- ``ca-location``: If this is provided and a secure connection is used, the
specified CA will be used instead of the default CA to authenticate the
broker.
- - user/password: This must be provided only over HTTPS. Topic creation
- requests will otherwise be rejected.
- - user/password: This must be provided along with ``use-ssl``. Connections to
- the broker will otherwise fail.
- - mechanism: may be provided together with user/password (default: ``PLAIN``). The supported SASL mechanisms are:
+ - user/password may be provided over HTTPS. If not, the config parameter
+ `rgw_allow_notification_secrets_in_cleartext` must be `true` in order to create topic
+ - user/password may be provided along with ``use-ssl``.
+ The broker credentials will otherwise be sent over insecure transport
+ - ``mechanism`` may be provided together with user/password (default: ``PLAIN``).
+ The supported SASL mechanisms are:
- PLAIN
- SCRAM-SHA-256
// if (rd_kafka_conf_set(conn->temp_conf, "enable.ssl.certificate.verification", "0", errstr, sizeof(errstr)) != RD_KAFKA_CONF_OK) goto conf_error;
ldout(conn->cct, 20) << "Kafka connect: successfully configured security" << dendl;
+ } else if (!conn->user.empty()) {
+ // use SASL+PLAINTEXT
+ if (rd_kafka_conf_set(conn->temp_conf, "security.protocol", "SASL_PLAINTEXT", errstr, sizeof(errstr)) != RD_KAFKA_CONF_OK ||
+ rd_kafka_conf_set(conn->temp_conf, "sasl.username", conn->user.c_str(), errstr, sizeof(errstr)) != RD_KAFKA_CONF_OK ||
+ rd_kafka_conf_set(conn->temp_conf, "sasl.password", conn->password.c_str(), errstr, sizeof(errstr)) != RD_KAFKA_CONF_OK) goto conf_error;
+ ldout(conn->cct, 20) << "Kafka connect: successfully configured SASL_PLAINTEXT" << dendl;
+
+ if (conn->mechanism) {
+ if (rd_kafka_conf_set(conn->temp_conf, "sasl.mechanism", conn->mechanism->c_str(), errstr, sizeof(errstr)) != RD_KAFKA_CONF_OK) goto conf_error;
+ ldout(conn->cct, 20) << "Kafka connect: successfully configured SASL mechanism" << dendl;
+ } else {
+ if (rd_kafka_conf_set(conn->temp_conf, "sasl.mechanism", "PLAIN", errstr, sizeof(errstr)) != RD_KAFKA_CONF_OK) goto conf_error;
+ ldout(conn->cct, 20) << "Kafka connect: using default SASL mechanism" << dendl;
+ }
}
// set the global callback for delivery success/fail
// this should be validated by the regex in parse_url()
ceph_assert(user.empty() == password.empty());
- if (!user.empty() && !use_ssl) {
+ if (!user.empty() && !use_ssl && !g_conf().get_val<bool>("rgw_allow_notification_secrets_in_cleartext")) {
ldout(cct, 1) << "Kafka connect: user/password are only allowed over secure connection" << dendl;
return nullptr;
}