info: Authentication support for kafka and schema registry

[fjvierap]

We are evaluating the usage of karate kafka addon. The addon seem to be very good for our use case for end to testing. But our kafka cluster and schema registry requires authentication and not sure it this is supported by the addon.

We use confluent and schema registry basic authentication with API Key and API secret.

Is there some example we can use as reference?

[ptrthomas]

@fjvierap please have a look at this example for MTLS using a cert + keystore: https://github.com/karatelabs/karate-examples/blob/main/kafka-mtls/README.md

so the short answer is since you have full control over all kafka config properties, anything supported by kafka should work
the MTLS example was quite complex to set up, I'm hoping basic auth should be relatively simpler

let me know how it goes

[fjvierap]

Ok thanks...

Then it is clear that this will work for kafka:

			"security.protocol":        "SASL_SSL",
			"sasl.username":            config.Username,
			"sasl.password":            config.Password,

And i guess this will work for schema registry

basic.auth.credentials.source=USER_INFO,basic.auth.user.info=<username>:<password>

[ptrthomas]

@fjvierap thanks, I'll close this when we update the docs

[fjvierap]

For kafka we had to add the following properties en configuration:

'sasl.mechanism' : 'PLAIN',
  'sasl.jaas.config': 'org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";',

We managed to connect with schema registry

'schema.registry.basic.auth.credentials.source' : 'USER_INFO',
'schema.registry.basic.auth.user.info' : 'user:password'

But in logs we see this error even the test is working as expected

17:26:36.339 [main] DEBUG com.intuit.karate - response time in milliseconds: 2
30 < 401
30 < WWW-Authenticate: basic realm="SchemaRegistry"
30 < Content-Type: application/json;charset=iso-8859-1
30 < Content-Length: 43
{"error_code":401,"message":"Unauthorized"}

[ptrthomas]

@fjvierap thanks that is something we can improve, it is because we attempt a plain HTTP get to wait until the schema registry is up - it doesn't matter if it returns a 401 :) please keep the feedback coming