Add support for connecting to SASL authenticated Kafka clusters. (#109)

* Proof of Concept for SASL plaintext auth

* Start refactoring common Kafka client configuration into separate utility class

* Start updating cluster create/update UI to support SASL options

* drop dead fields

* Use flyway to migrate database tables

* Update Cluster model for new fields

* Wire in UI to controller to persist cluster with SASL settings

* Add test coverage to Cluster controller for setting up sasl clusters

* fix bad assertions

* Wire in SASL options from Cluster

* Add test coverage

* Rearrange tests

* add missing headers

* WIP - add customized listeners?

* Enable SSL, SASL support in DevCluster

* Add test coverage for SSL, SASL, and SASL_SSL clusters

* update gitignore

* fix travis

* fix travis

* fix travis

* fix travis

* Fix failing test

* add missing imports

Author: Crim

.gitignore

@@ -5,4 +5,7 @@ kafka-webview-ui/src/main/frontend/node_modules/
 kafka-webview-ui/src/main/frontend/dist/
 kafka-webview-ui/src/main/resources/static/
 data/
-TODO
+kafka-webview-ui/src/test/resources/kafka.keystore.jks
+kafka-webview-ui/src/test/resources/kafka.truststore.jks
+dev-cluster/src/main/resources/kafka.keystore.jks
+dev-cluster/src/main/resources/kafka.truststore.jks

.travis.yml

@@ -6,5 +6,12 @@ cache:
   directories:
   - $HOME/.m2
   - kafka-webview-ui/src/main/frontend/node_modules/
-before_script:
-  - mkdir -p ./data/uploads
+script:
+  ## Ensure data directory exists
+  - mkdir -p ./data/uploads
+  ## Generate dummy SSL certificates
+  - ./generateDummySslCertificates.sh
+  ## Run CheckStyle and License Header checks, compile, and install locally
+  - mvn clean install -DskipTests=true -DskipCheckStyle=false -Dmaven.javadoc.skip=true -B -V
+  ## Run Test Suite
+  - mvn test -B -DskipCheckStyle=true -Djava.security.auth.login.config=${PWD}/kafka-webview-ui/src/test/resources/jaas.conf

CHANGELOG.md

@@ -4,9 +4,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## 2.1.0 (UNRELEASED)
 #### New Features
+- Add support for SASL authentication to Kafka clusters.
 - Consumer details can now be viewed on Clusters.
 - Explicitly expose user login session timeout configuration value in documentation.
 
+
 #### Bug fixes
 - Topics shown on brokers now include "internal" topics.
 - Generated consumer client.id shortened.

dev-cluster/pom.xml

@@ -52,7 +52,7 @@
         <dependency>
             <groupId>com.salesforce.kafka.test</groupId>
             <artifactId>kafka-junit-core</artifactId>
-            <version>3.0.1</version>
+            <version>3.1.0</version>
         </dependency>
 
         <!-- Include Kafka 1.1.x -->
@@ -67,6 +67,13 @@
             <version>1.1.1</version>
         </dependency>
 
+        <!-- Command line argument parsing -->
+        <dependency>
+            <groupId>commons-cli</groupId>
+            <artifactId>commons-cli</artifactId>
+            <version>1.4</version>
+        </dependency>
+
         <!-- LDAP Server -->
         <dependency>
             <groupId>com.unboundid</groupId>

dev-cluster/src/main/java/org/sourcelab/kafka/devcluster/DevCluster.java

@@ -26,12 +26,25 @@
 
 import com.salesforce.kafka.test.KafkaTestCluster;
 import com.salesforce.kafka.test.KafkaTestUtils;
+import com.salesforce.kafka.test.listeners.BrokerListener;
+import com.salesforce.kafka.test.listeners.PlainListener;
+import com.salesforce.kafka.test.listeners.SaslPlainListener;
+import com.salesforce.kafka.test.listeners.SaslSslListener;
+import com.salesforce.kafka.test.listeners.SslListener;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.DefaultParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
 import org.apache.kafka.clients.consumer.ConsumerRecords;
 import org.apache.kafka.clients.consumer.KafkaConsumer;
 import org.apache.kafka.common.serialization.StringDeserializer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.net.URL;
 import java.util.Collections;
 import java.util.Properties;
 
@@ -49,49 +62,147 @@ public class DevCluster {
      * @param args command line args.
      */
     public static void main(final String[] args) throws Exception {
-        // Right now we accept one parameter, the number of nodes in the cluster.
-        final int clusterSize;
-        if (args.length > 0) {
-            clusterSize = Integer.parseInt(args[0]);
-        } else {
-            clusterSize = 1;
-        }
+        // Parse command line arguments
+        final CommandLine cmd = parseArguments(args);
 
+        // Right now we accept one parameter, the number of nodes in the cluster.
+        final int clusterSize = Integer.parseInt(cmd.getOptionValue("size"));
         logger.info("Starting up kafka cluster with {} brokers", clusterSize);
 
