cockroachdb
diff --git a/‎pkg/BUILD.bazel
+1 b/‎pkg/BUILD.bazel
+1
diff --git a/‎pkg/ccl/changefeedccl/BUILD.bazel
+2-9 b/‎pkg/ccl/changefeedccl/BUILD.bazel
+2-9
diff --git a/‎pkg/ccl/changefeedccl/changefeed_test.go
+3-3 b/‎pkg/ccl/changefeedccl/changefeed_test.go
+3-3
diff --git a/‎pkg/ccl/changefeedccl/changefeedbase/BUILD.bazel
+2 b/‎pkg/ccl/changefeedccl/changefeedbase/BUILD.bazel
+2
diff --git a/‎pkg/ccl/changefeedccl/changefeedbase/options.go
-3 b/‎pkg/ccl/changefeedccl/changefeedbase/options.go
-3
diff --git a/‎pkg/ccl/changefeedccl/changefeedbase/sink_url.go
+128 b/‎pkg/ccl/changefeedccl/changefeedbase/sink_url.go
+128
diff --git a/‎pkg/ccl/changefeedccl/kafkaauth/BUILD.bazel
+30 b/‎pkg/ccl/changefeedccl/kafkaauth/BUILD.bazel
+30
diff --git a/‎pkg/ccl/changefeedccl/kafkaauth/doc.go
+9 b/‎pkg/ccl/changefeedccl/kafkaauth/doc.go
+9
@@ -877,6 +877,7 @@ GO_TARGETS = [
     "//pkg/ccl/changefeedccl/changefeedvalidators:changefeedvalidators",
     "//pkg/ccl/changefeedccl/checkpoint:checkpoint",
     "//pkg/ccl/changefeedccl/checkpoint:checkpoint_test",
+    "//pkg/ccl/changefeedccl/kafkaauth:kafkaauth",
     "//pkg/ccl/changefeedccl/kvevent:kvevent",
     "//pkg/ccl/changefeedccl/kvevent:kvevent_test",
     "//pkg/ccl/changefeedccl/kvfeed:kvfeed",
 
@@ -28,7 +28,6 @@ go_library(
         "retry.go",
         "scheduled_changefeed.go",
         "schema_registry.go",
-        "scram_client.go",
         "sink.go",
         "sink_cloudstorage.go",
         "sink_external_connection.go",
@@ -58,6 +57,7 @@ go_library(
         "//pkg/ccl/changefeedccl/changefeedpb",
         "//pkg/ccl/changefeedccl/changefeedvalidators",
         "//pkg/ccl/changefeedccl/checkpoint",
+        "//pkg/ccl/changefeedccl/kafkaauth",
         "//pkg/ccl/changefeedccl/kvevent",
         "//pkg/ccl/changefeedccl/kvfeed",
         "//pkg/ccl/changefeedccl/resolvedspan",
@@ -166,7 +166,6 @@ go_library(
         "//pkg/util/tracing",
         "//pkg/util/uuid",
         "@com_github_apache_pulsar_client_go//pulsar",
-        "@com_github_aws_aws_msk_iam_sasl_signer_go//signer",
         "@com_github_cockroachdb_apd_v3//:apd",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_logtags//:logtags",
@@ -183,12 +182,7 @@ go_library(
         "@com_github_twmb_franz_go//pkg/kerr",
         "@com_github_twmb_franz_go//pkg/kgo",
         "@com_github_twmb_franz_go//pkg/kversion",
-        "@com_github_twmb_franz_go//pkg/sasl",
-        "@com_github_twmb_franz_go//pkg/sasl/oauth",
-        "@com_github_twmb_franz_go//pkg/sasl/plain",
-        "@com_github_twmb_franz_go//pkg/sasl/scram",
         "@com_github_twmb_franz_go_pkg_kadm//:kadm",
-        "@com_github_xdg_go_scram//:scram",
         "@com_google_cloud_go_pubsub//:pubsub",
         "@com_google_cloud_go_pubsub//apiv1",
         "@com_google_cloud_go_pubsub//apiv1/pubsubpb",
@@ -198,8 +192,6 @@ go_library(
         "@org_golang_google_grpc//codes",
         "@org_golang_google_grpc//credentials/insecure",
         "@org_golang_google_grpc//status",
-        "@org_golang_x_oauth2//:oauth2",
-        "@org_golang_x_oauth2//clientcredentials",
         "@org_golang_x_oauth2//google",
     ],
 )
@@ -375,6 +367,7 @@ go_test(
         "@com_github_twmb_franz_go//pkg/kgo",
         "@com_github_twmb_franz_go//pkg/kversion",
         "@com_github_twmb_franz_go//pkg/sasl",
+        "@com_github_twmb_franz_go//pkg/sasl/plain",
         "@com_github_twmb_franz_go_pkg_kadm//:kadm",
         "@com_google_cloud_go_pubsub//apiv1",
         "@com_google_cloud_go_pubsub//apiv1/pubsubpb",
 
