docs: add essential Kafka client security parameters to bindings #56
Conversation
There are a huge number of Kafka client configs we could add to server bindings, but I'm skeptical of the value of just copying them all across. Most client config values have sensible defaults that are suitable in most cases. cf. https://kafka.apache.org/documentation/#consumerconfigs Two values are essential for code generation with secured Kafka clusters, however - identifying the security mechanism and protocol to use. This commit adds these two most commonly-used parameters to the Kafka server bindings. I suggest we start with these and gauge usage before starting to add many more, as these are enough to enable code generation for secured Kafka clusters. Closes: asyncapi/spec#466 Signed-off-by: Dale Lane <[email protected]>
|
Hi @dalelane! Thanks for making this PR. [Edit] I see @fmvilas suggested this already as per your notes in asyncapi/spec#466 |
Could you give me a bit more detail about how that'd work, please? Or maybe an example of what this would look like in security schemes? |
We already have implemented one of the available SASL mechanisms: x509. type: saslScramSha512Or create a global one for all SHA, which means we would have x509 duplicated, not so ideal I think. type: sasl
saslMechanism: ScramSha512 |
|
|
||
| Field Name | Type | Description | Applicability [default] | Constraints |
There was a problem hiding this comment.
If the whole "Constraints" column is empty, shouldn't we just get rid of it entirely?
There was a problem hiding this comment.
I was doing that to avoid the merge conflict if both this and #55 get approved
There was a problem hiding this comment.
Oh, I see. Thanks for the explanation 👍
|
|
||
| Field Name | Type | Description | Applicability [default] | Constraints | ||
| ---|:---:|:---:|:---:|--- | ||
| `saslMechamism` | string | Specifies the [`sasl.mechanism`](https://kafka.apache.org/documentation/#consumerconfigs_sasl.mechanism) config property that must be specified by Kafka clients connecting to this server. <br>Example values include `GSSAPI`, `PLAIN`, `OAUTHBEARER`, `SCRAM-SHA-256`, `SCRAM-SHA-512` | OPTIONAL [`GSSAPI`] | - |
There was a problem hiding this comment.
Really the default value is GSSAPI? Isn't it PLAIN?
There was a problem hiding this comment.
Also, shouldn't we have something like a NONE value to disable the saslMechanism?
There was a problem hiding this comment.
I did that to mirror what Kafka does by default - which is GSSAPI
But I think adding a NONE option for when using kafka instead of kafka-secure might make sense, and make a better default.
There was a problem hiding this comment.
Yeah. In any case, if we move this to the Security Schemes Object, we would not need the NONE value anymore. Sorry, for the messed-up review. I realized about the other comments after I made the review.
There was a problem hiding this comment.
no problem at all - it's been a useful thread, thanks to both you and @smoya !
|
I just saw Sergio's comment. Yeah, it's true it would make more sense to add this to Security Schemes. The way to proceed is similar. If something is missing on the Security Schemes Object, then feel free to add new keys, like |
|
The problem with |
You are totally right @nictownsend. x509 would need to be a shared mechanism, in this case between TLS/SSL and SASL.
|
|
That's been really useful, thanks @smoya @nictownsend I think where we end up is:
* - a new security scheme type to be added |
|
Closing as I think we've agreed this is better captured in security schemes, as described in #56 (comment) so I've opened asyncapi/spec#502 for this |
* feat: add SASL security scheme types for use by Kafka specs As discussed in asyncapi/bindings#56 this adds additional security scheme types. The motivation for adding them is to enable description of secured Kafka clusters, however the security protocols and mechanisms being added are not unique to Kafka, so this commit adds them as generic security schemes so they could be used by other protocols as well. Contributes to: #466 Signed-off-by: Dale Lane <[email protected]> * chore: update for grammar Moved the "and" to the end of the list. Signed-off-by: Dale Lane <[email protected]> * docs: additional SASL documentation Contributes to: #466 Signed-off-by: Dale Lane <[email protected]>
There are a huge number of Kafka client configs we could add to
server bindings, but I'm skeptical of the value of just copying
them all across. Most client config values have sensible
defaults that are suitable in most cases.
cf. https://kafka.apache.org/documentation/#consumerconfigs
Two values are essential for code generation with secured Kafka
clusters, however - identifying the security mechanism and
protocol to use. This commit adds these two most commonly-used
parameters to the Kafka server bindings. I suggest we start with
these and gauge usage before starting to add many more, as these
are enough to enable code generation for secured Kafka clusters.
Closes: asyncapi/spec#466
Signed-off-by: Dale Lane [email protected]