Re: [PR] [helm] Enable SASL authentication configurations [fluss]

[via GitHub]

xx789633 commented on code in PR #2506:
URL: https://github.com/apache/fluss/pull/2506#discussion_r2807287999


##########
helm/values.yaml:
##########
@@ -85,3 +87,12 @@ serviceAccount:
   # Additional annotations to apply to the ServiceAccount.
   # These can be useful, for example, to support integrations like workload 
identity.
   annotations: {}
+
+## Fluss security configurations for authentication.
+## These are required if SASL listeners are configured.
+security:
+  sasl_plain:
+    # List of client users for authentication
+    users:
+      - username: admin
+        password: password

Review Comment:
   If the password is not and sasl is enabled, we can generate a random one for 
the user



##########
helm/templates/secret-jaas-config.yaml:
##########
@@ -0,0 +1,48 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- if (include "fluss.sasl.enabled" .) }}
+{{- $saslUsers := default (list) .Values.security.sasl_plain.users -}}
+{{- if eq (len $saslUsers) 0 -}}
+{{- fail "security.sasl_plain.users must contain at least one user when SASL 
is enabled in listeners" -}}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "fluss.fullname" . }}-sasl-jaas-config
+  labels:
+    {{- include "fluss.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  jaas.conf: |
+    FlussServer {
+       org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
+       {{- range $saslUsers }}
+       user_{{ .username }}="{{ .password }}"

Review Comment:
   If the password is empty, I think we should either fail or generate a random 
one for the user. I prefer the latter approach.



##########
helm/tests/sasl_test.yaml:
##########
@@ -0,0 +1,203 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+suite: sasl-disabled-secret
+templates:
+  - templates/secret-jaas-config.yaml
+tests:

Review Comment:
   No test for multiple SASL users in JAAS config. 



##########
helm/values.yaml:
##########
@@ -85,3 +87,12 @@ serviceAccount:
   # Additional annotations to apply to the ServiceAccount.
   # These can be useful, for example, to support integrations like workload 
identity.
   annotations: {}
+
+## Fluss security configurations for authentication.
+## These are required if SASL listeners are configured.
+security:
+  sasl_plain:

Review Comment:
   use camelCase



##########
helm/templates/sts-tablet.yaml:
##########
@@ -74,6 +74,16 @@ spec:
               echo "tablet-server.id: ${FLUSS_SERVER_ID}" >> 
$FLUSS_HOME/conf/server.yaml && \
               echo "bind.listeners: ${BIND_LISTENERS}" >> 
$FLUSS_HOME/conf/server.yaml && \
               echo "advertised.listeners: ${ADVERTISED_LISTENERS}" >> 
$FLUSS_HOME/conf/server.yaml && \
+              echo "security.protocol.map: INTERNAL:{{ upper 
.Values.listeners.internal.protocol }},CLIENT:{{ upper 
.Values.listeners.client.protocol }}" >> $FLUSS_HOME/conf/server.yaml && \

Review Comment:
   The SASL logic between coordinator and tablet StatefulSets seems to be 
duplicated. can we extract them into a template?



##########
helm/templates/sts-coordinator.yaml:
##########
@@ -77,6 +77,16 @@ spec:
               echo "" >> $FLUSS_HOME/conf/server.yaml && \
               echo "bind.listeners: ${BIND_LISTENERS}" >> 
$FLUSS_HOME/conf/server.yaml && \
               echo "advertised.listeners: ${ADVERTISED_LISTENERS}" >> 
$FLUSS_HOME/conf/server.yaml && \
+              echo "security.protocol.map: INTERNAL:{{ upper 
.Values.listeners.internal.protocol }},CLIENT:{{ upper 
.Values.listeners.client.protocol }}" >> $FLUSS_HOME/conf/server.yaml && \
+
+              {{- if (include "fluss.sasl.enabled" .) }}
+              echo "security.sasl.enabled.mechanisms: PLAIN" >> 
$FLUSS_HOME/conf/server.yaml && \

Review Comment:
   PLAIN is hardcoded. We might support more SASL mechanisms in the future.



##########
helm/templates/sts-coordinator.yaml:
##########


Review Comment:
   Values.resources.tabletServer?



##########
website/docs/install-deploy/deploying-with-helm.md:
##########
@@ -245,16 +250,47 @@ The chart automatically configures listeners for internal 
cluster communication
 - **Internal Port (9123)**: Used for internal communication within the cluster
 - **Client Port (9124)**: Used for client connections
 
-Custom listener configuration:
+Default listeners configuration:
 
 ```yaml
 listeners:
   internal:
+    protocol: PLAINTEXT
     port: 9123
   client:
+    protocol: PLAINTEXT
     port: 9124
 ```
 
+To enable SASL based authentication, set any of the protocols to `SASL`.
+
+### Enabling Secure Connection
+
+With the helm deployment, you can specify authentication protocols when 
connecting to the Fluss cluster.
+
+The following table shows the supported protocols and security they provide:
+
+| Method      | Authentication | TLS Encryption     |
+|-------------|:--------------:|:------------------:|
+| `PLAINTEXT` | No             | No                 |
+| `SASL`      | Yes            | No                 |
+
+By default, the `PLAINTEXT` protocol is used.
+
+The SASL authentication will be enabled if any of the listener protocols is 
using `SASL`.
+
+Set these values for additional configurations:
+
+```yaml
+security:
+  sasl_plain:
+    users:
+      - username: admin
+        password: password
+```
+
+The `security.sasl_plain.users` field defines the list of usernames and 
passwords for SASL/PLAIN authentication. When the internal listener protocol 
uses SASL, the first user in the list is used for internal client 
authentication. The authentication mechanism is fixed to `PLAIN`.

Review Comment:
   There seems to be no support for separate internal and client credentials. 
Can we provide variables like `auth.sasl.jaas.clientPasswords` and 
`auth.sasl.jaas.interBrokerPassword` to distinguish the credentials?



##########
helm/templates/secret-jaas-config.yaml:
##########
@@ -0,0 +1,48 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- if (include "fluss.sasl.enabled" .) }}
+{{- $saslUsers := default (list) .Values.security.sasl_plain.users -}}
+{{- if eq (len $saslUsers) 0 -}}
+{{- fail "security.sasl_plain.users must contain at least one user when SASL 
is enabled in listeners" -}}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "fluss.fullname" . }}-sasl-jaas-config
+  labels:
+    {{- include "fluss.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  jaas.conf: |
+    FlussServer {
+       org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
+       {{- range $saslUsers }}
+       user_{{ .username }}="{{ .password }}"

Review Comment:
   If the password contains special characters, can this script still handle it?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@fluss.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org