wip: SASL/GSSAPI support.

docker/compose-local.yml

@@ -65,10 +65,9 @@ services:
       - '9091:9092'
     healthcheck:
       <<: *health_check
-      test: ['CMD', '/opt/bitnami/kafka/bin/kafka-broker-api-versions.sh', '--bootstrap-server', 'localhost:9092']
     environment:
       <<: *common_config
-      KAFKA_CFG_ADVERTISED_LISTENERS: 'PLAINTEXT://localhost:9094,DOCKER://broker-single:19092'
+      KAFKA_CFG_ADVERTISED_LISTENERS: 'PLAINTEXT://localhost:9091,DOCKER://broker-single:19092'
       KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: '1@broker-single:29092'
       # Replication options
       KAFKA_CFG_DEFAULT_REPLICATION_FACTOR: '1'
@@ -90,7 +89,7 @@ services:
       # Ports configuration
       KAFKA_CFG_LISTENERS: 'SASL_PLAINTEXT://:9092,PLAINTEXT://:19092,CONTROLLER://:29092'
       KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: 'SASL_PLAINTEXT:SASL_PLAINTEXT,PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT'
-      KAFKA_CFG_ADVERTISED_LISTENERS: 'SASL_PLAINTEXT://localhost:9092,PLAINTEXT://localhost:19092'
+      KAFKA_CFG_ADVERTISED_LISTENERS: 'SASL_PLAINTEXT://localhost:9095,PLAINTEXT://localhost:19092'
       KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: '1@broker-sasl:29092'
       KAFKA_CFG_INTER_BROKER_LISTENER_NAME: 'PLAINTEXT'
       # Replication options
@@ -110,6 +109,7 @@ services:
 
   broker-sasl-oauthbearer:
     image: bitnami/kafka:${KAFKA_VERSION}
+    container_name: broker-sasl-oauthbearer
     ports:
       - '9096:9092' # SASL
     healthcheck: *health_check
@@ -120,7 +120,7 @@ services:
       # Ports configuration
       KAFKA_CFG_LISTENERS: 'SASL_PLAINTEXT://:9092,PLAINTEXT://:19092,CONTROLLER://:29092'
       KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: 'SASL_PLAINTEXT:SASL_PLAINTEXT,PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT'
-      KAFKA_CFG_ADVERTISED_LISTENERS: 'SASL_PLAINTEXT://localhost:9092,PLAINTEXT://localhost:19092'
+      KAFKA_CFG_ADVERTISED_LISTENERS: 'SASL_PLAINTEXT://localhost:9096,PLAINTEXT://localhost:19092'
       KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: '1@broker-sasl-oauthbearer:29092'
       KAFKA_CFG_INTER_BROKER_LISTENER_NAME: 'PLAINTEXT'
       # Replication options
@@ -139,3 +139,58 @@ services:
       KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL: 'PLAIN'
       KAFKA_CFG_SASL_OAUTHBEARER_EXPECTED_ISSUER: kafka
       KAFKA_CFG_SASL_OAUTHBEARER_EXPECTED_AUDIENCE: users
+
+  kdc:
+    image: alpine:latest
+    container_name: kdc
+    ports:
+      - '8000:88/tcp'
+      - '8000:88/udp'
+      - '8001:749'
+    volumes:
+      - './data/kerberos/kdc/krb5.conf:/etc/krb5.conf:ro'
+      - './data/kerberos/kdc/kdc.conf:/var/lib/krb5kdc/kdc.conf:ro'
+      - './data/kerberos/kdc/init.sh:/init.sh:ro'
+      - './data/kerberos/data:/data'
+    entrypoint: ['/bin/sh', '/init.sh']
+    healthcheck:
+      test: ['CMD', 'kadmin.local', '-q', 'list_principals']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  broker-sasl-kerberos:
+    image: bitnami/kafka:${KAFKA_VERSION}
+    container_name: broker-sasl-kerberos
+    ports:
+      - '9097:9092'
+    healthcheck: *health_check
+    volumes:
+      - './data/jaas/jaas-kerberos.conf:/opt/bitnami/kafka/config/kafka_jaas.conf'
+      - './data/kerberos/krb5.conf:/etc/krb5.conf'
+      - './data/kerberos/data/broker.keytab:/opt/bitnami/kafka/config/kafka.keytab'
+    depends_on:
+      kdc:
+        condition: service_healthy
+    environment:
+      <<: *common_config
+      # Ports configuration
+      KAFKA_CFG_LISTENERS: 'SASL_PLAINTEXT://:9092,PLAINTEXT://:19092,CONTROLLER://:29092'
+      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: 'SASL_PLAINTEXT:SASL_PLAINTEXT,PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT'
+      KAFKA_CFG_ADVERTISED_LISTENERS: 'SASL_PLAINTEXT://localhost:9097,PLAINTEXT://localhost:19092'
+      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: '1@broker-sasl-kerberos:29092'
+      KAFKA_CFG_INTER_BROKER_LISTENER_NAME: 'PLAINTEXT'
+      # Replication options
+      KAFKA_CFG_DEFAULT_REPLICATION_FACTOR: '1'
+      KAFKA_CFG_MIN_INSYNC_REPLICAS: '1'
+      KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR: '1'
+      KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR: '1'
+      KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: '1'
+      # SASL
+      KAFKA_CLIENT_USERS: 'admin'
+      KAFKA_CLIENT_PASSWORDS: 'admin'
+      KAFKA_CFG_SASL_ENABLED_MECHANISMS: 'GSSAPI'
+      KAFKA_CFG_SUPER_USERS: 'User:admin;User:broker/[email protected];User:admin-keytab/[email protected];User:admin-password/[email protected]'
+      KAFKA_CFG_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'false'
+      KAFKA_CFG_SASL_KERBEROS_SERVICE_NAME: 'kafka'
+      KAFKA_OPTS: '-Djava.security.auth.login.config=/opt/bitnami/kafka/config/kafka_jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf'

