pingcap · ti-chi-bot · Apr 11, 2022 · Apr 6, 2022 · Apr 7, 2022 · Apr 7, 2022
diff --git a/cdc/sink/producer/kafka/config.go b/cdc/sink/producer/kafka/config.go
@@ -43,7 +43,7 @@ type Config struct {
 	Compression     string
 	ClientID        string
 	Credential      *security.Credential
-	SaslScram       *security.SaslScram
+	SASL            *security.SASL
 	// control whether to create topic
 	AutoCreate bool
 
@@ -62,7 +62,7 @@ func NewConfig() *Config {
 		ReplicationFactor: 1,
 		Compression:       "none",
 		Credential:        &security.Credential{},
-		SaslScram:         &security.SaslScram{},
+		SASL:              &security.SASL{},
 		AutoCreate:        true,
 		DialTimeout:       10 * time.Second,
 		WriteTimeout:      10 * time.Second,
@@ -97,22 +97,6 @@ func (c *Config) setPartitionNum(realPartitionCount int32) error {
 	return nil
 }
 
-// AutoCreateTopicConfig is used to create topic configuration.
-type AutoCreateTopicConfig struct {
-	AutoCreate        bool
-	PartitionNum      int32
-	ReplicationFactor int16
-}
-
-// DeriveTopicConfig derive a `topicConfig` from the `Config`
-func (c *Config) DeriveTopicConfig() *AutoCreateTopicConfig {
-	return &AutoCreateTopicConfig{
-		AutoCreate:        c.AutoCreate,
-		PartitionNum:      c.PartitionNum,
-		ReplicationFactor: c.ReplicationFactor,
-	}
-}
-
 // Apply the sinkURI to update Config
 func (c *Config) Apply(sinkURI *url.URL) error {
 	c.BrokerEndpoints = strings.Split(sinkURI.Host, ",")
@@ -174,21 +158,6 @@ func (c *Config) Apply(sinkURI *url.URL) error {
 		c.Credential.KeyPath = s
 	}
 
-	s = params.Get("sasl-user")
-	if s != "" {
-		c.SaslScram.SaslUser = s
-	}
-
-	s = params.Get("sasl-password")
-	if s != "" {
-		c.SaslScram.SaslPassword = s
-	}
-
-	s = params.Get("sasl-mechanism")
-	if s != "" {
-		c.SaslScram.SaslMechanism = s
-	}
-
 	s = params.Get("auto-create-topic")
 	if s != "" {
 		autoCreate, err := strconv.ParseBool(s)
@@ -225,9 +194,101 @@ func (c *Config) Apply(sinkURI *url.URL) error {
 		c.ReadTimeout = a
 	}
 
+	err := c.applySASL(params)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (c *Config) applySASL(params url.Values) error {
+	s := params.Get("sasl-user")
+	if s != "" {
+		c.SASL.SASLUser = s
+	}
+
+	s = params.Get("sasl-password")
+	if s != "" {
+		c.SASL.SASLPassword = s
+	}
+
+	s = params.Get("sasl-mechanism")
+	if s != "" {
+		mechanism, err := security.SASLMechanismFormString(s)
+		if err != nil {
+			return cerror.WrapError(cerror.ErrKafkaInvalidConfig, err)
+		}
+		c.SASL.SASLMechanism = mechanism
+	}
+
+	s = params.Get("sasl-gssapi-auth-type")
+	if s != "" {
+		authType, err := security.AuthTypeFromString(s)
+		if err != nil {
+			return cerror.WrapError(cerror.ErrKafkaInvalidConfig, err)
+		}
+		c.SASL.GSSAPI.AuthType = authType
+	}
+
+	s = params.Get("sasl-gssapi-keytab-path")
+	if s != "" {
+		c.SASL.GSSAPI.KeyTabPath = s
+	}
+
+	s = params.Get("sasl-gssapi-kerberos-config-path")
+	if s != "" {
+		c.SASL.GSSAPI.KerberosConfigPath = s
+	}
+
+	s = params.Get("sasl-gssapi-service-name")
+	if s != "" {
+		c.SASL.GSSAPI.ServiceName = s
+	}
+
+	s = params.Get("sasl-gssapi-user")
+	if s != "" {
+		c.SASL.GSSAPI.Username = s
+	}
+
+	s = params.Get("sasl-gssapi-password")
+	if s != "" {
+		c.SASL.GSSAPI.Password = s
+	}
+
+	s = params.Get("sasl-gssapi-realm")
+	if s != "" {
+		c.SASL.GSSAPI.Realm = s
+	}
+
+	s = params.Get("sasl-gssapi-disable-pafxfast")
+	if s != "" {
+		disablePAFXFAST, err := strconv.ParseBool(s)
+		if err != nil {
+			return err
+		}
+		c.SASL.GSSAPI.DisablePAFXFAST = disablePAFXFAST
+	}
+
 	return nil
 }
 
