Telegraf - Kerberos authentication

We are trying to test the Kerberos authentication between Telegraf and one of the Kafka broker servers.

We are using the below version of Telegraf:
Telegraf 1.22.4 (git: HEAD acf67065)

Below is the Confluent Kafka version:
2.5.0.7.1.7.113-1 (Commit:0fdee98df1627278)

This version of Telegraf supports Kerberos authentication, but the documentation on the configuration required to get it working is not good enough.

The configurations provided in telegraf.conf to enable Kerberos authentication are not working, and every time it results in a different error.

We have used sasl_mechanism = "GSSAPI".

In the existing setup, Kafka authentication using a keytab is successful on one side, whereas Telegraf Kerberos authentication using GSSAPI is failing on the other side of the integration. We have looked closely at the config file and found that currently Telegraf Kerberos authentication using GSSAPI is experimental (testing phase).

For now, there are at least 4 options available for consideration: OAUTHBEARER, PLAIN, SCRAM-SHA-256 and SCRAM-SHA-512, which are mature enough to use. However, some of these authentication mechanisms are less secure.

We have investigated further from the networking side to see what is causing the handshake (GSSAPI call) to stop communicating from the Telegraf end.

This no longer seems to be a Telegraf issue. This is a gokrb5 issue, which is coming from Confluent's stack.

Please provide your input and, if possible, create a separate PR for gokrb5 to address this specific problem. We would expect to get this feature included in the next major Telegraf release. Thank you!

In addition to the above, we found that "Ticket and authenticator don't match" points to this question: cross-realm support · Issue #130 · jcmturner/gokrb5 · GitHub. Not sure if sarama or Telegraf would need to expose anything further, but it also looks like gokrb5 does not support it. This is likely something that needs to be brought up with Confluent, since it is their libraries that are calling gokrb5.

Question:

  1. Conceptually, what do you think of this chain: jcmturner/gokrb5 (Pure Go Kerberos library for clients and services) → Shopify/sarama (Go library for Apache Kafka) → Telegraf plugin? We are asking since, in case of any problems, we may end up waiting for "jcmturner".

Telegraf is a wrapper for Sarama (GitHub - Shopify/sarama: Sarama is a Go library for Apache Kafka) → Sarama uses this library: GitHub - jcmturner/gokrb5: Pure Go Kerberos library for clients and services.

That looks like a one-man-maintained project (Contributors to jcmturner/gokrb5 · GitHub). The libraries were used by the Confluent platform, but it looks like not anymore.
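For reference, an added example (not the original poster's configuration) of the [[outputs.kafka]] SASL section with the GSSAPI keys as they appear in the plugin's sample configuration; broker, realm, principal and file paths are placeholders, and the key names should be checked against `telegraf --sample-config --output-filter kafka` for the installed version.

```toml
[[outputs.kafka]]
  brokers = ["kafka-broker-1.example.internal:9093"]   # placeholder broker
  topic = "telegraf"

  ## Protect the session with TLS so metrics and the SASL exchange are not
  ## sent in clear text (placeholder path).
  tls_ca = "/etc/telegraf/ca.pem"

  ## Kerberos is selected with the GSSAPI mechanism; the plugin marks it
  ## experimental in this version, as noted in the thread above.
  sasl_mechanism = "GSSAPI"

  ## Service principal name the brokers run under (usually "kafka").
  sasl_gssapi_service_name = "kafka"

  ## Principal (without the realm) whose key is in the keytab below.
  sasl_username = "telegraf"

  ## KRB5_KEYTAB_AUTH avoids storing a password in this file; the
  ## alternative is KRB5_USER_AUTH with sasl_password set.
  sasl_gssapi_auth_type = "KRB5_KEYTAB_AUTH"

  ## Realm of the Telegraf principal (placeholder). If the brokers live in
  ## a different realm, the cross-realm limitation discussed in the thread
  ## ("Ticket and authenticator don't match") applies.
  sasl_gssapi_realm = "EXAMPLE.REALM"
  sasl_gssapi_kerberos_config_path = "/etc/krb5.conf"

  ## Placeholder path; keep the keytab readable only by the telegraf user
  ## (mode 0400), since it is equivalent to the principal's password.
  sasl_gssapi_key_tab_path = "/etc/telegraf/telegraf.keytab"
  sasl_gssapi_disable_pafxfast = false
```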

Hi,

This seems no longer a Telegraf issue. This is a gokrb5 issue
Not sure if sarama or telegraf would need to expose anything further, but it also looks like gokrb5 does not support it.

Right, there are a couple of directions I might suggest going:

  1. It looks like gokrb5 just released its first new version in a couple of years. Shopify/sarama has already updated to this version as well. I've put up a PR to update the version in Telegraf as well. You can try one of the artifacts from that PR and see if the new version has resolved things.

  2. If not, then, as the gokrb5 issue you linked to seemed to indicate a fix was merged, I would file a new issue with the gokrb5 project with the logs and error messages you are seeing. Ask for clarification on the state of support for cross-realm.

Thanks!

Thank you! We have to wait for the next release to get this fix done.

OK, just know that the next minor release of Telegraf is not for another 3 weeks, while the PR I linked to above has a pre-built Telegraf that you could try out now.