changefeedccl: refactor kafka auth to be plugin-based

Epic: none
Release note: None

Author: asg0451

pkg/BUILD.bazel

@@ -877,6 +877,7 @@ GO_TARGETS = [
     "//pkg/ccl/changefeedccl/changefeedvalidators:changefeedvalidators",
     "//pkg/ccl/changefeedccl/checkpoint:checkpoint",
     "//pkg/ccl/changefeedccl/checkpoint:checkpoint_test",
+    "//pkg/ccl/changefeedccl/kafkaauth:kafkaauth",
     "//pkg/ccl/changefeedccl/kvevent:kvevent",
     "//pkg/ccl/changefeedccl/kvevent:kvevent_test",
     "//pkg/ccl/changefeedccl/kvfeed:kvfeed",

pkg/ccl/changefeedccl/BUILD.bazel

@@ -28,7 +28,6 @@ go_library(
         "retry.go",
         "scheduled_changefeed.go",
         "schema_registry.go",
-        "scram_client.go",
         "sink.go",
         "sink_cloudstorage.go",
         "sink_external_connection.go",
@@ -58,6 +57,7 @@ go_library(
         "//pkg/ccl/changefeedccl/changefeedpb",
         "//pkg/ccl/changefeedccl/changefeedvalidators",
         "//pkg/ccl/changefeedccl/checkpoint",
+        "//pkg/ccl/changefeedccl/kafkaauth",
         "//pkg/ccl/changefeedccl/kvevent",
         "//pkg/ccl/changefeedccl/kvfeed",
         "//pkg/ccl/changefeedccl/resolvedspan",
@@ -166,7 +166,6 @@ go_library(
         "//pkg/util/tracing",
         "//pkg/util/uuid",
         "@com_github_apache_pulsar_client_go//pulsar",
-        "@com_github_aws_aws_msk_iam_sasl_signer_go//signer",
         "@com_github_cockroachdb_apd_v3//:apd",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_logtags//:logtags",
@@ -183,12 +182,7 @@ go_library(
         "@com_github_twmb_franz_go//pkg/kerr",
         "@com_github_twmb_franz_go//pkg/kgo",
         "@com_github_twmb_franz_go//pkg/kversion",
-        "@com_github_twmb_franz_go//pkg/sasl",
-        "@com_github_twmb_franz_go//pkg/sasl/oauth",
-        "@com_github_twmb_franz_go//pkg/sasl/plain",
-        "@com_github_twmb_franz_go//pkg/sasl/scram",
         "@com_github_twmb_franz_go_pkg_kadm//:kadm",
-        "@com_github_xdg_go_scram//:scram",
         "@com_google_cloud_go_pubsub//:pubsub",
         "@com_google_cloud_go_pubsub//apiv1",
         "@com_google_cloud_go_pubsub//apiv1/pubsubpb",
@@ -198,8 +192,6 @@ go_library(
         "@org_golang_google_grpc//codes",
         "@org_golang_google_grpc//credentials/insecure",
         "@org_golang_google_grpc//status",
-        "@org_golang_x_oauth2//:oauth2",
-        "@org_golang_x_oauth2//clientcredentials",
         "@org_golang_x_oauth2//google",
     ],
 )
@@ -375,6 +367,7 @@ go_test(
         "@com_github_twmb_franz_go//pkg/kgo",
         "@com_github_twmb_franz_go//pkg/kversion",
         "@com_github_twmb_franz_go//pkg/sasl",
+        "@com_github_twmb_franz_go//pkg/sasl/plain",
         "@com_github_twmb_franz_go_pkg_kadm//:kadm",
         "@com_google_cloud_go_pubsub//apiv1",
         "@com_google_cloud_go_pubsub//apiv1/pubsubpb",

pkg/ccl/changefeedccl/changefeed_test.go

@@ -5593,7 +5593,7 @@ func TestChangefeedErrors(t *testing.T) {
 	)
 	sqlDB.ExpectErrWithTimeout(
 		t, `param sasl_handshake must be a bool`,
-		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_handshake=maybe`,
+		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_user=x&sasl_password=y&sasl_handshake=maybe`,
 	)
 	sqlDB.ExpectErrWithTimeout(
 		t, `sasl_enabled must be enabled to configure SASL handshake behavior`,
@@ -5625,14 +5625,14 @@ func TestChangefeedErrors(t *testing.T) {
 	)
 	sqlDB.ExpectErrWithTimeout(
 		t, `sasl_client_id is only a valid parameter for sasl_mechanism=OAUTHBEARER`,
-		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_client_id=a`,
+		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_client_id=a`,
 	)
 	sqlDB.ExpectErrWithTimeout(
 		t, `sasl_enabled must be enabled to configure SASL mechanism`,
 		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_mechanism=SCRAM-SHA-256`,
 	)
 	sqlDB.ExpectErrWithTimeout(
-		t, `param sasl_mechanism must be one of SCRAM-SHA-256, SCRAM-SHA-512, OAUTHBEARER, PLAIN or AWS_MSK_IAM`,
+		t, `param sasl_mechanism must be one of AWS_MSK_IAM, OAUTHBEARER, PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512`,
 		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_mechanism=unsuppported`,
 	)
 	sqlDB.ExpectErrWithTimeout(

pkg/ccl/changefeedccl/changefeedbase/options.go

@@ -239,9 +239,6 @@ const (
 	Topics = `topics`
 )
 