+// AutoCreateTopicConfig is used to create topic configuration.
+type AutoCreateTopicConfig struct {
+	AutoCreate        bool
+	PartitionNum      int32
+	ReplicationFactor int16
+}
+
+// DeriveTopicConfig derive a `topicConfig` from the `Config`
+func (c *Config) DeriveTopicConfig() *AutoCreateTopicConfig {
+	return &AutoCreateTopicConfig{
+		AutoCreate:        c.AutoCreate,
+		PartitionNum:      c.PartitionNum,
+		ReplicationFactor: c.ReplicationFactor,
+	}
+}
+
 // NewSaramaConfig return the default config and set the according version and metrics
 func NewSaramaConfig(ctx context.Context, c *Config) (*sarama.Config, error) {
 	config := sarama.NewConfig()
@@ -312,19 +373,42 @@ func NewSaramaConfig(ctx context.Context, c *Config) (*sarama.Config, error) {
 			return nil, errors.Trace(err)
 		}
 	}
-	if c.SaslScram != nil && len(c.SaslScram.SaslUser) != 0 {
+
+	completeSaramaSASLConfig(config, c)
+
+	return config, err
+}
+
+func completeSaramaSASLConfig(config *sarama.Config, c *Config) {
+	if c.SASL != nil && c.SASL.SASLMechanism != "" {
 		config.Net.SASL.Enable = true
-		config.Net.SASL.User = c.SaslScram.SaslUser
-		config.Net.SASL.Password = c.SaslScram.SaslPassword
-		config.Net.SASL.Mechanism = sarama.SASLMechanism(c.SaslScram.SaslMechanism)
-		if strings.EqualFold(c.SaslScram.SaslMechanism, "SCRAM-SHA-256") {
-			config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &security.XDGSCRAMClient{HashGeneratorFcn: security.SHA256} }
-		} else if strings.EqualFold(c.SaslScram.SaslMechanism, "SCRAM-SHA-512") {
-			config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &security.XDGSCRAMClient{HashGeneratorFcn: security.SHA512} }
-		} else {
-			return nil, errors.New("Unsupported sasl-mechanism, should be SCRAM-SHA-256 or SCRAM-SHA-512")
+		config.Net.SASL.Mechanism = sarama.SASLMechanism(c.SASL.SASLMechanism)
+		switch c.SASL.SASLMechanism {
+		case sarama.SASLTypeSCRAMSHA256, sarama.SASLTypeSCRAMSHA512, sarama.SASLTypePlaintext:
+			config.Net.SASL.User = c.SASL.SASLUser
+			config.Net.SASL.Password = c.SASL.SASLPassword
+			if strings.EqualFold(string(c.SASL.SASLMechanism), sarama.SASLTypeSCRAMSHA256) {
+				config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient {
+					return &security.XDGSCRAMClient{HashGeneratorFcn: security.SHA256}
+				}
+			} else if strings.EqualFold(string(c.SASL.SASLMechanism), sarama.SASLTypeSCRAMSHA512) {
+				config.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient {
+					return &security.XDGSCRAMClient{HashGeneratorFcn: security.SHA512}
+				}
+			}
+		case sarama.SASLTypeGSSAPI:
+			config.Net.SASL.GSSAPI.AuthType = int(c.SASL.GSSAPI.AuthType)
+			config.Net.SASL.GSSAPI.Username = c.SASL.GSSAPI.Username
+			config.Net.SASL.GSSAPI.ServiceName = c.SASL.GSSAPI.ServiceName
+			config.Net.SASL.GSSAPI.KerberosConfigPath = c.SASL.GSSAPI.KerberosConfigPath
+			config.Net.SASL.GSSAPI.Realm = c.SASL.GSSAPI.Realm
+			config.Net.SASL.GSSAPI.DisablePAFXFAST = c.SASL.GSSAPI.DisablePAFXFAST
+			switch c.SASL.GSSAPI.AuthType {
+			case security.UserAuth:
+				config.Net.SASL.GSSAPI.Password = c.SASL.GSSAPI.Password
+			case security.KeyTabAuth:
+				config.Net.SASL.GSSAPI.KeyTabPath = c.SASL.GSSAPI.KeyTabPath
+			}
 		}
 	}
-
-	return config, err
 }
diff --git a/cdc/sink/producer/kafka/config_test.go b/cdc/sink/producer/kafka/config_test.go
@@ -73,10 +73,10 @@ func TestNewSaramaConfig(t *testing.T) {
 	saslConfig := NewConfig()
 	saslConfig.Version = "2.6.0"
 	saslConfig.ClientID = "test-sasl-scram"
-	saslConfig.SaslScram = &security.SaslScram{
-		SaslUser:      "user",
-		SaslPassword:  "password",
-		SaslMechanism: sarama.SASLTypeSCRAMSHA256,
+	saslConfig.SASL = &security.SASL{
+		SASLUser:      "user",
+		SASLPassword:  "password",
+		SASLMechanism: sarama.SASLTypeSCRAMSHA256,
 	}
 
