Added a custom SASL config option to the Topic Operator #5473 #9606
Conversation
|
Thanks for the PR. @tombentley @fvaleri please have a look at it as you are the SMEs for the Topic Operator. |
Signed-off-by: John McPeek <[email protected]>
Signed-off-by: john-mcpeek <[email protected]> Signed-off-by: John McPeek <[email protected]>
Signed-off-by: John McPeek <[email protected]>
…okers still in use (strimzi#9585) Signed-off-by: John McPeek <[email protected]>
john-mcpeek
force-pushed
the
custom-topic-operator-sasl-config-5473
branch
from
3fbec7a to
3a50659
Compare
Signed-off-by: john-mcpeek <[email protected]>
Signed-off-by: John McPeek <[email protected]>
Signed-off-by: John McPeek <[email protected]>
|
/azp run regression |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run feature-gates-regression |
|
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
Hi @john-mcpeek, I think this is a useful feature, thanks. Left some comments.
topic-operator/src/main/java/io/strimzi/operator/topic/Session.java
Outdated
Show resolved
Hide resolved
| @@ -144,6 +144,28 @@ env: | |||
| <3> The keystore contains the private key for mTLS authentication. | |||
| <4> The password for accessing the keystore. | |||
|
|
|||
| . If you need a custom `SASL` configuration. For example, to access a cluster in a cloud provider with a custom login module, the `custom` `SASL_MECHANISM` allows for `SASL_CUSTOM_CONFIG`. + | |||
There was a problem hiding this comment.
You need to add "custom" to the SASL mechanism list on line 118, and rework the documentation about mandatory fields (STRIMZI_SASL_USERNAME and STRIMZI_SASL_PASSWORD are not mandatory with custom).
The same custom SASL config is available for the BTO, so we should also update that documentation.
In order to use the new "custom" SASL mechanism, I guess you would need to extend the default Strimzi operator image to add the required AWS libraries, but there is no mention in the documentation. It would be good to provide an example for AWS_MSK_IAM.
There was a problem hiding this comment.
I expected that if you need AWS IAM or AZURE, etc. you would create an image with those so we don't have to include every possible jar. I would like an standard mechanism for external jars other than a new image, but that may be a different conversation.
There was a problem hiding this comment.
Sorry, I don't know what you mean by BTO?
There was a problem hiding this comment.
I would like an standard mechanism for external jars other than a new image, but that may be a different conversation.
As you say, we can discuss that in a separate thread, but for now, we should include a Dockerfile example for this specific use case, so that other users can easily adapt to their needs.
Sorry, I don't know what you mean by BTO?
Bidirectional Topic Operator, it's the old deprecated implementation. In the latest Strimzi release you have the UTO (Unidirectional Topic Operator) enabled by default. https://strimzi.io/blog/2023/11/02/unidirectional-topic-operator
There was a problem hiding this comment.
Roger that, I get that in Dockerfile example.
Ah, I see, I'll get on that.
There was a problem hiding this comment.
On another note, the details of a working example might be a lot for the docs. What do you all think of a separate doc to explain the AWS example with a link in the Standalone doc?
There was a problem hiding this comment.
This is a repo I did to show the example. MSK-IAM-Example
There was a problem hiding this comment.
I think a generic Dockerfile example with placeholders is enough. As mentioned before, we should also update the BTO documentation. Alternatively, we can only implement and document this feature for the UTO, as the BTO is going away in two releases.
There was a problem hiding this comment.
Actually, BTO is scheduled for removal in 0.41. So unless we change it it will be gone in few weeks.
There was a problem hiding this comment.
BTO is gone in the meantime, so less work to do :)
documentation/modules/deploying/proc-deploy-topic-operator-standalone.adoc
Show resolved
Hide resolved
| String key = entry.getKey(); | ||
| String value = entry.getValue(); | ||
|
|
||
| if (key == null || key.isBlank() || !key.startsWith("sasl.")) { |
There was a problem hiding this comment.
