wip: SASL/GSSAPI support.

.gitignore

@@ -1,7 +1,10 @@
 dist/
+target/
 external/
 node_modules
 coverage
 .eslintcache
 .env
 .vscode
+*.node
+

docker-compose.yml

@@ -1,4 +1,23 @@
 services:
+  kdc:
+    image: alpine:latest
+    container_name: kdc
+    ports:
+      - '8000:88/tcp'
+      - '8000:88/udp'
+      - '8001:749'
+    volumes:
+      - './docker/kerberos/krb5-kdc.conf:/etc/krb5.conf:ro'
+      - './docker/kerberos/kdc.conf:/var/lib/krb5kdc/kdc.conf:ro'
+      - './docker/kerberos/init.sh:/init.sh:ro'
+      - './tmp/kerberos:/data'
+    entrypoint: ['/bin/sh', '/init.sh']
+    healthcheck:
+      test: ['CMD', 'kadmin.local', '-q', 'list_principals']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
   broker-single:
     # Rule of thumb: Confluent Kafka Version = Apache Kafka Version + 4.0.0
     image: &image confluentinc/cp-kafka:${KAFKA_VERSION:-7.9.0}
@@ -74,6 +93,38 @@ services:
       KAFKA_SASL_OAUTHBEARER_EXPECTED_AUDIENCE: users
       KAFKA_SASL_OAUTHBEARER_EXPECTED_SCOPE: test
 
+  broker-sasl-kerberos:
+    image: *image
+    container_name: broker-sasl-kerberos
+    ports:
+      - "9003:9092" # SASL
+      - "19003:19092" # PLAIN TEXT - Used to create users
+    healthcheck: *health_check
+    volumes:
+      - "./docker/sasl/jaas-kerberos.conf:/etc/kafka/jaas.conf:ro"
+      - "./docker/kerberos/krb5-broker.conf:/etc/krb5.conf:ro"
+      - "./tmp/kerberos/broker.keytab:/etc/kafka/broker.keytab:ro"
+    depends_on:
+      kdc:
+        condition: service_healthy
+    environment:
+      <<: *common_config
+      # Broker specific general and port options
+      KAFKA_LISTENERS: "SASL://:9092,DOCKER://:19092,CONTROLLER://:29092"
+      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "SASL:SASL_PLAINTEXT,DOCKER:PLAINTEXT,CONTROLLER:PLAINTEXT"
+      KAFKA_ADVERTISED_LISTENERS: "SASL://localhost:9003,DOCKER://broker-sasl-kerberos:19092"
+      KAFKA_CONTROLLER_QUORUM_VOTERS: "1@broker-sasl-kerberos:29092"
+      # SASL
+      KAFKA_OPTS: "-Djava.security.auth.login.config=/etc/kafka/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
+      KAFKA_LISTENER_NAME_SASL_GSSAPI_SASL_JAAS_CONFIG: 'com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/kafka/broker.keytab" principal="broker/[email protected]";'
+      KAFKA_CONNECTIONS_MAX_REAUTH_MS: 5000
+      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false"
+      KAFKA_SUPER_USERS: 'User:admin;User:broker/[email protected];User:admin-keytab/[email protected];User:admin-password/[email protected]'
+      KAFKA_SASL_ENABLED_MECHANISMS: "GSSAPI"
+      KAFKA_SASL_MECHANISM_CONTROLLER_PROTOCOL: "PLAIN"
+      KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: "PLAIN"
+      KAFKA_SASL_KERBEROS_SERVICE_NAME: 'kafka'
+
   broker-cluster-1:
     image: *image
     container_name: broker-cluster-1

docker/kerberos/README.md

@@ -0,0 +1,10 @@
+To create `kafka.keytab`:
+
+```
+ktutil
+addent -password -p admin/[email protected] -k 1 -e aes256-cts-hmac-sha1-96
+write_kt kafka.keytab
+quit
+```
+
+On Mac, use `ktutil` from `krb5`, installed via Homebrew

docker/kerberos/init.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+
+# Setup KDC if needed
+if [ ! -f /var/lib/krb5kdc/principal ]; then
+  echo "Setting up KDC ..."
+
+  apk add --no-cache krb5-server krb5
+  kdb5_util create -s -P password
+
+  # # ACL file
+  echo "*/[email protected] *" > /var/lib/krb5kdc/kadm5.acl
+
+  # Create principals
+  kadmin.local -q "addprinc -pw admin [email protected]" # Main administrator
+  kadmin.local -q "addprinc -randkey broker/[email protected]" # Kafka broker
+  kadmin.local -q "addprinc -randkey [email protected]" # Client with keytab
+  kadmin.local -q "addprinc -pw admin [email protected]" # Client with password
+
+  # Genera keytab
+  kadmin.local -q "ktadd -k /data/broker.keytab broker/[email protected]"
+  kadmin.local -q "ktadd -k /data/admin.keytab [email protected]"  
+fi  
+
+krb5kdc
+kadmind -nofork

docker/kerberos/kdc.conf

@@ -0,0 +1,11 @@
+[kdcdefaults]
+    kdc_ports = 88
+    kdc_tcp_ports = 88
+
+[realms]
+    EXAMPLE.COM = {
+        acl_file = /var/lib/krb5kdc/kadm5.acl
+        dict_file = /usr/share/dict/words
+        admin_keytab = /var/lib/krb5kdc/kadm5.keytab
+        supported_enctypes = aes256-cts:normal aes128-cts:normal
+    }

docker/kerberos/krb5-broker.conf

@@ -0,0 +1,14 @@
+[libdefaults]
+    default_realm = EXAMPLE.COM
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+
+[realms]
+    EXAMPLE.COM = {
+        kdc = kdc:88
+        admin_server = kdc:749
+    }
+
+[domain_realm]
+    .example.com = EXAMPLE.COM
+    example.com = EXAMPLE.COM

docker/kerberos/krb5-kdc.conf

@@ -0,0 +1,14 @@
+[libdefaults]
+    default_realm = EXAMPLE.COM
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+
+[realms]
+    EXAMPLE.COM = {
+        kdc = localhost:88
+        admin_server = localhost:749
+    }
+
+[domain_realm]
+    .example.com = EXAMPLE.COM
+    example.com = EXAMPLE.COM

docker/sasl/jaas-kerberos.conf

@@ -0,0 +1,9 @@
+KafkaServer {
+  com.sun.security.auth.module.Krb5LoginModule required
+  useKeyTab=true
+  storeKey=true
+  keyTab="/etc/kafka/broker.keytab"
+  principal="broker/[email protected]"
+  serviceName="kafka"
+  useTicketCache=false;
+};

native/.cargo/config.toml

@@ -0,0 +1,2 @@
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-C", "target-feature=+crt-static"]