-// Support additional mechanism on top of the default SASL mechanism.
-const SASLTypeAWSMSKIAM = "AWS_MSK_IAM"
-
 func makeStringSet(opts ...string) map[string]struct{} {
 	res := make(map[string]struct{}, len(opts))
 	for _, opt := range opts {

pkg/ccl/changefeedccl/kafkaauth/BUILD.bazel

@@ -0,0 +1,30 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "kafkaauth",
+    srcs = [
+        "doc.go",
+        "kafkaauth.go",
+        "sasl_msk.go",
+        "sasl_oauth.go",
+        "sasl_plain.go",
+        "sasl_scram.go",
+        "scram_client.go",
+    ],
+    importpath = "github.com/cockroachdb/cockroach/pkg/ccl/changefeedccl/kafkaauth",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/ccl/changefeedccl/changefeedbase",
+        "@com_github_aws_aws_msk_iam_sasl_signer_go//signer",
+        "@com_github_cockroachdb_errors//:errors",
+        "@com_github_ibm_sarama//:sarama",
+        "@com_github_twmb_franz_go//pkg/kgo",
+        "@com_github_twmb_franz_go//pkg/sasl",
+        "@com_github_twmb_franz_go//pkg/sasl/oauth",
+        "@com_github_twmb_franz_go//pkg/sasl/plain",
+        "@com_github_twmb_franz_go//pkg/sasl/scram",
+        "@com_github_xdg_go_scram//:scram",
+        "@org_golang_x_oauth2//:oauth2",
+        "@org_golang_x_oauth2//clientcredentials",
+    ],
+)

pkg/ccl/changefeedccl/kafkaauth/doc.go

@@ -0,0 +1,9 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+// Package kafkaauth provides Kafka SASL authentication mechanisms for use with
+// the changefeed kafka sinks (v1 & v2). Most standard SASL mechanisms are
+// supported, and some custom ones as well.
+package kafkaauth

pkg/ccl/changefeedccl/kafkaauth/kafkaauth.go

@@ -0,0 +1,192 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+package kafkaauth
+
+import (
+	"context"
+	"sort"
+	"strings"
+
+	"github.com/IBM/sarama"
+	"github.com/cockroachdb/cockroach/pkg/ccl/changefeedccl/changefeedbase"
+	"github.com/cockroachdb/errors"
+	"github.com/twmb/franz-go/pkg/kgo"
+)
+
+type saslMechanismBuilder interface {
+	name() string
+	validateParams(u *changefeedbase.SinkURL) error
+	build(u *changefeedbase.SinkURL) (SASLMechanism, error)
+}
+
+// SASLMechanism is an interface for SASL mechanism instances, built from URLs,
+// to be applied to sarama and kgo configurations.
+type SASLMechanism interface {
+	// ApplySarama applies the SASL mechanism to the given sarama configuration.
+	ApplySarama(ctx context.Context, cfg *sarama.Config) error
+	// KgoOpts returns kgo options that implement the SASL mechanism.
+	KgoOpts(ctx context.Context) ([]kgo.Opt, error)
+}
+
+type saslMechanismRegistry map[string]saslMechanismBuilder
+
+// registry is the global registry of SASL Mechanisms.
+var registry saslMechanismRegistry = make(map[string]saslMechanismBuilder)
+
+// register registers a SASL Mechanism to the global registry. It must only be
+// called during init().
+func (r saslMechanismRegistry) register(b saslMechanismBuilder) {
+	n := b.name()
+	if _, ok := r[n]; ok {
+		panic("duplicate sasl mechanism registered: " + n)
+	}
+	r[n] = b
+}
+
+// Pick wraps registry.pick() which returns a saslMechanism for the given sink
+// URL, or ok=false if none is specified. It consumes all relevant query
+// parameters from `u`.
+func Pick(u *changefeedbase.SinkURL) (_ SASLMechanism, ok bool, _ error) {
+	return registry.pick(u)
+}
+
+// pick returns a saslMechanism for the given sink URL, or ok=false if none is specified.
+func (r saslMechanismRegistry) pick(u *changefeedbase.SinkURL) (_ SASLMechanism, ok bool, _ error) {
+	if u == nil {
+		return nil, false, errors.AssertionFailedf("sink url is nil")
+	}
+
+	var enabled bool
+	if _, err := u.ConsumeBool(changefeedbase.SinkParamSASLEnabled, &enabled); err != nil {
+		return nil, false, err
+	}
+	if !enabled {
+		return nil, false, maybeHelpfulErrorMessage(enabled, u)
+	}
+
+	mechanism := u.ConsumeParam(changefeedbase.SinkParamSASLMechanism)
+	if mechanism == "" {
+		mechanism = sarama.SASLTypePlaintext
+	}
+	b, ok := r[mechanism]
+	if !ok {
+		return nil, false, errors.Newf("param sasl_mechanism must be one of %s", r.allMechanismNames())
+	}
+
+	// Return slightly nicer errors for this common case.
+	if b.name() != sarama.SASLTypeOAuth {
+		if err := validateNoOAuthOnlyParams(u); err != nil {
+			return nil, false, err
+		}
+	}
+	if err := b.validateParams(u); err != nil {
+		return nil, false, err
+	}
+	mech, err := b.build(u)
+	if err != nil {
+		return nil, false, err
+	}
+	return mech, true, nil
+}
+
+func (r saslMechanismRegistry) allMechanismNames() string {
+	allMechanisms := make([]string, 0, len(r))
+	for k := range r {
+		allMechanisms = append(allMechanisms, k)
+	}
+	sort.Strings(allMechanisms)
+	return strings.Join(allMechanisms[:len(allMechanisms)-1], ", ") +
+		", or " + allMechanisms[len(allMechanisms)-1]
+}
+
+func newRequiredParamError(mechName string, param string) error {
+	return errors.Newf("%s must be provided when SASL is enabled using mechanism %s", param, mechName)
+}
+
+func peekAndRequireParams(
+	mechName string, u *changefeedbase.SinkURL, requiredParams []string,
+) error {
+	var errs []error
+	for _, param := range requiredParams {
+		if u.PeekParam(param) == "" {
+			errs = append(errs, newRequiredParamError(mechName, param))
+		}
+	}
+	return errors.Join(errs...)
+}
+
+// consumeHandshake consumes the handshake parameter from the sink URL.
+// handshake defaults to true (if sasl is enabled), unlike other options.
+func consumeHandshake(u *changefeedbase.SinkURL) (bool, error) {
+	var handshake bool
+	set, err := u.ConsumeBool(changefeedbase.SinkParamSASLHandshake, &handshake)
+	if err != nil {
+		return false, err
+	}
+	if !set {
+		handshake = true
+	}
+	return handshake, nil
+}
+
+// maybeHelpfulErrorMessage returns an error if the user has provided SASL parameters without enabling SASL.
+func maybeHelpfulErrorMessage(saslEnabled bool, u *changefeedbase.SinkURL) error {
+	if !saslEnabled {
+		// Handle special error messages.
+		if u.PeekParam(changefeedbase.SinkParamSASLHandshake) != "" {
+			return errors.New("sasl_enabled must be enabled to configure SASL handshake behavior")
+		}
+		if u.PeekParam(changefeedbase.SinkParamSASLMechanism) != "" {
+			return errors.New("sasl_enabled must be enabled to configure SASL mechanism")
+		}
+
+		saslOnlyParams := []string{
+			changefeedbase.SinkParamSASLUser,
+			changefeedbase.SinkParamSASLPassword,
+			changefeedbase.SinkParamSASLEnabled,
+			changefeedbase.SinkParamSASLClientID,
+			changefeedbase.SinkParamSASLClientSecret,
+			changefeedbase.SinkParamSASLTokenURL,
+			changefeedbase.SinkParamSASLGrantType,
+			changefeedbase.SinkParamSASLScopes,
+			changefeedbase.SinkParamSASLAwsIAMRoleArn,
+			changefeedbase.SinkParamSASLAwsRegion,
+			changefeedbase.SinkParamSASLAwsIAMSessionName,
+		}
+		for _, p := range saslOnlyParams {
+			if u.PeekParam(p) != "" {
+				return errors.Newf("sasl_enabled must be enabled if %s is provided", p)
+			}
+		}
+	}
+	return nil
+}
+
+// validateNoOAuthOnlyParams returns an error if the user has provided
+// OAUTHBEARER parameters without setting sasl_mechanism=OAUTHBEARER, for the
+// sake of slightly nicer errors.
+func validateNoOAuthOnlyParams(u *changefeedbase.SinkURL) error {
+	oauthOnlyParams := []string{
+		changefeedbase.SinkParamSASLClientID,
+		changefeedbase.SinkParamSASLClientSecret,
+		changefeedbase.SinkParamSASLTokenURL,
+		changefeedbase.SinkParamSASLGrantType,
+		changefeedbase.SinkParamSASLScopes,
+	}
+
+	for _, p := range oauthOnlyParams {
+		if u.PeekParam(p) != "" {
+			return errors.Newf("%s is only a valid parameter for sasl_mechanism=OAUTHBEARER", p)
+		}
+	}
+	return nil
+}
+
+func applySaramaCommon(cfg *sarama.Config, mechName sarama.SASLMechanism, handshake bool) {
+	cfg.Net.SASL.Enable = true
+	cfg.Net.SASL.Mechanism = mechName
+	cfg.Net.SASL.Handshake = handshake
+}