We should also detect the use of one of the standard sasl.mechanism that we support (plain, scram-sha-256, scram-sha-512).
| String key = entry.getKey(); | ||
| String value = entry.getValue(); | ||
|
|
||
| if (key == null || key.isBlank() || !key.startsWith("sasl.")) { |
There was a problem hiding this comment.
We should also detect the use of one of the standard sasl.mechanism that we support (plain, scram-sha-256, scram-sha-512).
There was a problem hiding this comment.
We already do that is setSaslConfigs(). If they need this then I think limiting them could be counter productive.
There was a problem hiding this comment.
Why should we provide two ways to do the same thing? What's the use case?
There was a problem hiding this comment.
It seems to me like they could need a custom JAAS login module and a standard sasl mechanism. We don't know what they will need.
If you are dead set on it, I'll add the check.
There was a problem hiding this comment.
I think @john-mcpeek has a point here: There are use cases where people want to do funky things with SASL-PLAIN and a custom module, so let's allow this.
topic-operator/src/main/java/io/strimzi/operator/topic/v2/TopicOperatorConfig.java
Outdated
Show resolved
Hide resolved
| @@ -406,12 +413,62 @@ private TopicStore createTopicStore(Zk zk, Config config) { | |||
| } | |||
|
|
|||
| private void setSaslConfigs(Properties kafkaClientProps) { | |||
| String saslMechanism; | |||
| String jaasConfig; | |||
| String configSaslMechanism = config.get(Config.SASL_MECHANISM); | |||
There was a problem hiding this comment.
We should check for empty config, which is different from invalid mechanism.
There was a problem hiding this comment.
Empty or invalid is the same result. Are you meaning a different error message like "SASL_MECHANISM is empty"?
There was a problem hiding this comment.
Yes, but Tom proposed to drop this, and I agree.
topic-operator/src/main/java/io/strimzi/operator/topic/Session.java
Outdated
Show resolved
Hide resolved
| return kafkaClientProps; | ||
| } | ||
|
|
||
| private void putSaslConfigs(Map<String, Object> kafkaClientProps) { | ||
| TopicOperatorConfig config = this; | ||
| String configSaslMechanism = config.saslMechanism(); |
There was a problem hiding this comment.
We should check for empty config, which is different from invalid mechanism.
Co-authored-by: Federico Valeri <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
Signed-off-by: john-mcpeek <[email protected]>
….java Co-authored-by: Federico Valeri <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
…cOperatorConfig.java Co-authored-by: Federico Valeri <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
…cOperatorConfig.java Co-authored-by: Federico Valeri <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
| @@ -144,6 +144,28 @@ env: | |||
| <3> The keystore contains the private key for mTLS authentication. | |||
| <4> The password for accessing the keystore. | |||
|
|
|||
| . If you need a custom `SASL` configuration. For example, to access a cluster in a cloud provider with a custom login module, the `custom` `SASL_MECHANISM` allows for `SASL_CUSTOM_CONFIG`. + | |||
There was a problem hiding this comment.
I expected that if you need AWS IAM or AZURE, etc. you would create an image with those so we don't have to include every possible jar.
You should explain this in the documentation. Right now someone reading it might not guess all the steps you're expecting them to make.
| @@ -144,6 +144,28 @@ env: | |||
| <3> The keystore contains the private key for mTLS authentication. | |||
| <4> The password for accessing the keystore. | |||
|
|
|||
| . If you need a custom `SASL` configuration. For example, to access a cluster in a cloud provider with a custom login module, the `custom` `SASL_MECHANISM` allows for `SASL_CUSTOM_CONFIG`. + | |||
There was a problem hiding this comment.