 	cfg, err := NewSaramaConfig(ctx, saslConfig)
@@ -421,3 +421,110 @@ func TestConfigurationCombinations(t *testing.T) {
 		_ = adminClient.Close()
 	}
 }
+
+func TestApplySASL(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name      string
+		URI       string
+		exceptErr string
+	}{
+		{
+			name:      "no params",
+			URI:       "kafka://127.0.0.1:9092/abc",
+			exceptErr: "",
+		},
+		{
+			name: "valid PLAIN SASL",
+			URI: "kafka://127.0.0.1:9092/abc?kafka-version=2.6.0&partition-num=0" +
+				"&sasl-username=user&sasl-password=password&sasl-mechanism=plain",
+			exceptErr: "",
+		},
+		{
+			name: "valid SCRAM SASL",
+			URI: "kafka://127.0.0.1:9092/abc?kafka-version=2.6.0&partition-num=0" +
+				"&sasl-username=user&sasl-password=password&sasl-mechanism=SCRAM-SHA-512",
+			exceptErr: "",
+		},
+		{
+			name: "valid GSSAPI user auth SASL",
+			URI: "kafka://127.0.0.1:9092/abc?kafka-version=2.6.0&partition-num=0" +
+				"&sasl-mechanism=GSSAPI&sasl-gssapi-auth-type=USER" +
+				"&sasl-gssapi-kerberos-config-path=/root/config" +
+				"&sasl-gssapi-service-name=a&sasl-gssapi-user=user" +
+				"&sasl-gssapi-password=pwd" +
+				"&sasl-gssapi-realm=realm&sasl-gssapi-disable-pafxfast=false",
+			exceptErr: "",
+		},
+		{
+			name: "valid GSSAPI keytab auth SASL",
+			URI: "kafka://127.0.0.1:9092/abc?kafka-version=2.6.0&partition-num=0" +
+				"&sasl-mechanism=GSSAPI&sasl-gssapi-auth-type=keytab" +
+				"&sasl-gssapi-kerberos-config-path=/root/config" +
+				"&sasl-gssapi-service-name=a&sasl-gssapi-user=user" +
+				"&sasl-gssapi-keytab-path=/root/keytab" +
+				"&sasl-gssapi-realm=realm&sasl-gssapi-disable-pafxfast=false",
+			exceptErr: "",
+		},
+		{
+			name: "invalid mechanism",
+			URI: "kafka://127.0.0.1:9092/abc?kafka-version=2.6.0&partition-num=0" +
+				"&sasl-mechanism=a",
+			exceptErr: "unknown a SASL mechanism",
+		},
+		{
+			name: "invalid GSSAPI auth type",
+			URI: "kafka://127.0.0.1:9092/abc?kafka-version=2.6.0&partition-num=0" +
+				"&sasl-mechanism=gssapi&sasl-gssapi-auth-type=keyta1b",
+			exceptErr: "unknown keyta1b auth type",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			cfg := NewConfig()
+			sinkURI, err := url.Parse(test.URI)
+			require.Nil(t, err)
+			if test.exceptErr == "" {
+				require.Nil(t, cfg.applySASL(sinkURI.Query()))
+			} else {
+				require.Regexp(t, test.exceptErr, cfg.applySASL(sinkURI.Query()).Error())
+			}
+		})
+	}
+}
+
+func TestCompleteSaramaSASLConfig(t *testing.T) {
+	t.Parallel()
+
+	// Test that SASL is turned on correctly.
+	cfg := NewConfig()
+	cfg.SASL = &security.SASL{
+		SASLUser:      "user",
+		SASLPassword:  "password",
+		SASLMechanism: "",
+		GSSAPI:        security.GSSAPI{},
+	}
+	saramaConfig := sarama.NewConfig()
+	completeSaramaSASLConfig(saramaConfig, cfg)
+	require.False(t, saramaConfig.Net.SASL.Enable)
+	cfg.SASL.SASLMechanism = "plain"
+	completeSaramaSASLConfig(saramaConfig, cfg)
+	require.True(t, saramaConfig.Net.SASL.Enable)
+	// Test that the SCRAMClientGeneratorFunc is set up correctly.
+	cfg = NewConfig()
+	cfg.SASL = &security.SASL{
+		SASLUser:      "user",
+		SASLPassword:  "password",
+		SASLMechanism: "plain",
+		GSSAPI:        security.GSSAPI{},
+	}
+	saramaConfig = sarama.NewConfig()
+	completeSaramaSASLConfig(saramaConfig, cfg)
+	require.Nil(t, saramaConfig.Net.SASL.SCRAMClientGeneratorFunc)
+	cfg.SASL.SASLMechanism = "SCRAM-SHA-512"
+	completeSaramaSASLConfig(saramaConfig, cfg)
+	require.NotNil(t, saramaConfig.Net.SASL.SCRAMClientGeneratorFunc)
+}