Support custom SASL mechanisms #146
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There is some interest in supporting various SASL mechanisms not currently included in the library: * dpkp#2110 (DMS) * dpkp#2204 (SSPI) * dpkp#2232 (AWS_MSK_IAM) Adding these mechanisms in the core library may be undesirable due to: * Increased maintenance burden. * Unavailable testing environments. * Vendor specificity. This commit provides a quick prototype for a pluggable SASL system. --- **Example** To define a custom SASL mechanism a module must implement two methods: ```py def validate_config(conn): # Check configuration values, available libraries, etc. assert conn.config['vendor_specific_setting'] is not None, ( 'vendor_specific_setting required when sasl_mechanism=MY_SASL' ) def try_authenticate(conn, future): # Do authentication routine and return resolved Future with failed # or succeeded state. ``` And then the custom mechanism should be registered before initializing a KafkaAdminClient, KafkaConsumer, or KafkaProducer: ```py import kafka.sasl from kafka import KafkaProducer import my_sasl kafka.sasl.register_mechanism('MY_SASL', my_sasl) producer = KafkaProducer(sasl_mechanism='MY_SASL') ``` --- **Notes** **ABCs** This prototype does not implement an ABC for custom SASL mechanisms. Using an ABC would reduce a few of the explicit assertions involved with registering a mechanism and is a viable option. Due to differing feature sets between py2/py3 this option was not explored, but shouldn't be difficult. **Private Methods** This prototype relies on some methods that are currently marked as **private** in `BrokerConnection`. * `._can_send_recv` * `._lock` * `._recv_bytes_blocking` * `._send_bytes_blocking` A pluggable system would require stable interfaces for these actions. **Alternative Approach** If the module-scoped dict modification in `register_mechanism` feels too clunky maybe the addtional mechanisms can be specified via an argument when initializing one of the `Kafka*` classes?
4 tasks
wbarnha
commented
Mar 17, 2024
Comment on lines
+268
to
+271
| assert self.config['sasl_mechanism'] in sasl.MECHANISMS, ( | ||
| 'sasl_mechanism must be one of {}'.format(', '.join(sasl.MECHANISMS.keys())) | ||
| ) | ||
| sasl.MECHANISMS[self.config['sasl_mechanism']].validate_config(self) |
There was a problem hiding this comment.
This is so much cleaner. Thank you for writing this.
|
Actually, let's pull in the tests and make life easier to manage this PR. |
|
On further though, it would actually be better to pull in changes from #147 into this PR. |
|
Resuming in #170. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There is some interest in supporting various SASL mechanisms not
currently included in the library:
Adding these mechanisms in the core library may be undesirable due to:
This PR provides a quick prototype for a pluggable SASL system (and potential alternate route to supporting dpkp#2255).
I don't want to be presumptuous about the support for custom SASL extensions on the behalf of the maintainers of
kafka-python.I hope that this quick example can serve as a venue for discussion about the viability of the idea!
Example
To define a custom SASL mechanism a module must implement two methods:
And then the custom mechanism should be registered before initializing
a KafkaAdminClient, KafkaConsumer, or KafkaProducer:
Notes
ABCs
This prototype does not implement an ABC for custom SASL mechanisms.
Using an ABC would reduce a few of the explicit assertions involved with
registering a mechanism and is a viable option. Due to differing feature
sets between py2/py3 this option was not explored, but shouldn't be
difficult.
Private Methods
This prototype relies on some methods that are currently marked as
private in
BrokerConnection.._can_send_recv._lock._recv_bytes_blocking._send_bytes_blockingA pluggable system would require stable interfaces for these actions.
Alternative Approach
If the module-scoped dict modification in
register_mechanismfeels tooclunky maybe the addtional mechanisms can be specified via an argument
when initializing one of the
Kafka*classes?This change is