- 
          
- 
                Notifications
    You must be signed in to change notification settings 
- Fork 271
feat: finalize OAUTHBEARER support #547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: finalize OAUTHBEARER support #547
Conversation
| yes, we need this feature 🔥 btw, i already created aws-msk-iam-sasl-signer-php package for Amazon MSK IAM Authentication | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice!
Do you think it would be feasible to add tests for these methods?
Currently we start a Kafka instance in CI here: https://github.com/arnaud-lb/php-rdkafka/blob/bcd5004f461d1d3a5f879bb21280bdde6f6800c2/.github/workflows/test/start-kafka.sh.
| 
 Thank you for the great review @arnaud-lb . I think I’ve got this all fixed locally but I want to take the time to get valgrind setup to be sure (I’m on a m1 which is not supported yet so I need to break out my Linux machine). I think I should be able to write some integration tests for this. Hopefully should have something up for review by the end of the week. | 
6a40ad1    to
    41c5d1f      
    Compare
  
    | I'm thrilled that the PR for oauth2 has already been implemented because I urgently need this feature for an application. Is it possible to provide a new release with this feature in the short term? That would be a big help for me. | 
| Hey all, I hope to get this over the line but I've had a shift in priorities after coming back from some time off. Configuring the OAuth side of things on Kafka is new to me and I haven't had the time to figure out exactly how that should work (for example, do we also need to spin up a keycloak container for generating and validating the tokens?). I'm open to any help if anyone else is more familiar in this area. Otherwise, I'll keep poking at this when I have time. | 
| What left is needed for this MR? Is there anything other than integration tests? I'm not too familiar with C but I would be happy to help brush up on it and work on implementing integration tests if that is all that is needed for merging. | 
| @arnaud-lb What is blocking this PR from being merged? I'm happy to take a stab at rounding it out. I need this feature for AWS IAM authentication with MSK, and I will be blocked until this merges. Cheers! | 
| afaik, the only thing blocking this PR is the additional tests that @arnaud-lb asked for. I haven't had the time to figure out how to get kafka set up properly. | 
* Fix seg fault in oauthbearerSetToken definition in rdkafka.c when not passing value for extension * Fix issue with oauthbearer_token_refresh not persisting (was not included in kafka_conf_callbacks_copy) * Modify start-kafka.sh to start kafka container with oauth2 configuration * Implement oauth2 integration tests
… support it * Add new test env var SKIP_OAUTH based on matrix.skipoauth * Set matrix.skipoauth on all librdkafka versions below v1.1.0 * Don't set up kafka_oauth2 container if SKIP_OAUTH is 1 * Skip tests in oauthbearer_integration.phpt if RD_KAFKA_VERSION is below 0x010100
| @cb-freddysart I’ve submitted a PR to your branch that starts a Kafka container with the oauthbearer security protocol alongside the regular Kafka container, and implements integration testing for the oauthbearer methods. It also includes a few small related fixes in the rdkafka extension. Would you be able to review and merge it into your branch? Once that's merged, we'll need to resolve merge conflicts. I decided not to merge 6.x into my branch and resolve conflicts beforehand to make the PR into your branch easier to review with fewer changes. After 6.x is merged into this branch, there’s one additional fix required for a test implemented in 6.x that doesn’t exist yet in this branch. The test is located at  I had to manually set the broker IDs in order to have two separate Kafka containers using the same Zookeeper instance, and I’m unable to set the broker ID above 1000. Therefore, we can’t retain the broker ID that the future test expects. | 
| Thanks a lot for the help @scorgn. The PR will be mergeable with these changes. | 
| Happy to help! Thanks for confirming. @cb-freddysart I also created another PR that does have 6.x merged in, conflicts resolved, and that test fixed. It will have more changes since it also includes commits from 6.x, but I created it just in case it is easier for you to merge in that PR and not have to fix conflicts/test. Will close whichever one is not merged. | 
| Great work @scorgn! I've approved both PRs. Let's merge the second PR since you have already gone to the trouble of pulling in 6.x? | 
| @cb-freddysart Yup that makes sense! I am not able to merge but you should be able to. | 
…nflicts Implement integration tests for oauth methods (also merge 6.x, solve conflicts, fix test)
…/php-rdkafka into feat/oauthbearer-set-token
|  | ||
| - name: 'Archive package' | ||
| uses: 'actions/upload-artifact@v2' | ||
| uses: 'actions/upload-artifact@v4' | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
| Do we need to add the new oauth test file to package.xml? | 
| @scorgn, it's not totally clear to me as I've only be debugging this through action runs, but it looks like we might have a little flakiness with the kafka setup. I've increased the metadata timeout and enabled debug logs for the broker for the time being. This got the tests to more reliably get past kafka setup, but now we are seeing intermittent failures around topics not existing. | 
| @cb-freddysart Is the flakiness with those tests with v0.11.6 that say unknown broker? If so those are also flaky in 6.x and have been for a little bit. If we want to try to fix those I think a separate PR would be better, but I don't think it needs to be addressed for this PR. @arnaud-lb Do checks look ok as far as this being mergeable? | 
| @arnaud-lb any idea when this will merge and be released? I'm blocked until this gets in. | 
| Thank you @cb-freddysart @scorgn ! | 
| Released 6.0.4: https://github.com/arnaud-lb/php-rdkafka/releases/tag/6.0.4 | 
| Hi, thank you for the PR, @arnaud-lb. I have a question about this: Does the OAUTHBEARER only support low-level APIs? I’ve noticed that it hasn't been implemented for high-level APIs as well | 
This PR adds support for
rd_kafka_oauthbearer_set_tokenandrd_kafka_oauthbearer_set_token_failure. See https://github.com/confluentinc/librdkafka/pull/2189/files#diff-eef17694b5807cd63a95c3d86c39752b62f8bdb46e46c59231bf02353a5daef5 for where this functionality was added to librdkafka.With these changes, we are now able to successfully authenticate to AWS MSK via IAM. 🎉
Full working example: