
Commit 6b6fc68

author
Alexander
authored
Correct the SchemaRegistry authentication for SASL_INHERIT (@abij, confluentinc#733)
* Consumers and Producers should use singular: 'sasl.mechanism' according to the docs. Docs: https://kafka.apache.org/0100/documentation.html#producerconfigs This will fix the SASL_INHERIT in SchemaRegistry. Still the key/secret (sasl.username/sasl.password) are normally different between Cluster and Schema-Registry. * Since 'sasl.mechanism' is singular, check it correctly * Update example ccloud with working config for the SchemaRegistry. * Revert "Update example ccloud with working config for the SchemaRegistry." This reverts commit 3c3ebe0 * Do include the correct `sasl.mechanism` config setting. * Add a fallback to plural 'mechanisms' * Add a small testcase for increased coverage.
1 parent a60efe0 commit 6b6fc68


4 files changed

+17
-6
lines changed


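--- a/confluent_kafka/avro/__init__.py
+++ b/confluent_kafka/avro/__init__.py
@@ -33,7 +33,8 @@ def __init__(self, config, default_key_schema=None,
 for key, value in config.items() if key.startswith("schema.registry")}
 
 if sr_conf.get("basic.auth.credentials.source") == 'SASL_INHERIT':
-sr_conf['sasl.mechanisms'] = config.get('sasl.mechanisms', '')
+# Fallback to plural 'mechanisms' for backward compatibility
+sr_conf['sasl.mechanism'] = config.get('sasl.mechanism', config.get('sasl.mechanisms', ''))
 sr_conf['sasl.username'] = config.get('sasl.username', '')
 sr_conf['sasl.password'] = config.get('sasl.password', '')
 sr_conf['auto.register.schemas'] = config.get('auto.register.schemas', True)
@@ -111,7 +112,8 @@ def __init__(self, config, schema_registry=None, reader_key_schema=None, reader_
 for key, value in config.items() if key.startswith("schema.registry")}
 
 if sr_conf.get("basic.auth.credentials.source") == 'SASL_INHERIT':
-sr_conf['sasl.mechanisms'] = config.get('sasl.mechanisms', '')
+# Fallback to plural 'mechanisms' for backward compatibility
+sr_conf['sasl.mechanism'] = config.get('sasl.mechanism', config.get('sasl.mechanisms', ''))
 sr_conf['sasl.username'] = config.get('sasl.username', '')
 sr_conf['sasl.password'] = config.get('sasl.password', '')
 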
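Review bot: In both `__init__` hunks the SASL_INHERIT branch copies `sasl.username` and `sasl.password` with a default of `''`, so a client that selects SASL_INHERIT without broker credentials (or with a mechanism that carries none) hands empty strings on to the registry client instead of failing at construction. `_configure_basic_auth` in cached_schema_registry_client.py then builds `auth` from those values, which presumably ends up as an empty basic-auth pair on every registry request. I would reject the combination here, e.g. `if not config.get('sasl.username'): raise ValueError("SASL_INHERIT requires sasl.username and sasl.password")`, and apply the same guard in the second hunk. Both `__init__` bodies start and end outside the hunks.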

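--- a/confluent_kafka/avro/cached_schema_registry_client.py
+++ b/confluent_kafka/avro/cached_schema_registry_client.py
@@ -135,8 +135,8 @@ def _configure_basic_auth(url, conf):
 raise ValueError("schema.registry.basic.auth.credentials.source must be one of {}"
 .format(VALID_AUTH_PROVIDERS))
 if auth_provider == 'SASL_INHERIT':
-if conf.pop('sasl.mechanism', '').upper() is ['GSSAPI']:
-raise ValueError("SASL_INHERIT does not support SASL mechanisms GSSAPI")
+if conf.pop('sasl.mechanism', '').upper() == 'GSSAPI':
+raise ValueError("SASL_INHERIT does not support SASL mechanism GSSAPI")
 auth = (conf.pop('sasl.username', ''), conf.pop('sasl.password', ''))
 elif auth_provider == 'USER_INFO':
 auth = tuple(conf.pop('basic.auth.user.info', '').split(':'))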
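Review bot: The GSSAPI guard pops only the singular `sasl.mechanism` key, while the plural fallback this commit adds lives in avro/__init__.py; a caller that builds `CachedSchemaRegistryClient` directly with `'sasl.mechanisms': 'GSSAPI'` would skip the check and fall through to the `auth = (...)` line. Reading both keys keeps the guard consistent: `mechanism = conf.pop('sasl.mechanism', conf.pop('sasl.mechanisms', ''))` followed by `if mechanism.upper() == 'GSSAPI':`. The guard is also a one-entry denylist, so any other mechanism that carries no username and password passes it; an allowlist of the mechanisms that do carry them would be a tighter check. The new test in tests/avro/test_cached_client.py covers only the lowercase singular key. `_configure_basic_auth` starts and ends outside the hunk.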

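--- a/examples/confluent_cloud.py
+++ b/examples/confluent_cloud.py
@@ -53,7 +53,7 @@
 
 p = Producer({
 'bootstrap.servers': '<ccloud bootstrap servers>',
-'sasl.mechanisms': 'PLAIN',
+'sasl.mechanism': 'PLAIN',
 'security.protocol': 'SASL_SSL',
 'sasl.username': '<ccloud key>',
 'sasl.password': '<ccloud secret>'
@@ -78,7 +78,7 @@ def acked(err, msg):
 
 c = Consumer({
 'bootstrap.servers': '<ccloud bootstrap servers>',
-'sasl.mechanisms': 'PLAIN',
+'sasl.mechanism': 'PLAIN',
 'security.protocol': 'SASL_SSL',
 'sasl.username': '<ccloud key>',
 'sasl.password': '<ccloud secret>',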

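--- a/tests/avro/test_cached_client.py
+++ b/tests/avro/test_cached_client.py
@@ -216,6 +216,15 @@ def test_basic_auth_sasl_inherit(self):
 })
 self.assertTupleEqual(('user_sasl', 'secret_sasl'), self.client._session.auth)
 
+def test_basic_auth_sasl_inherit_invalid(self):
+with self.assertRaises(ValueError) as e:
+self.client = CachedSchemaRegistryClient({
+'url': 'https://user_url:secret_url@127.0.0.1:65534',
+'basic.auth.credentials.source': 'SASL_INHERIT',
+'sasl.mechanism': 'gssapi' # also test the .upper()
+})
+self.assertEqual(str(e.exception), "SASL_INHERIT does not support SASL mechanism GSSAPI")
+
 def test_basic_auth_invalid(self):
 with self.assertRaises(ValueError):
 self.client = CachedSchemaRegistryClient({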