docker/data/jaas/jaas-kerberos.conf

@@ -0,0 +1,9 @@
+KafkaServer {
+  com.sun.security.auth.module.Krb5LoginModule required
+  useKeyTab=true
+  storeKey=true
+  keyTab="/opt/bitnami/kafka/config/kafka.keytab"
+  principal="broker/[email protected]"
+  serviceName="kafka"
+  useTicketCache=false;
+};

docker/data/jaas/jaas.conf

@@ -1,8 +1,4 @@
 KafkaServer {
   org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin" user_admin="admin";
   org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin";
-};
-
-KafkaClient {
-  org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin";
 };

docker/data/kerberos/README.md

@@ -0,0 +1,10 @@
+To create `kafka.keytab`:
+
+```
+ktutil
+addent -password -p admin/[email protected] -k 1 -e aes256-cts-hmac-sha1-96
+write_kt kafka.keytab
+quit
+```
+
+On Mac, use `ktutil` from `krb5`, installed via Homebrew

docker/data/kerberos/kdc/init.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+
+# Setup KDC if needed
+if [ ! -f /var/lib/krb5kdc/principal ]; then
+  echo "Setting up KDC ..."
+
+  apk add --no-cache krb5-server krb5
+  kdb5_util create -s -P password
+
+  # # ACL file
+  echo "*/[email protected] *" > /var/lib/krb5kdc/kadm5.acl
+
+  # Create principals
+  kadmin.local -q "addprinc -pw admin [email protected]" # Main administrator
+  kadmin.local -q "addprinc -randkey broker/[email protected]" # Kafka broker
+  kadmin.local -q "addprinc -randkey [email protected]" # Client with keytab
+  kadmin.local -q "addprinc -pw admin [email protected]" # Client with password
+
+  # Genera keytab
+  kadmin.local -q "ktadd -k /data/broker.keytab broker/[email protected]"
+  kadmin.local -q "ktadd -k /data/admin.keytab [email protected]"  
+fi  
+
+krb5kdc
+kadmind -nofork

docker/data/kerberos/kdc/kdc.conf

@@ -0,0 +1,11 @@
+[kdcdefaults]
+    kdc_ports = 88
+    kdc_tcp_ports = 88
+
+[realms]
+    EXAMPLE.COM = {
+        acl_file = /var/lib/krb5kdc/kadm5.acl
+        dict_file = /usr/share/dict/words
+        admin_keytab = /var/lib/krb5kdc/kadm5.keytab
+        supported_enctypes = aes256-cts:normal aes128-cts:normal
+    }

docker/data/kerberos/kdc/krb5.conf

@@ -0,0 +1,14 @@
+[libdefaults]
+    default_realm = EXAMPLE.COM
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+
+[realms]
+    EXAMPLE.COM = {
+        kdc = localhost:88
+        admin_server = localhost:749
+    }
+
+[domain_realm]
+    .example.com = EXAMPLE.COM
+    example.com = EXAMPLE.COM

docker/data/kerberos/krb5.conf

@@ -0,0 +1,14 @@
+[libdefaults]
+    default_realm = EXAMPLE.COM
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+
+[realms]
+    EXAMPLE.COM = {
+        kdc = kdc:88
+        admin_server = kdc:749
+    }
+
+[domain_realm]
+    .example.com = EXAMPLE.COM
+    example.com = EXAMPLE.COM

package.json

@@ -49,6 +49,7 @@
     "ajv": "^8.17.1",
     "debug": "^4.4.3",
     "fastq": "^1.19.1",
+    "kerberos": "^2.2.2",
     "mnemonist": "^0.40.3",
     "scule": "^1.3.0"
   },
@@ -59,6 +60,7 @@
   "devDependencies": {
     "@platformatic/rdkafka": "^4.0.0",
     "@types/debug": "^4.1.12",
+    "@types/kerberos": "^1.1.5",
     "@types/node": "^22.18.5",
     "@types/semver": "^7.7.1",
     "@watchable/unpromise": "^1.0.2",
@@ -84,4 +86,4 @@
   "engines": {
     "node": ">= 20.19.4 || >= 22.18.0 || >= 24.6.0"
   }
-}
+}