org.apache.kafka.common.errors.InvalidRequestException: Amazon MSK Serverless doesn't support fetching broker or broker-logger configurations
Perhaps one way to handle this would be to allow the skipping of this check with an env var, e.g. ASSUME_AUTO_CREATE_TOPICS=FALSE. If this was not set we'd do the check which we currently do. If it was =FALSE then we just trust that the person configuring the operator is correct and skip the check. And in the unlikely case where it's =TRUE we fail in the same way as if we'd done the check ourselves.
topic-operator/src/main/java/io/strimzi/operator/topic/Session.java
Outdated
Show resolved
Hide resolved
topic-operator/src/main/java/io/strimzi/operator/topic/Session.java
Outdated
Show resolved
Hide resolved
topic-operator/src/main/java/io/strimzi/operator/topic/v2/TopicOperatorConfig.java
Outdated
Show resolved
Hide resolved
| env: | ||
| - name: SASL_MECHANISM # <1> | ||
| value: custom | ||
| - name: SASL_CUSTOM_CONFIG # <2> |
There was a problem hiding this comment.
- I wonder if
SASL_CUSTOM_CONFIG_JSONwould be clearer. - But also, did you consider using
Propertiesformat rather than JSON? Users would likely be familiar with this because it's what the Kafka Java client's use, so it might avoid them having to convert something they already have asPropertiesformat into JSON.
There was a problem hiding this comment.
- I like adding JSON to the name.
- JSONs easy to parse and I was worried about how it could be a mess getting people to understand the value as properties, but taking properties shouldn't be a big change if you would prefer that.
There was a problem hiding this comment.
I was worried about how it could be a mess getting people to understand the value as properties, but taking properties shouldn't be a big change if you would prefer that.
That's a good point. The case of accidentally using folded style block strings (>), like this, bothers me
- name: SASL_CUSTOM_CONFIG_PROPERTIES
value: >
sasl.mechanism: AWS_MSK_IAM
sasl.jaas.config: software.amazon.msk.auth.iam.IAMLoginModule required;
sasl.client.callback.handler.class: software.amazon.msk.auth.iam.IAMClientCallbackHandlerThat's legal YAML and legal .properties format, but it's not what the user intended because it's just the single key sasl.mechanism with a malformed value made up of the real value and the remaining keys and values. Kafka itself would catch that when/if there was sufficient validation on the first property defined. I think there's a similar issue with plain flow scalar strings. (I guess this kind of problem is worse than other common YAML problems, like writing foo: true [where the value is expected to be a string not a boolean, so needs to be quoted] precisely because in this case the expected and actual types are the same, so it's less likely to be caught.)
So I agree, on balance, that although the JSON is ugly it's less likely to be parsed wrongly.
Can we though:
- Call it
SASL_CUSTOM_CONFIG_JSON - Configure the
ObjectMapperto support comments. It's non-standard, but I think people might appreciate the possibility to comment on why/how they're setting individual properties.
There was a problem hiding this comment.
This is what I'm working on now. Is SASL_CUSTOM_CONFIG_JSON and not having a custom type the solution we are going with?
There was a problem hiding this comment.
@john-mcpeek yes, I think that's what we landed on, right @fvaleri ?
