From 6cd3ab6182d768431ba2059d9d7950fd01364962 Mon Sep 17 00:00:00 2001 From: Sy B Date: Wed, 5 Jun 2024 17:26:18 +0100 Subject: [PATCH] [exporter/kafkaexporter] added an option to disable kerberos PA-FX-FAST negotiation (#33086) **Description:** Added the `disable_fast_negotiation` configuration option for Kafka Kerberos authentication. This option allows users to disable the PA-FX-FAST negotiation, which can cause issues when Active Directory is not configured to support it. This change ensures that Kafka Exporters can function correctly in such environments. **Link to tracking Issue:** [26345](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/26345) **Testing:** - Added unit tests to verify the behaviour of the `disable_fast_negotiation` option in the `KerberosConfig` struct. - Tests include scenarios where `disable_fast_negotiation` is set to both `true` and `false`, ensuring that the configuration is correctly applied. **Documentation:** - Updated README files which describe the new configuration option - Updated the changelog to reflect the addition of the `disable_fast_negotiation` configuration option. --------- Co-authored-by: Sean Marciniak <30928402+MovieStoreGuy@users.noreply.github.com> Co-authored-by: Curtis Robert --- .../kafka-DisablePAFXFAST-kerberos-auth.yaml | 27 +++++++++++++++++++ exporter/kafkaexporter/README.md | 1 + internal/kafka/authentication.go | 18 +++++++------ internal/kafka/authentication_test.go | 23 +++++++++++++++- receiver/kafkametricsreceiver/README.md | 1 + receiver/kafkareceiver/README.md | 1 + 6 files changed, 62 insertions(+), 9 deletions(-) create mode 100644 .chloggen/kafka-DisablePAFXFAST-kerberos-auth.yaml diff --git a/.chloggen/kafka-DisablePAFXFAST-kerberos-auth.yaml b/.chloggen/kafka-DisablePAFXFAST-kerberos-auth.yaml new file mode 100644 index 000000000000..3283753f378e --- /dev/null +++ b/.chloggen/kafka-DisablePAFXFAST-kerberos-auth.yaml 
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: kafka
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Added `disable_fast_negotiation` configuration option for Kafka Kerberos authentication, allowing the disabling of PA-FX-FAST negotiation.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [26345]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]
diff --git a/exporter/kafkaexporter/README.md b/exporter/kafkaexporter/README.md
index d5ac9644199c..02137a862092 100644
--- a/exporter/kafkaexporter/README.md
+++ b/exporter/kafkaexporter/README.md
@@ -68,6 +68,7 @@ The following settings can be optionally configured: - `password`: The Kerberos password used for authenticate with KDC - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab + - `disable_fast_negotiation`: Disable PA-FX-FAST negotiation (Pre-Authentication Framework - Fast). Some common Kerberos implementations do not support PA-FX-FAST negotiation. This is set to `false` by default. - `metadata` - `full` (default = true): Whether to maintain a full set of metadata. When disabled, the client does not make the initial request to broker at the diff --git a/internal/kafka/authentication.go b/internal/kafka/authentication.go index 104d6152a1b2..d6e48b4bc95c 100644 --- a/internal/kafka/authentication.go +++ b/internal/kafka/authentication.go @@ -52,15 +52,16 @@ type AWSMSKConfig struct { BrokerAddr string `mapstructure:"broker_addr"` } -// KerberosConfig defines kereros configuration. +// KerberosConfig defines kerberos configuration. type KerberosConfig struct { - ServiceName string `mapstructure:"service_name"` - Realm string `mapstructure:"realm"` - UseKeyTab bool `mapstructure:"use_keytab"` - Username string `mapstructure:"username"` - Password string `mapstructure:"password" json:"-"` - ConfigPath string `mapstructure:"config_file"` - KeyTabPath string `mapstructure:"keytab_file"` + ServiceName string `mapstructure:"service_name"` + Realm string `mapstructure:"realm"` + UseKeyTab bool `mapstructure:"use_keytab"` + Username string `mapstructure:"username"` + Password string `mapstructure:"password" json:"-"` + ConfigPath string `mapstructure:"config_file"` + KeyTabPath string `mapstructure:"keytab_file"` + DisablePAFXFAST bool `mapstructure:"disable_fast_negotiation"` } // ConfigureAuthentication configures authentication in sarama.Config. 
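Review bot: The new `DisablePAFXFAST` field added to `KerberosConfig` is user-facing configuration that lowers the strength of the Kerberos exchange, yet it is the only field in the struct with a security consequence and it carries no doc comment. FAST (RFC 6113) armors the AS pre-authentication exchange, so switching it off in sarama's GSSAPI client removes, as far as I can tell from this hunk alone, the protection it gives a password-based (non-keytab) login against offline guessing, and that trade-off belongs next to the field. I would add above it: `// DisablePAFXFAST opts out of FAST (RFC 6113) armoring of the pre-authentication exchange. Only set it when the KDC rejects PA-FX-FAST; it lowers protection for password-based (non-keytab) logins.` The README sentence added in this commit ("Some common Kerberos implementations do not support PA-FX-FAST negotiation") would benefit from the same one-line caveat, since it currently reads as a harmless compatibility toggle.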
@@ -159,4 +160,5 @@ func configureKerberos(config KerberosConfig, saramaConfig *sarama.Config) { saramaConfig.Net.SASL.GSSAPI.Username = config.Username saramaConfig.Net.SASL.GSSAPI.Realm = config.Realm saramaConfig.Net.SASL.GSSAPI.ServiceName = config.ServiceName + saramaConfig.Net.SASL.GSSAPI.DisablePAFXFAST = config.DisablePAFXFAST } diff --git a/internal/kafka/authentication_test.go b/internal/kafka/authentication_test.go index 38be5ab45d5e..6571817d5495 100644 --- a/internal/kafka/authentication_test.go +++ b/internal/kafka/authentication_test.go @@ -42,7 +42,6 @@ func TestAuthentication(t *testing.T) { saramaSASLPLAINConfig.Net.SASL.Enable = true saramaSASLPLAINConfig.Net.SASL.User = "jdoe" saramaSASLPLAINConfig.Net.SASL.Password = "pass" - saramaSASLPLAINConfig.Net.SASL.Mechanism = sarama.SASLTypePlaintext saramaTLSCfg := &sarama.Config{} 
@@ -64,6 +63,20 @@ func TestAuthentication(t *testing.T) {
  saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.KeyTabPath = "/path"
  saramaKerberosKeyTabCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_KEYTAB_AUTH
 
+ saramaKerberosDisablePAFXFASTTrueCfg := &sarama.Config{}
+ saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
+ saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.Enable = true
+ saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.GSSAPI.ServiceName = "foobar"
+ saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
+ saramaKerberosDisablePAFXFASTTrueCfg.Net.SASL.GSSAPI.DisablePAFXFAST = true
+
+ saramaKerberosDisablePAFXFASTFalseCfg := &sarama.Config{}
+ saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
+ saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.Enable = true
+ saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.GSSAPI.ServiceName = "foobar"
+ saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.GSSAPI.AuthType = sarama.KRB5_USER_AUTH
+ saramaKerberosDisablePAFXFASTFalseCfg.Net.SASL.GSSAPI.DisablePAFXFAST = false
+
  tests := []struct {
  auth Authentication
  saramaConfig *sarama.Config
@@ -92,6 +105,14 @@ func TestAuthentication(t *testing.T) {
  auth: Authentication{Kerberos: &KerberosConfig{UseKeyTab: true, KeyTabPath: "/path"}},
  saramaConfig: saramaKerberosKeyTabCfg,
  },
+ {
+ auth: Authentication{Kerberos: &KerberosConfig{ServiceName: "foobar", DisablePAFXFAST: true}},
+ saramaConfig: saramaKerberosDisablePAFXFASTTrueCfg,
+ },
+ {
+ auth: Authentication{Kerberos: &KerberosConfig{ServiceName: "foobar", DisablePAFXFAST: false}},
+ saramaConfig: saramaKerberosDisablePAFXFASTFalseCfg,
+ },
  {
  auth: Authentication{SASL: &SASLConfig{Username: "jdoe", Password: "pass", Mechanism: "SCRAM-SHA-256"}},
  saramaConfig: saramaSASLSCRAM256Config,
diff --git a/receiver/kafkametricsreceiver/README.md b/receiver/kafkametricsreceiver/README.md
index 6ed73de612de..e070a40786a8 100644
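Review bot: The two new table cases in the `@@ -92,6 +105,14 @@` hunk both go through the password path (`KRB5_USER_AUTH`) with only `ServiceName` set, so nothing checks that `DisablePAFXFAST` is also propagated when `UseKeyTab` is true, and the `false` case only re-asserts the zero value that the pre-existing Kerberos cases presumably already pin. I would turn the `false` case into a keytab case, `auth: Authentication{Kerberos: &KerberosConfig{UseKeyTab: true, KeyTabPath: "/path", DisablePAFXFAST: true}},` with an expected config built like `saramaKerberosKeyTabCfg` plus `DisablePAFXFAST = true`, which also drops the second near-duplicate expected-config block from the first hunk. The `tests` table and the enclosing test function continue outside the hunk.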
--- a/receiver/kafkametricsreceiver/README.md +++ b/receiver/kafkametricsreceiver/README.md @@ -60,6 +60,7 @@ Optional Settings (with defaults): - `password`: The Kerberos password used for authenticate with KDC - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab + - `disable_fast_negotiation`: Disable PA-FX-FAST negotiation (Pre-Authentication Framework - Fast). Some common Kerberos implementations do not support PA-FX-FAST negotiation. This is set to `false` by default. ## Examples: diff --git a/receiver/kafkareceiver/README.md b/receiver/kafkareceiver/README.md index 6432ee256586..499591d3e19e 100644 --- a/receiver/kafkareceiver/README.md +++ b/receiver/kafkareceiver/README.md @@ -71,6 +71,7 @@ The following settings can be optionally configured: - `password`: The Kerberos password used for authenticate with KDC - `config_file`: Path to Kerberos configuration. i.e /etc/krb5.conf - `keytab_file`: Path to keytab file. i.e /etc/security/kafka.keytab + - `disable_fast_negotiation`: Disable PA-FX-FAST negotiation (Pre-Authentication Framework - Fast). Some common Kerberos implementations do not support PA-FX-FAST negotiation. This is set to `false` by default. - `metadata` - `full` (default = true): Whether to maintain a full set of metadata. When disabled, the client does not make the initial request to broker at the