feat(kafka): add AWS MSK IAM authentication via SASL/OAUTHBEARER#1730
feat(kafka): add AWS MSK IAM authentication via SASL/OAUTHBEARER#1730piclemx wants to merge 2 commits into
Conversation
Parseable's Kafka connector enumerated the OAUTHBEARER SASL mechanism but never implemented token generation, so it could not authenticate to AWS MSK clusters that use IAM. The connector was limited to PLAIN, SCRAM, and GSSAPI, and the `generate_oauth_token` callback returned "not implemented". This wires up SASL/OAUTHBEARER for AWS MSK IAM: - Mint IAM auth tokens with the `aws-msk-iam-sasl-signer` crate, driven from the (synchronous) librdkafka OAuth refresh callback via a captured Tokio runtime handle. The callback thread is not a runtime worker, so blocking on the async signer there is safe. - Enable `ClientContext::ENABLE_REFRESH_OAUTH_TOKEN`. librdkafka only invokes the callback for the OAUTHBEARER mechanism, so other mechanisms are unaffected. - Add an `--aws-region` / `P_KAFKA_AWS_REGION` option, falling back to the standard `AWS_REGION` / `AWS_DEFAULT_REGION` environment variables. - Make security validation mechanism-aware: OAUTHBEARER requires only a resolvable region (credentials come from the ambient AWS provider chain), and SASL_SSL no longer requires client certificates, which are a mutual-TLS concern rather than a SASL one. Credentials are resolved from the default AWS provider chain (IRSA, EC2 instance profile, env vars, etc.), so no secrets are added to config. Add unit tests covering the new validation branches and the OAUTHBEARER rdkafka config mapping. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughAdds AWS MSK IAM OAuth bearer support to the Kafka connector through optional dependencies, AWS region configuration and validation, runtime-backed token generation, librdkafka refresh integration, and unit tests. ChangesAWS MSK IAM Kafka authentication
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Librdkafka
participant KafkaContext
participant TokioRuntime
participant AwsMskIamSigner
Librdkafka->>KafkaContext: Request OAuth token refresh
KafkaContext->>KafkaContext: Resolve AWS region and validate OAuthBearer
KafkaContext->>TokioRuntime: Run token generation
TokioRuntime->>AwsMskIamSigner: Generate MSK IAM auth token
AwsMskIamSigner-->>TokioRuntime: Return token and expiry
TokioRuntime-->>KafkaContext: Return signed token
KafkaContext-->>Librdkafka: Return OAuthToken
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
src/connectors/kafka/config.rs (1)
1077-1090: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winMake the missing-region test deterministic.
When either standard AWS region variable exists, this test performs no assertion and passes without exercising validation. Isolate the environment or extract region-source resolution so the failure path is always tested.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/connectors/kafka/config.rs` around lines 1077 - 1090, Make oauthbearer_requires_a_region deterministic by isolating or controlling AWS_REGION and AWS_DEFAULT_REGION before invoking SecurityConfig::validate, ensuring both region sources are absent and the test always asserts validation failure. Preserve the existing OAuthBearer/SaslSsl configuration while avoiding environment-dependent conditional assertions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/connectors/kafka/config.rs`:
- Around line 814-819: Update resolved_aws_region so each candidate source is
filtered for non-empty values before applying or_else precedence. Ensure an
empty explicit aws_region does not prevent fallback to AWS_REGION or
AWS_DEFAULT_REGION, while preserving the existing source priority and
Option<String> return type.
- Around line 841-855: Update the SASL/OAUTHBEARER validation in the
protocol-checking logic around self.protocol and self.sasl_mechanism to reject
SecurityProtocol::SaslPlaintext, while preserving the existing AWS region
validation for SecurityProtocol::SaslSsl. Return a clear validation error
stating that OAUTHBEARER requires SASL_SSL.
---
Nitpick comments:
In `@src/connectors/kafka/config.rs`:
- Around line 1077-1090: Make oauthbearer_requires_a_region deterministic by
isolating or controlling AWS_REGION and AWS_DEFAULT_REGION before invoking
SecurityConfig::validate, ensuring both region sources are absent and the test
always asserts validation failure. Preserve the existing OAuthBearer/SaslSsl
configuration while avoiding environment-dependent conditional assertions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 273e835e-44bd-4197-a782-747e706695b0
⛔ Files ignored due to path filters (1)
Cargo.lockis excluded by!**/*.lock
📒 Files selected for processing (3)
Cargo.tomlsrc/connectors/kafka/config.rssrc/connectors/kafka/mod.rs
|
I have read the CLA Document and I hereby sign the CLA |
- Reject SASL/OAUTHBEARER over SASL_PLAINTEXT. MSK IAM tokens are signed bearer credentials and must only travel over the encrypted SASL_SSL protocol, per AWS guidance for non-Java clients. - Normalize each AWS region source (trim + reject empty) before applying precedence, so an explicitly-empty --aws-region no longer shadows a valid AWS_REGION / AWS_DEFAULT_REGION fallback. - Replace inline env-var string literals with named constants (AWS_REGION_ENV, AWS_DEFAULT_REGION_ENV) to guard against typos (DeepSource RS-W1015). - Split validation into a pure `validate_with_region` helper so the missing-region failure path is tested deterministically instead of depending on the ambient environment. Add tests for the SASL_PLAINTEXT rejection and region normalization. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary
The Kafka connector enumerated the
OAUTHBEARERSASL mechanism but never implemented token generation —generate_oauth_tokenreturned "not implemented" andENABLE_REFRESH_OAUTH_TOKENwasfalse. As a result Parseable could not ingest from AWS MSK clusters using IAM authentication; only PLAIN, SCRAM, and GSSAPI worked.This PR implements SASL/OAUTHBEARER for AWS MSK IAM:
aws-msk-iam-sasl-signercrate, driven from the synchronous librdkafka OAuth refresh callback through a captured Tokio runtime handle. The callback runs on a librdkafka background thread (not a runtime worker), so blocking on the async signer there is safe.ClientContext::ENABLE_REFRESH_OAUTH_TOKEN. librdkafka only invokes the callback for the OAUTHBEARER mechanism, so other mechanisms are unaffected.--aws-region/P_KAFKA_AWS_REGIONoption, falling back to the standardAWS_REGION/AWS_DEFAULT_REGIONenvironment variables.SASL_SSLno longer requires client certificates, which are a mutual-TLS concern rather than a SASL one.No secrets are added to configuration — credentials are resolved from the ambient AWS provider chain at token-refresh time.
Testing
cargo check,cargo clippy, andcargo fmt --checkall clean with--features kafka.Notes
kafkafeature.🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Bug Fixes