topic-operator/src/main/java/io/strimzi/operator/topic/Session.java
Outdated
Show resolved
Hide resolved
topic-operator/src/main/java/io/strimzi/operator/topic/Session.java
Outdated
Show resolved
Hide resolved
topic-operator/src/main/java/io/strimzi/operator/topic/Session.java
Outdated
Show resolved
Hide resolved
….java Co-authored-by: Tom Bentley <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
….java Co-authored-by: Tom Bentley <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
….java Co-authored-by: Tom Bentley <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
….java Co-authored-by: Tom Bentley <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
…cOperatorConfig.java Co-authored-by: Tom Bentley <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
Signed-off-by: John McPeek <[email protected]>
Signed-off-by: John McPeek <[email protected]>
|
@PaulRMellor I like the re-wording. Thank you. |
|
/azp run kraft-regression |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
@john-mcpeek Just FYI: you do not have to rebase the PR all the time. It would be needed only if there would be some conflict. |
|
/azp run kraft regression |
|
No pipelines are associated with this pull request. |
|
/azp run kraft-regression |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Roger that, thank you. |
|
@scholzj What's next? |
|
@john-mcpeek, regression tests are all green, so I think we are just waiting for the final reviews from @tombentley and @PaulRMellor. |
documentation/modules/deploying/proc-deploy-topic-operator-standalone.adoc
Outdated
Show resolved
Hide resolved
documentation/modules/deploying/proc-deploy-topic-operator-standalone.adoc
Outdated
Show resolved
Hide resolved
documentation/modules/deploying/proc-deploy-topic-operator-standalone.adoc
Show resolved
Hide resolved
…ndalone.adoc Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
…ndalone.adoc Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: john-mcpeek <[email protected]>
Signed-off-by: John McPeek <[email protected]>
| private void skipNonAlterableConfigs(Set<AlterConfigOp> alterConfigOps) { | ||
| var alterableConfigs = config.alterableTopicConfig(); | ||
| if (alterableConfigs != null && alterConfigOps != null && !alterableConfigs.isEmpty()) { | ||
| if (alterableConfigs.equalsIgnoreCase("none")) { |
There was a problem hiding this comment.
despite there is an ignore case, you are mentioning "none" (lower case) here but "NONE" (upper case) in the previous doc. I would stick with the same on both, i.e. "none" lower case.
There was a problem hiding this comment.
right, let's keep them aligned
There was a problem hiding this comment.
Ok, so, "none" everywhere including the documentation?
There was a problem hiding this comment.
What do we do for other similar options? Didn't @fvaleri before suggest to use uppercase? This should be also consistent with the ALL I guess?
There was a problem hiding this comment.
I am just for consistency so even the upper case is fine with me.
There was a problem hiding this comment.
Guys, I just need an answer. Upper or lower? Please.
There was a problem hiding this comment.
@john-mcpeek Well, it makes no sense to have none and ALL. So one way or another there will be another change needed. It was actually @tombentley who suggested upper case in #9606 (comment) and I think his logic makes sense. So if Paolo doesn't care you should go with uppercase everywhere.
There was a problem hiding this comment.
Tom originally suggested to have all uppercase as it is more evident comparing to regular configuration, which is lowercase. So let's use UPPERCASE (NONE and ALL).
There was a problem hiding this comment.
Ok, I think we are NONE and ALL everywhere now.
topic-operator/src/main/java/io/strimzi/operator/topic/BatchingTopicController.java
Show resolved
Hide resolved
topic-operator/src/main/java/io/strimzi/operator/topic/BatchingTopicController.java
Show resolved
Hide resolved
|
|
||
| if (reconcilableTopic != null && reconcilableTopic.kt() != null | ||
| && hasConfig(reconcilableTopic.kt()) && alterableConfigs != null) { | ||
| if (alterableConfigs.equalsIgnoreCase("NONE")) { |
There was a problem hiding this comment.
again despite the ignore case, why are you using "NONE" here instead of "none" as before? I would make consistency everywhere, even across the documentation part.
Signed-off-by: john-mcpeek <[email protected]>
Signed-off-by: john-mcpeek <[email protected]>
Signed-off-by: john-mcpeek <[email protected]>
Signed-off-by: john-mcpeek <[email protected]>
Signed-off-by: john-mcpeek <[email protected]>
|
Thanks a lot for the contribution @john-mcpeek. |
|
Thanks @john-mcpeek, and congrats for your first contribution. Well done. |
|
Thanks @scholzj @fvaleri @tombentley @ppatierno @PaulRMellor, it was an adventure :) |
Type of change
Enhancement
Description
I added a
customSASL_MECHANISMso that the Topic Operator in standalone can be used to manage topics inMSKwithIAMfor example.Checklist
Please go through this checklist and make sure all applicable tasks have been done