Observability Documentation / OBSDOCS-484

SASL mechanisms wrongly referenced for PLAIN and SCRAM


Details

    • Bug
    • Resolution: Unresolved
    • Logging

    Description

       

      Description of problem:

      Our documentation on forwarding logs to third-party systems references sasl.mechanisms in a confusing and wrong way.

      The paragraph reads:

       

      sasl.mechanisms: (array) List of allowed SASL mechanism names. If missing or empty, the system defaults are used. 

      Where the code clearly indicates that only a string is accepted.

       

      func GetFromSecret(secret *corev1.Secret, name string) string {
              if secret != nil {
                      return string(secret.Data[name])
              }
              return ""
      } 

      Furthermore, we need to make clear that sasl.mechanisms are meant for SCRAM methods only and not for differentiation between PLAIN and SCRAM.

       

      Working examples of the three possible configurations (with 4.13, only SCRAM-256 is supported):

      SASL PLAIN configuration

       

      data:
         sasl.username: xxx
         sasl.password: xxx
         sasl.enable: True 

       

      SASL SCRAM-256 configuration

       

      data:
         sasl.username: xxx
         sasl.password: xxx
         sasl.enable: True
         sasl.mechanism: sha256

      SASL SCRAM-512 configuration

       

      data:
         sasl.username: xxx
         sasl.password: xxx
         sasl.enable: True
         sasl.mechanism: sha512 

      The optional sasl_over_ssl is added automatically when SSL fields are added in the secret.data section.

       

       

       

      Version-Release number of selected component (if applicable):

      5.x 

      How reproducible:

      always.

      A valid configuration from Red Hat OpenShift Logging < 5.7 will break with 5.7 due to the added SASL-SCRAM-256 feature, implemented with LOG-3314.

      Steps to Reproduce:

      1. Install Red Hat OpenShift Logging 5.6
      2. Configure SASL PLAIN

         data:
            sasl.username: xxx
            sasl.password: xxx
            sasl.enable: True
            sasl.mechanism: PLAIN

      3. Upgrade Red Hat OpenShift Logging to 5.7

      Actual results:

       

      2023-08-21 12:53:43 +0000 [error]: unexpected error error_class=Kafka::SaslScramError error="SCRAM mechanism PLAIN is not supported." 

       

      Expected results:

      successful authentication

      Additional info:

      After consulting the Engineering Team, we consider this a Documentation Bug as there's a misunderstanding of the wording sasl.mechanisms. SASL provides multiple methods to authenticate, like SASL-PLAIN, SASL-SCRAM-256, SASL-SCRAM-512.

      These are wrongly interpreted (by humans) as the mechanisms; instead, they are determined automatically by the underlying Go library, and mechanism differentiates between the SCRAM mechanisms.

      We published a KCS to clarify the situation until this BZ is resolved.
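
A pre-upgrade check for the breakage described above, as an added example that is not part of the original report or of the logging operator's code. The helper names `classifySASL` and `auditSecrets` are hypothetical, the key name `sasl.mechanism` is taken from the working examples in this report, and the sample secrets are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumption: singular key name, as written in the report's working examples.
const mechanismKey = "sasl.mechanism"

// classifySASL (hypothetical helper) maps a secret's data, shaped like
// corev1.Secret.Data, to the method selected by the three configurations
// in the report. Any other value is rejected, including "PLAIN".
func classifySASL(data map[string][]byte) (string, error) {
	switch m := strings.TrimSpace(string(data[mechanismKey])); m {
	case "": // key absent or empty: SASL PLAIN
		return "PLAIN", nil
	case "sha256":
		return "SCRAM-256", nil
	case "sha512":
		return "SCRAM-512", nil
	default:
		return "", fmt.Errorf("%s=%q selects no SCRAM variant; remove the key for SASL PLAIN", mechanismKey, m)
	}
}

// auditSecrets returns, sorted, the names of secrets whose mechanism value
// falls outside the three working configurations.
func auditSecrets(secrets map[string]map[string][]byte) []string {
	var bad []string
	for name, data := range secrets {
		if _, err := classifySASL(data); err != nil {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed samples: a 5.6-style secret from the reproduction steps and a SCRAM-256 one.
	secrets := map[string]map[string][]byte{
		"kafka-legacy": {"sasl.enable": []byte("True"), mechanismKey: []byte("PLAIN")},
		"kafka-scram":  {"sasl.enable": []byte("True"), mechanismKey: []byte("sha256")},
	}
	fmt.Println("secrets to fix before upgrading:", auditSecrets(secrets))
}
```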


            People

              rhn-support-ssiddhar Shreya Siddhartha
              rhn-support-milang Michaela Lang