Add support for AWS IAM authentication #126

Open
wants to merge 5 commits into
base: main

korsosa (Contributor) commented Sep 7, 2022

AWS MSK has an optional IAM auth feature that enables using AWS IAM policies for managing authentication/authorization to Kafka resources instead of Kafka ACLs. More information in the AWS MSK documentation.

This change

  • includes the AWS library for MSK IAM auth that provides a new SASL mechanism AWS_MSK_IAM
  • adds a config option sasl.client.callback.handler.class to allow providing custom SASL callback handlers
  • In previous plugin versions the transitive Jar dependencies were not exported. The AWS MSK IAM auth library is a jar without dependencies; this caused issues with finding various AWS classes. Instead of listing all the transitive AWS dependencies, this change also modifies build.gradle to export all Jar dependencies and add them to the jars file. If a transitive dependency should not be exported, the transitive=false flag can be used.

Tested both input and output on an AWS EC2 machine with AWS MSK (Kafka version 2.6.2) and Logstash 8.2.3.

Usage as input/output:

  kafka {
    topic_id => "yourtopic"
    bootstrap_servers => "yourbroker"
    security_protocol => "SASL_SSL"
    sasl_mechanism => "AWS_MSK_IAM"
    sasl_jaas_config => "software.amazon.msk.auth.iam.IAMLoginModule required;"
    sasl_client_callback_handler_class => "software.amazon.msk.auth.iam.IAMClientCallbackHandler"
  }

This PR also fixes the issue #124

Closes: #124
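
Added example, not part of this PR or the plugin's code: a small Python lint that checks a Logstash kafka block against the settings shown in the usage snippet above, so that a block selecting AWS_MSK_IAM without SASL_SSL, the IAM login module or the callback handler is caught before deployment. The function names and both sample blocks are constructed for illustration.

```python
import re

# Settings required with sasl_mechanism => "AWS_MSK_IAM", copied from the usage
# snippet in the PR description. All names in this example are illustrative.
REQUIRED_WITH_IAM = {
    "security_protocol": "SASL_SSL",
    "sasl_client_callback_handler_class":
        "software.amazon.msk.auth.iam.IAMClientCallbackHandler",
}
IAM_LOGIN_MODULE = "software.amazon.msk.auth.iam.IAMLoginModule"
SETTING_RE = re.compile(r'^\s*(\w+)\s*=>\s*"((?:[^"\\]|\\.)*)"\s*$')

def parse_settings(block):
    """Collect name => "value" string settings from one kafka { ... } block."""
    matches = (SETTING_RE.match(line) for line in block.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def check_msk_iam(block):
    """Return findings for an AWS_MSK_IAM block; an empty list means consistent."""
    settings = parse_settings(block)
    if settings.get("sasl_mechanism") != "AWS_MSK_IAM":
        return []  # block does not use IAM auth, nothing to check here
    findings = []
    for name, want in REQUIRED_WITH_IAM.items():
        if settings.get(name) != want:
            findings.append(f"{name}: expected {want!r}, found {settings.get(name)!r}")
    jaas = settings.get("sasl_jaas_config", "").strip()
    # Module options may follow "required", so only prefix and final ';' are checked.
    if not (jaas.startswith(IAM_LOGIN_MODULE + " required") and jaas.endswith(";")):
        findings.append(f"sasl_jaas_config: does not load {IAM_LOGIN_MODULE}")
    return findings

# Constructed sample: the usage block from the PR description.
GOOD_BLOCK = '''kafka {
  topic_id => "yourtopic"
  bootstrap_servers => "yourbroker"
  security_protocol => "SASL_SSL"
  sasl_mechanism => "AWS_MSK_IAM"
  sasl_jaas_config => "software.amazon.msk.auth.iam.IAMLoginModule required;"
  sasl_client_callback_handler_class => "software.amazon.msk.auth.iam.IAMClientCallbackHandler"
}'''
# Constructed sample: IAM mechanism selected, but no TLS, wrong module, no handler.
BAD_BLOCK = '''kafka {
  security_protocol => "SASL_PLAINTEXT"
  sasl_mechanism => "AWS_MSK_IAM"
  sasl_jaas_config => "org.apache.kafka.common.security.plain.PlainLoginModule required;"
}'''

if __name__ == "__main__":
    print(check_msk_iam(GOOD_BLOCK), check_msk_iam(BAD_BLOCK), sep="\n")
```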

@korsosa korsosa marked this pull request as ready for review September 7, 2022 09:00
@korsosa korsosa changed the title [WIP] Add support for AWS IAM authentication Add support for AWS IAM authentication Sep 7, 2022
korsosa (Contributor Author) commented Sep 9, 2022

Hey @andsel & @jsvd, could you please review this PR? Is there anything I can do to help review/merge it? :)

@otavioprado

Hey @andsel & @jsvd, any idea when this PR will be merged?

denes16 commented May 16, 2023

Any news on this?

@mvignes89

Any update on this?

korsosa (Contributor Author) commented Jan 5, 2024

Hey @andsel, is there anything I can do to get this merged? I'd be happy to resolve the conflicts and update the PR but not sure if there's any intention from your side to merge it. Unfortunately, I haven't received any feedback since I opened the PR, although I believe this would be a useful addition to the plugin.

@andsel andsel self-requested a review January 24, 2024 08:58

andsel (Contributor) left a comment

Hi @korsosa
the PR seems promising; however, it would be better to split it in 2:

  • the first PR would introduce just the setting sasl.client.callback.handler.class, which is the abstract way to provide any SASL client handler
  • another one for the specific dependencies related to AWS IAM

@jjatinggoyal

Hi @korsosa, will you be working on this?

Successfully merging this pull request may close these issues.

Add Support for AWS MSK IAM authorization