+        // Default to plaintext listener.
+        BrokerListener listener = new PlainListener();
+
+        final URL trustStore = DevCluster.class.getClassLoader().getResource("kafka.truststore.jks");
+        final URL keyStore = DevCluster.class.getClassLoader().getResource("kafka.keystore.jks");
+
+        final Properties properties = new Properties();
+        if (cmd.hasOption("sasl") && cmd.hasOption("ssl")) {
+            listener = new SaslSslListener()
+                // SSL Options
+                .withClientAuthRequired()
+                .withTrustStoreLocation(trustStore.getFile())
+                .withTrustStorePassword("password")
+                .withKeyStoreLocation(keyStore.getFile())
+                .withKeyStorePassword("password")
+                .withKeyPassword("password")
+                // SASL Options.
+                .withUsername("kafkaclient")
+                .withPassword("client-secret");
+        } else if (cmd.hasOption("sasl")) {
+            listener = new SaslPlainListener()
+                .withUsername("kafkaclient")
+                .withPassword("client-secret");
+        } else if (cmd.hasOption("ssl")) {
+            listener = new SslListener()
+                .withClientAuthRequired()
+                .withTrustStoreLocation(trustStore.getFile())
+                .withTrustStorePassword("password")
+                .withKeyStoreLocation(keyStore.getFile())
+                .withKeyStorePassword("password")
+                .withKeyPassword("password");
+        }
+
         // Create a test cluster
-        final KafkaTestCluster kafkaTestCluster = new KafkaTestCluster(clusterSize);
+        final KafkaTestCluster kafkaTestCluster = new KafkaTestCluster(
+            clusterSize,
+            properties,
+            Collections.singletonList(listener)
+        );
 
         // Start the cluster.
         kafkaTestCluster.start();
 
-        // Create a topic
-        final String topicName = "TestTopicA";
-        final int partitionsCount = 5 * clusterSize;
-        final KafkaTestUtils utils = new KafkaTestUtils(kafkaTestCluster);
-        utils.createTopic(topicName, partitionsCount, (short) clusterSize);
+        // Create topics
+        String[] topicNames = null;
+        if (cmd.hasOption("topic")) {
+            topicNames = cmd.getOptionValues("topic");
+
+            for (final String topicName : topicNames) {
+                final KafkaTestUtils utils = new KafkaTestUtils(kafkaTestCluster);
+                utils.createTopic(topicName, clusterSize, (short) clusterSize);
 
-        // Publish some data into that topic
-        for (int partition = 0; partition < partitionsCount; partition++) {
-            utils.produceRecords(1000, topicName, partition);
+                // Publish some data into that topic
+                for (int partition = 0; partition < clusterSize; partition++) {
+                    utils.produceRecords(1000, topicName, partition);
+                }
+            }
         }
 
+        // Log topic names created.
+        if (topicNames != null) {
+            logger.info("Created topics: {}", String.join(", ", topicNames));
+        }
+
+        // Log how to connect to cluster brokers.
         kafkaTestCluster
             .getKafkaBrokers()
             .stream()
             .forEach((broker) -> {
                 logger.info("Started broker with Id {} at {}", broker.getBrokerId(), broker.getConnectString());
             });
 
+        // Log cluster connect string.
         logger.info("Cluster started at: {}", kafkaTestCluster.getKafkaConnectString());
 
-        runEndlessConsumer(topicName, utils);
-        runEndlessProducer(topicName, partitionsCount, utils);
+        //runEndlessConsumer(topicName, utils);
+        //runEndlessProducer(topicName, partitionsCount, utils);
 
         // Wait forever.
         Thread.currentThread().join();
     }
 
+    private static CommandLine parseArguments(final String[] args) throws ParseException {
+        // create Options object
+        final Options options = new Options();
+
+        // add number of brokers
+        options.addOption(Option.builder("size")
+            .desc("Number of brokers to start")
+            .required()
+            .hasArg()
+            .type(Integer.class)
+            .build()
+        );
+
+        options.addOption(Option.builder("topic")
+            .desc("Create test topic")
+            .required(false)
+            .hasArgs()
+            .build()
+        );
+
+        // Optionally enable SASL
+        options.addOption(Option.builder("sasl")
+            .desc("Enable SASL authentication")
+            .required(false)
+            .hasArg(false)
+            .type(Boolean.class)
+            .build()
+        );
+
+        // Optionally enable SSL
+        options.addOption(Option.builder("ssl")
+            .desc("Enable SSL")
+            .required(false)
+            .hasArg(false)
+            .type(Boolean.class)
+            .build()
+        );
+
+        try {
+            final CommandLineParser parser = new DefaultParser();
+            return parser.parse(options, args);
+        } catch (final Exception exception) {
+            System.out.println("ERROR: " + exception.getMessage() + "\n");
+            final HelpFormatter formatter = new HelpFormatter();
+            formatter.printHelp( "DevCluster", options);
+            System.out.println("");
+            System.out.flush();
+
+            throw exception;
+        }
+    }
+
     /**
      * Fire up a new thread running an endless producer script into the given topic and partitions.
      * @param topicName Name of the topic to produce records into.

