Proposal: Support for Custom Authentication Type in Kafka Clients

[YuanShisong]

No description provided.

[scholzj]

Thanks for the proposal. Some quick comments:

Make sure reviewing the PR is as easy as possible. For example by:

• Using some empty lines:
  • Before and after headers
  • Before and after lists
  • Before and after examples etc.
• Having one sentence per line will make it easier to comment on a specific sentence and not on a whole paragraph

From the technical side of things:

• Please check the other type: custom APIs and how they work. Specifically the KAfka brokers type: custom authentication should give you an insight on what are the things you are likely missing (SASL mechanism? More different options?). There is also no Kafka otpion named customCallbackClass. So it is not clear what will you do with it.
• Clarify which operands are (not) affected. I would expect this to be supported in Connect, MM2 and Bridge.
• Provide more technical details about how the implementation will work for each of the above ^^^. (It might make sense to wait for Move Connect / MM2 configuration preparation from the shell scripts to the operator strimzi-kafka-operator#10668 to be done as that will significantly change it for Connect and MM2)
• Provide test / system test strategy (likely using this to configure something simple like SCRAM-SHA-512 or maybe OAuth what we can test on our own against Strimzi powered brokers)
• The key request here from our users is support for Amazon MSK and Microsoft Azure IAM authentication. So the proposal has to clarify either how will those work / be supported or how will this be extended to support these in the future.

[scholzj]

This is fine, but you should still explain how will the users do it -> the answer here is using the additional volumes through the spec.template section. You should expain it here. You should also explain how the users will add their own custom plugins you expect to use (likely by building a new container image and adding the required jar(s) there.

[ppatierno]

Thanks for the proposal. I left some quick comments and +1 on what Jakub already said, we would need a better formatting to improve the readability. Thanks!

[ppatierno]

you should be clear that it's going to be part of the api module

[ppatierno]

other than just configuring, you should explain that a user has to bake an image by adding the jar including the handler class, right?

[ppatierno]

what does exactly mean "correctly formatted"?

[ppatierno]

I don't think this is relevant here. Brokers are anyway part of Apache Kafka project so not within Strimzi and a Strimzi proposal can't have any effect on Apache Kafka.

[ppatierno]

I would also remove this one, otherwise the Topic Operator would be here as well.
Let's leave the affected part only.

[fvaleri]

Thanks for the proposal.

Currently, we have support for custom SASL authentication in the Topic Operator when deployed in standalone mode. This is described in the documentation, which also includes the Amazon MSK example. Hope it helps.

[ppatierno]

@YuanShisong are you still planning to work on this proposal? After more than one month it seems there are no new changes after the first feedback from the community.

[YuanShisong]

@YuanShisong are you still planning to work on this proposal? After more than one month it seems there are no new changes after the first feedback from the community.

Yes, I intend to continue with this proposal within the next week. Apologize for the lack of updates — I've been occupied with other work commitments. Thank you for your understanding.