fix: add support for Kafka GSSAPI

The aiokafka package already supports GSSAPI as long as it has the correct packages installed along with kerberos. This fix just passes in the parameters from EDA to aiokafka The DE should have * krb5-workstation * krb5-libs * krb5-devel Along with the python gssapi package.
ansible · Mar 5, 2025 · 99b4182 · 99b4182
1 parent b128364
commit 99b4182
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 6 deletions.
diff --git a/.config/dictionary.txt b/.config/dictionary.txt
@@ -51,6 +51,8 @@ kaiokmo
 keygen
 keypass
 keytool
+krb5-user
+libkrb5-dev
 libpq
 libsystemd
 mydb

diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
@@ -84,7 +84,7 @@ jobs:
         run: |
           sudo apt-get -qq -o Dpkg::Use-Pty=0 remove -y docker-compose
           sudo apt-get -qq -o Dpkg::Use-Pty=0 update -y --fix-missing
-          sudo apt-get -qq -o Dpkg::Use-Pty=0 --assume-yes --no-install-recommends install -y apt-transport-https curl libsystemd0 libsystemd-dev pkg-config
+          sudo apt-get -qq -o Dpkg::Use-Pty=0 --assume-yes --no-install-recommends install -y apt-transport-https curl libsystemd0 libsystemd-dev pkg-config libkrb5-dev krb5-user
           sudo add-apt-repository ppa:deadsnakes/ppa
           curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
           echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -132,10 +132,10 @@ repos:
     rev: 7.4.1
     hooks:
       - id: pip-compile
-        name: pip-combile -> constraints.txt
+        name: pip-compile -> constraints.txt
         alias: deps
         always_run: true
-        entry: pip-compile --upgrade --no-annotate --strip-extras --unsafe-package=ansible-core --unsafe-package=doctutils --unsafe-package=setuptools --output-file=.config/constraints.txt .config/requirements.txt .config/requirements-test.txt .config/requirements-docs.txt
+        entry: pip-compile --upgrade --no-annotate --strip-extras --unsafe-package=ansible-core --unsafe-package=doctutils --unsafe-package=setuptools --output-file=.config/constraints.txt .config/requirements.in .config/requirements-test.in .config/requirements-docs.in
         files: ^.config\/.*requirements.*$
         language: python
         language_version: "3.9" # minimal we support officially

diff --git a/extensions/eda/plugins/event_source/kafka.py b/extensions/eda/plugins/event_source/kafka.py
@@ -94,6 +94,14 @@
     description:
       - Password for SASL PLAIN authentication.
     type: str
+  sasl_kerberos_service_name:
+    description:
+      - The service name, default is kafka
+    type: str
+  sasl_kerberos_domain_name:
+    description:
+      - The kerberos REALM
+    type: str
 """
 
 EXAMPLES = r"""
@@ -173,6 +181,8 @@ async def main(  # pylint: disable=R0914
         sasl_mechanism=args.get("sasl_mechanism", "PLAIN"),
         sasl_plain_username=args.get("sasl_plain_username"),
         sasl_plain_password=args.get("sasl_plain_password"),
+        sasl_kerberos_service_name=args.get("sasl_kerberos_service_name"),
+        sasl_kerberos_domain_name=args.get("sasl_kerberos_domain_name"),
     )
 
     await kafka_consumer.start()

diff --git a/requirements.txt b/requirements.txt
@@ -2,7 +2,7 @@ ansible-core>=2.15
 pyyaml>=6.0.1
 aiobotocore
 aiohttp
-aiokafka
+aiokafka[gssapi]
 azure-servicebus
 dpath
 # https://github.com/dpkp/kafka-python/issues/2412#issuecomment-2030459360

diff --git a/tests/unit/requirements.txt b/tests/unit/requirements.txt
@@ -1,6 +1,7 @@
 aiobotocore
 aiohttp
-aiokafka
+gssapi
+aiokafka[gssapi]
 asyncio
 asyncmock
 azure-servicebus

diff --git a/tox.ini b/tox.ini
@@ -142,7 +142,8 @@ description =
 commands =
   # fail-fast if psycopg in not properly installed.
   python3 -c "import psycopg"
-  sh -c "ansible-test units --color --requirements --target-python default -v --num-workers 1 --coverage --truncate 0 {posargs}"
+  python3 -c "import gssapi;print(gssapi.__file__)"
+  sh -c "ansible-test units --color --requirements -vv --num-workers 1 --coverage --truncate 0 {posargs}"
   ansible-test coverage report --requirements --omit '.tox/*,tests/*' --color --all --show-missing -v --truncate 0
   ansible-test coverage combine --export={envdir}
-Original file line number
+Diff line change
@@ Expand Up / @@ -51,6 +51,8 @@ kaiokmo @@
     keygen
     keypass
     keytool
+    krb5-user
+    libkrb5-dev
     libpq
     libsystemd
     mydb
@@ Expand Down @@