kafka4beam / sasl_auth Goto Github PK

Some users may not wish to use a nif. We can write a near perfect NIF, but we're still at the mercy of libraries we're using. Thus, a port implementation of sasl_auth is surely in order, especially since ROFL performance isn't the goal here.

The Makefile is a bit clumsy in regards to mac os. Specifically, we're assuming everyone has cyrus-sasl and krb5 installed via brew. We should probably check if brew is installed, then check if cyrus-sasl is installed via brew. If brew is not installed or cyrus-sasl is not installed via brew, don't append include and lib paths to flags.

We have a few odds and ends we want to do to do including #9, and a few issues I'm about to open. That said, I'm not sure I see a reason to wait publishing this to hex. We could publish it as an RC or pre.

To note, I thought sasl_auth was already on hex, it is not, nor is brod_gsspai.

There are instructions in the README (introduced in PR #8) for how to run the test cases introduced in PR #8. These instructions are not complete. See, for example, this comment #8 (comment) and other comments for the same PR. We should either update these instructions so they are complete or replace the instructions with a reference to a script that sets everything up automatically.

This would make it easier to make sure we do not add commits that break any test case.

Hi @ElMaxo

I might have done something wrong.
it'd be great if you can help me to troubleshoot this.

I'm following the steps here to setup kerberos:
http://docs.confluent.io/current/cp-docker-images/docs/tutorials/clustered-deployment-sasl.html
Succeeded in producing the 42 messages at the end of the doc.
But when I try to do enable gssapi auth in brod, I get this:

=SUPERVISOR REPORT==== 30-May-2017::17:36:58 ===
     Supervisor: {local,brod_sup}
     Context:    child_terminated
     Reason:     {{{{badmatch,{error,"krb5_get_init_creds_keytab: (-1765328230) Cannot find KDC for realm \"TEST.CONFLUENT.IO\""}},
                    [{brod_gssapi,auth,6,
                                  [{file,"src/brod_gssapi.erl"},{line,51}]},
                     {brod_sock,sasl_auth,6,
                                [{file,"src/brod_sock.erl"},{line,265}]},
                     {brod_sock,maybe_sasl_auth,6,
                                [{file,"src/brod_sock.erl"},{line,230}]},
                     {brod_sock,init,5,
                                [{file,"src/brod_sock.erl"},{line,194}]},
                     {proc_lib,init_p_do_apply,3,
                               [{file,"proc_lib.erl"},{line,247}]}]},
                   [{"quickstart.confluent.io",29094}]},
                  [{brod_client,start_metadata_socket,5,
                                [{file,"src/brod_client.erl"},{line,677}]},
                   {brod_client,handle_info,2,
                                [{file,"src/brod_client.erl"},{line,290}]},
                   {gen_server,try_dispatch,4,
                               [{file,"gen_server.erl"},{line,601}]},
                   {gen_server,handle_msg,5,
                               [{file,"gen_server.erl"},{line,667}]},
                   {proc_lib,init_p_do_apply,3,
                             [{file,"proc_lib.erl"},{line,247}]}]}

Here is the command I run to start a client.

CaCert = "/tmp/cp-docker-images/examples/kafka-cluster-sasl/secrets/producer-ca1-signed.crt".
KeyTab = <<"/tmp/cp-docker-images/examples/kafka-cluster-sasl/secrets/saslproducer.keytab">>.
Prin = <<"saslproducer/[email protected]">>.
brod:start_client([{"quickstart.confluent.io", 29094}], client1,
                  [{ssl, [{cacertfile, CaCert}]}, {sasl, {callback, brod_gssapi, {gssapi, KeyTab, Prin}}}]).

It would be useful with an easy way to run the tests with an address sanitizer compiled NIF library as this would make it easier to find memory leaks, write-after-frees and other memory related problems.

(I will start to work on this now)

This is related to issue #10.

Currently, one have to set up a Kerberos server, figure out which cyrus-sasl packages that need to be installed, install Kerberos, and configure the Kerberos server correctly to run the tests. This could be a very time consuming process (especially if one is new to Kerberos). Therefore, it would be great if all these could be automated so that one can run the tests in a docker container by just executing a single command.