Auth: Support for GCP IAM #1012

Closed
2 tasks done
Muchembi opened this issue Apr 9, 2025 · 9 comments · Fixed by #1013 · May be fixed by kafbat/ui-docs#51
Assignees
Labels
area/auth App authentication related issues scope/backend Related to backend changes status/triage/completed Automatic triage completed type/enhancement En enhancement/improvement to an already existing feature

Comments

@Muchembi
Contributor

Muchembi commented Apr 9, 2025

Issue submitter TODO list

  • I've searched for an already existing issues here
  • I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

Problem:
Google Managed Service for Apache Kafka cluster does not have a native UI to view the topics and messages. Auth is done through an IAM service account. Kafbat UI does not currently support this.

Describe the feature you're interested in

I would like to be able to view my GMSK cluster on Kafbat UI.

I should be able to set up the following config to access my GMSK cluster:

bootstrap.servers=bootstrap.CLUSTER_ID.us-central1.managedkafka.PROJECT_ID.cloud.goog:9092
security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
sasl.login.callback.handler.class=com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;

Describe alternatives you've considered

  • AKHQ -> Not very intuitive

Version you're running

715df05

Additional context

No response

@Muchembi Muchembi added status/triage Issues pending maintainers triage type/feature A brand new feature labels Apr 9, 2025
@kapybro kapybro bot added area/auth App authentication related issues status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Apr 9, 2025

github-actions bot commented Apr 9, 2025

Hi Muchembi! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.

If you plan to raise a PR for this issue, please take a look at our contributing guide.

@germanosin
Member

germanosin commented Apr 9, 2025

Hi @Muchembi,
Thanks for raising the issue. Apologies, but I didn't fully understand your request. Are you looking for GCP IAM support for Apache Kafka cluster authentication? If so, you can add the required dependency to the classpath and use it directly.

If you're interested in contributing this to the core, feel free to open a PR with the necessary dependency.
Anyway thanks for your interest and time!

@Haarolean Haarolean added type/enhancement En enhancement/improvement to an already existing feature scope/backend Related to backend changes and removed type/feature A brand new feature status/triage/manual Manual triage in progress labels Apr 9, 2025
@Haarolean Haarolean linked a pull request May 1, 2025 that will close this issue
@Haarolean
Member

#1013 (comment)

@Haarolean Haarolean reopened this May 13, 2025
@Haarolean Haarolean assigned Haarolean and unassigned Muchembi May 13, 2025
@Haarolean Haarolean changed the title Auth: Support for GCP IAM for Google Managed Service for Apache Kafka (GMSK) Auth: Support for GCP IAM May 13, 2025
@mike-pt

mike-pt commented May 13, 2025

I think I found the cause:

const authSchema = lazy((value) => {
  if (typeof value === 'object') {
    return object({
      method: string()
        .required('required field')
        .oneOf([
          'SASL/JAAS',
          'SASL/GSSAPI',
          'SASL/OAUTHBEARER',
          'SASL/PLAIN',
          'SASL/SCRAM-256',
          'SASL/SCRAM-512',
          'Delegation tokens',
          'SASL/LDAP',
          'SASL/AWS IAM',
          'SASL/Azure Entra',
          'mTLS',
        ]),
      securityProtocol: string()
        .oneOf(['SASL_SSL', 'SASL_PLAINTEXT'])
        .when('method', {
          is: (v: string) => {
            return [
              'SASL/JAAS',
              'SASL/GSSAPI',
              'SASL/OAUTHBEARER',
              'SASL/PLAIN',
              'SASL/SCRAM-256',
              'SASL/SCRAM-512',
              'SASL/LDAP',
              'SASL/AWS IAM',
              'SASL/Azure Entra',
            ].includes(v);
          },
          then: (schema) => schema.required('required field'),

@Haarolean
Member

#1075 should fix this. I'll close the issue in favor of the PR

@mike-pt

mike-pt commented May 13, 2025

cool, I was about to send and I saw that

diff --git a/frontend/src/widgets/ClusterConfigForm/schema.ts b/frontend/src/widgets/ClusterConfigForm/schema.ts
index 5385a396..dc5b6e47 100644
--- a/frontend/src/widgets/ClusterConfigForm/schema.ts
+++ b/frontend/src/widgets/ClusterConfigForm/schema.ts
@@ -167,6 +167,7 @@ const authSchema = lazy((value) => {
           'SASL/LDAP',
           'SASL/AWS IAM',
           'SASL/Azure Entra',
+          'SASL/GCP IAM',
           'mTLS',
         ]),
       securityProtocol: string()
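Review bot: the new 'SASL/GCP IAM' entry in the method oneOf list has to be repeated by hand in the securityProtocol predicate list further down, and nothing ties the two lists together. A method added to only one of them either fails the oneOf check or skips the required securityProtocol check. Consider defining the SASL method names once as a shared array and building both the oneOf list and the .includes(v) check from it.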
@@ -183,6 +184,7 @@ const authSchema = lazy((value) => {
               'SASL/LDAP',
               'SASL/AWS IAM',
               'SASL/Azure Entra',
+              'SASL/GCP IAM',
             ].includes(v);
           },
           then: (schema) => schema.required('required field'),
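Review bot: adding 'SASL/GCP IAM' to the .includes(v) list only makes securityProtocol required; the field's own .oneOf(['SASL_SSL', 'SASL_PLAINTEXT']) still accepts SASL_PLAINTEXT for it. The configuration requested in the issue uses security.protocol=SASL_SSL with OAUTHBEARER, and a bearer token sent over SASL_PLAINTEXT is not protected in transit, so consider a method-specific rule that accepts only SASL_SSL when method is 'SASL/GCP IAM', or state in a comment why plaintext is allowed here.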

I did notice that this lists SASL/GCP IAM under both SASL_SSL and SASL_PLAINTEXT (if I'm reading the code right), and I think only SASL_SSL is supported, but I would consider it a big deal. I think the same might be true for some of the others anyway.
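The point raised in the comment above, as an added example that is not part of the thread or of the kafbat-ui code base: a dependency-free validator in which one table drives both the method check and the per-method security protocol check. The method and protocol names come from the thread; the table contents (including the SASL_SSL-only entry for GCP IAM), `validateAuth` and the other identifiers are assumptions made for illustration.

```typescript
// Added example: method names and protocol names are from the thread; the
// per-method protocol table and all identifiers here are hypothetical.
const BOTH: readonly string[] = ['SASL_SSL', 'SASL_PLAINTEXT'];
const TLS_ONLY: readonly string[] = ['SASL_SSL'];

// One table drives both checks, so a new method cannot be added to one list only.
const SASL_PROTOCOLS = new Map<string, readonly string[]>([
  ['SASL/JAAS', BOTH],
  ['SASL/GSSAPI', BOTH],
  ['SASL/OAUTHBEARER', BOTH],
  ['SASL/PLAIN', BOTH],
  ['SASL/SCRAM-256', BOTH],
  ['SASL/SCRAM-512', BOTH],
  ['SASL/LDAP', BOTH],
  ['SASL/AWS IAM', BOTH],
  ['SASL/Azure Entra', BOTH],
  ['SASL/GCP IAM', TLS_ONLY], // assumption taken from the comment above
]);

// Methods accepted by the form that carry no SASL security protocol.
const OTHER_METHODS: readonly string[] = ['Delegation tokens', 'mTLS'];

interface AuthInput {
  method?: string;
  securityProtocol?: string;
}

// Returns a list of validation errors; an empty list means the input is valid.
function validateAuth(auth: AuthInput): string[] {
  const { method, securityProtocol } = auth;
  if (!method) return ['method: required field'];
  const allowed = SASL_PROTOCOLS.get(method);
  if (allowed === undefined) {
    return OTHER_METHODS.includes(method) ? [] : [`method: unsupported value "${method}"`];
  }
  if (!securityProtocol) return ['securityProtocol: required field'];
  if (!allowed.includes(securityProtocol)) {
    return [`securityProtocol: ${securityProtocol} is not allowed for ${method}`];
  }
  return [];
}
```
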