dev-cluster/src/main/resources/jaas.conf

@@ -0,0 +1,20 @@
+KafkaServer {
+   org.apache.kafka.common.security.plain.PlainLoginModule required
+   username="admin"
+   password="admin-secret"
+   user_admin="admin-secret"
+   user_kafkaclient="client-secret";
+};
+
+Server {
+   org.apache.zookeeper.server.auth.DigestLoginModule required
+   username="admin"
+   password="admin-secret"
+   user_zooclient="client-secret";
+};
+
+Client {
+   org.apache.zookeeper.server.auth.DigestLoginModule required
+   username="zooclient"
+   password="client-secret";
+};

dev-cluster/src/main/resources/log4j2.xml

@@ -10,7 +10,6 @@
     <Loggers>
         <Root level="info">
             <AppenderRef ref="STDOUT"/>
-            <AppenderRef ref="FILE"/>
         </Root>
     </Loggers>
 

generateDummySslCertificates.sh

@@ -0,0 +1,72 @@
+### This script generates a dummy self signed certificate used in the test suite.
+
+#!/bin/bash
+cd "$(dirname "$0")"
+
+set -e
+
+KEYSTORE_FILENAME="kafka.keystore.jks"
+VALIDITY_IN_DAYS=3650
+DEFAULT_TRUSTSTORE_FILENAME="kafka.truststore.jks"
+TRUSTSTORE_WORKING_DIRECTORY="generated/truststore"
+KEYSTORE_WORKING_DIRECTORY="generated/keystore"
+CA_CERT_FILE="ca-cert"
+KEYSTORE_SIGN_REQUEST="cert-file"
+KEYSTORE_SIGN_REQUEST_SRL="ca-cert.srl"
+KEYSTORE_SIGNED_CERT="cert-signed"
+WEBVIEW_UI_DEST_DIRECTORY="kafka-webview-ui/src/test/resources/"
+DEV_CLUSTER_DEST_DIRECTORY="dev-cluster/src/main/resources/"
+
+rm -rf generated
+mkdir -p $TRUSTSTORE_WORKING_DIRECTORY
+
+openssl req -new -x509 -keyout $TRUSTSTORE_WORKING_DIRECTORY/ca-key \
+    -out $TRUSTSTORE_WORKING_DIRECTORY/ca-cert -days $VALIDITY_IN_DAYS \
+    -subj "/C=JP/ST=Tokyo/L=Japan/O=KafkaWebView/OU=Engineer/CN=localhost" \
+    -passout pass:password
+
+trust_store_private_key_file="$TRUSTSTORE_WORKING_DIRECTORY/ca-key"
+
+keytool -keystore $TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME \
+    -alias CARoot -import -file $TRUSTSTORE_WORKING_DIRECTORY/ca-cert \
+    -storepass password -trustcacerts -noprompt
+trust_store_file="$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME"
+
+rm $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE
+
+mkdir $KEYSTORE_WORKING_DIRECTORY
+keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME \
+  -alias localhost -validity $VALIDITY_IN_DAYS -genkey -keyalg RSA \
+  -storepass password -keypass password \
+  -dname "CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=localhost"
+
+keytool -keystore $trust_store_file -export -alias CARoot -rfc -file $CA_CERT_FILE \
+  -storepass password -keypass password
+
+keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost \
+  -certreq -file $KEYSTORE_SIGN_REQUEST \
+  -keypass password -storepass password
+
+openssl x509 -req -CA $CA_CERT_FILE -CAkey $trust_store_private_key_file \
+  -in $KEYSTORE_SIGN_REQUEST -out $KEYSTORE_SIGNED_CERT \
+  -days $VALIDITY_IN_DAYS -CAcreateserial -passin pass:password
+
+keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias CARoot \
+  -import -file $CA_CERT_FILE \
+  -keypass password -storepass password -noprompt
+rm $CA_CERT_FILE
+
+keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost -import \
+  -file $KEYSTORE_SIGNED_CERT -storepass password -keypass password
+
+rm $KEYSTORE_SIGN_REQUEST_SRL
+rm $KEYSTORE_SIGN_REQUEST
+rm $KEYSTORE_SIGNED_CERT
+rm $trust_store_private_key_file
+
+cp -rp $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME $WEBVIEW_UI_DEST_DIRECTORY
+cp -rp $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME $DEV_CLUSTER_DEST_DIRECTORY
+cp -rp $trust_store_file $WEBVIEW_UI_DEST_DIRECTORY
+cp -rp $trust_store_file $DEV_CLUSTER_DEST_DIRECTORY
+
+rm -rf generated

kafka-webview-ui/pom.xml

@@ -88,6 +88,12 @@
             <artifactId>h2</artifactId>
         </dependency>
 
+        <!-- Flyway for database migrations -->
+        <dependency>
+            <groupId>org.flywaydb</groupId>
+            <artifactId>flyway-core</artifactId>
+        </dependency>
+
         <!-- Security Module -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -182,7 +188,7 @@
         <dependency>
             <groupId>com.salesforce.kafka.test</groupId>
             <artifactId>kafka-junit4</artifactId>
-            <version>3.0.1</version>
+            <version>3.1.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>