realm"`
-	UseKeyTab   bool   `mapstructure:"use_keytab"`
-	Username    string `mapstructure:"username"`
-	Password    string `mapstructure:"password" json:"-"`
-	ConfigPath  string `mapstructure:"config_file"`
-	KeyTabPath  string `mapstructure:"keytab_file"`
+	ServiceName     string `mapstructure:"service_name"`
+	Realm           string `mapstructure:"realm"`
+	UseKeyTab       bool   `mapstructure:"use_keytab"`
+	Username        string `mapstructure:"username"`
+	Password        string `mapstructure:"password" json:"-"`
+	ConfigPath      string `mapstructure:"config_file"`
+	KeyTabPath      string `mapstructure:"keytab_file"`
+	DisablePAFXFAST bool   `mapstructure:"disable_fast_negotiation"`
 }
 
 // ConfigureAuthentication configures authentication in sarama.Config.
@@ -159,4 +160,5 @@ func configureKerberos(config KerberosConfig, saramaConfig *sarama.Config) {
 	saramaConfig.Net.SASL.GSSAPI.Username = config.Username
 	saramaConfig.Net.SASL.GSSAPI.Realm = config.Realm
 	saramaConfig.Net.SASL.GSSAPI.ServiceName = config.ServiceName
+	saramaConfig.Net.SASL.GSSAPI.DisablePAFXFAST = config.DisablePAFXFAST
 }
diff --git a/internal/kafka/authentication_test.go b/internal/kafka/authentication_test.go
@@ -42,7 +42,6 @@ func TestAuthentication(t *testing.T) {
 	saramaSASLPLAINConfig.Net.SASL.Enable = true
 	saramaSASLPLAINConfig.Net.SASL.User = "jdoe"
 	saramaSASLPLAINConfig.Net.SASL.Password = "pass"
-
 	saramaSASLPLAINConfig.Net.SASL.Mechanism = sarama.SASLTypePlaintext
 
 	saramaTLSCfg := &sarama.Config{}
@@ -64,6 +63,20 @@ func TestAuthentication(t *testing.T) {
 	saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.KeyTabPath = "/path"
 	saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_KEYTAB_AUTH
 
+	saramaKerberosDisablePAFXFASTTrueCfg := &sarama.Config{}
+	saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
+	saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.Enable = true
+	saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.GSSAPI.ServiceName = "foobar"
+	saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
+	saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.GSSAPI.DisablePAFXFAST = true
+
+	saramaKerberosDisablePAFXFASTFalseCfg := &sarama.Config{}
+	saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
+	saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.Enable = true
+	saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.GSSAPI.ServiceName = "foobar"
+	saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
+	saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.GSSAPI.DisablePAFXFAST = false
+
 	tests := []struct {
 		auth         Authentication
 		saramaConfig *sarama.Config
@@ -92,6 +105,14 @@ func TestAuthentication(t *testing.T) {
 			auth:         Authentication{Kerberos: &KerberosConfig{UseKeyTab: true, KeyTabPath: "/path"}},
 			saramaConfig: saramaKerberosKeyTabCfg,
 		},
+		{
+			auth:         Authentication{Kerberos: &KerberosConfig{ServiceName: "foobar", DisablePAFXFAST: true}},
+			saramaConfig: saramaKerberosDisablePAFXFASTTrueCfg,
+		},
+		{
+			auth:         Authentication{Kerberos: &KerberosConfig{ServiceName: "foobar", DisablePAFXFAST: false}},
+			saramaConfig: saramaKerberosDisablePAFXFASTFalseCfg,
+		},
 		{
 			auth:         Authentication{SASL: &SASLConfig{Username: "jdoe", Password: "pass", Mechanism: "SCRAM-SHA-256"}},
 			saramaConfig: saramaSASLSCRAM256Config,

diff --git a/receiver/kafkametricsreceiver/README.md b/receiver/kafkametricsreceiver/README.md
@@ -60,6 +60,7 @@ Optional Settings (with defaults):
         - `password`: The Kerberos password used for authenticate with KDC
         - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf
         - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab
+        - `disable_fast_negotiation`: Disable PA-FX-FAST negotiation (Pre-Authentication Framework - Fast). Some common Kerberos implementations do not support PA-FX-FAST negotiation. This is set to `false` by default.
 
 ## Examples:
 

diff --git a/receiver/kafkareceiver/README.md b/receiver/kafkareceiver/README.md
@@ -71,6 +71,7 @@ The following settings can be optionally configured:
     - `password`: The Kerberos password used for authenticate with KDC
     - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf
     - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab
+    - `disable_fast_negotiation`: Disable PA-FX-FAST negotiation (Pre-Authentication Framework - Fast). Some common Kerberos implementations do not support PA-FX-FAST negotiation. This is set to `false` by default.
 - `metadata`
   - `full` (default = true): Whether to maintain a full set of metadata. When
     disabled, the client does not make the initial request to broker at the