@@ -5593,7 +5593,7 @@ func TestChangefeedErrors(t *testing.T) {
 	)
 	sqlDB.ExpectErrWithTimeout(
 		t, `param sasl_handshake must be a bool`,
-		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_handshake=maybe`,
+		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_user=x&sasl_password=y&sasl_handshake=maybe`,
 	)
 	sqlDB.ExpectErrWithTimeout(
 		t, `sasl_enabled must be enabled to configure SASL handshake behavior`,
@@ -5625,14 +5625,14 @@ func TestChangefeedErrors(t *testing.T) {
 	)
 	sqlDB.ExpectErrWithTimeout(
 		t, `sasl_client_id is only a valid parameter for sasl_mechanism=OAUTHBEARER`,
-		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_client_id=a`,
+		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_client_id=a`,
 	)
 	sqlDB.ExpectErrWithTimeout(
 		t, `sasl_enabled must be enabled to configure SASL mechanism`,
 		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_mechanism=SCRAM-SHA-256`,
 	)
 	sqlDB.ExpectErrWithTimeout(
-		t, `param sasl_mechanism must be one of SCRAM-SHA-256, SCRAM-SHA-512, OAUTHBEARER, PLAIN or AWS_MSK_IAM`,
+		t, `param sasl_mechanism must be one of AWS_MSK_IAM, OAUTHBEARER, PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512`,
 		`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_mechanism=unsuppported`,
 	)
 	sqlDB.ExpectErrWithTimeout(
 
@@ -7,6 +7,7 @@ go_library(
         "errors.go",
         "options.go",
         "settings.go",
+        "sink_url.go",
         "target.go",
     ],
     importpath = "github.com/cockroachdb/cockroach/pkg/ccl/changefeedccl/changefeedbase",
@@ -20,6 +21,7 @@ go_library(
         "//pkg/sql/catalog/descpb",
         "//pkg/sql/pgwire/pgcode",
         "//pkg/sql/pgwire/pgerror",
+        "//pkg/util",
         "//pkg/util/iterutil",
         "//pkg/util/metamorphic",
         "@com_github_cockroachdb_errors//:errors",
 
@@ -239,9 +239,6 @@ const (
 	Topics = `topics`
 )
 
-// Support additional mechanism on top of the default SASL mechanism.
-const SASLTypeAWSMSKIAM = "AWS_MSK_IAM"
-
 func makeStringSet(opts ...string) map[string]struct{} {
 	res := make(map[string]struct{}, len(opts))
 	for _, opt := range opts {
 
@@ -0,0 +1,128 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+package changefeedbase
+
+import (
+	"encoding/base64"
+	"net/url"
+	"strconv"
+
+	"github.com/cockroachdb/cockroach/pkg/util"
+	"github.com/cockroachdb/errors"
+)
+
+// SinkURL is a helper struct which for "consuming" URL query
+// parameters from the underlying URL.
+type SinkURL struct {
+	_ util.NoCopy
+	*url.URL
+	q url.Values
+}
+
+func (u *SinkURL) PeekParam(p string) string {
+	if u.q == nil {
+		u.q = u.Query()
+	}
+	v := u.q.Get(p)
+	return v
+}
+
+func (u *SinkURL) ConsumeParam(p string) string {
+	v := u.PeekParam(p)
+	u.q.Del(p)
+	return v
+}
+
+func (u *SinkURL) ConsumeParams(p string) []string {
+	if u.q == nil {
+		u.q = u.Query()
+	}
+	v := u.q[p]
+	u.q.Del(p)
+	return v
+}
+
+func (u *SinkURL) AddParam(p string, value string) {
+	if u.q == nil {
+		u.q = u.Query()
+	}
+	u.q.Add(p, value)
+}
+
+func (u *SinkURL) SetParam(p string, value string) {
+	if u.q == nil {
+		u.q = u.Query()
+	}
+	u.q.Set(p, value)
+}
+
+func (u *SinkURL) ConsumeBool(param string, dest *bool) (wasSet bool, err error) {
+	if paramVal := u.ConsumeParam(param); paramVal != "" {
+		wasSet, err := strToBool(paramVal, dest)
+		if err != nil {
+			return false, errors.Wrapf(err, "param %s must be a bool", param)
+		}
+		return wasSet, err
+	}
+	return false, nil
+}
+
+func (u *SinkURL) ConsumeBoolParam(param string) (bool, error) {
+	var b bool
+	_, err := u.ConsumeBool(param, &b)
+	return b, err
+}
+
+func (u *SinkURL) DecodeBase64(param string, dest *[]byte) error {
+	// TODO(dan): There's a straightforward and unambiguous transformation
+	//  between the base 64 encoding defined in RFC 4648 and the URL variant
+	//  defined in the same RFC: simply replace all `+` with `-` and `/` with
+	//  `_`. Consider always doing this for the user and accepting either
+	//  variant.
+	val := u.ConsumeParam(param)
+	err := DecodeBase64FromString(val, dest)
+	if err != nil {
+		return errors.Wrapf(err, `param %s must be base 64 encoded`, param)
+	}
+	return nil
+}
+
+func (u *SinkURL) RemainingQueryParams() (res []string) {
+	for p := range u.q {
+		res = append(res, p)
+	}
+	return
+}
+
+func (u *SinkURL) String() string {
+	if u.q != nil {
+		// If we changed query params, re-encode them.
+		u.URL.RawQuery = u.q.Encode()
+		u.q = nil
+	}
+	return u.URL.String()
+}
+
+func strToBool(src string, dest *bool) (wasSet bool, err error) {
+	b, err := strconv.ParseBool(src)
+	if err != nil {
+		return false, err
+	}
+	*dest = b
+	return true, nil
+}
+
+func DecodeBase64FromString(src string, dest *[]byte) error {
+	if src == `` {
+		return nil
+	}
+	decoded, err := base64.StdEncoding.DecodeString(src)
+	if err != nil {
+		return err
+	}
+	*dest = decoded
+	return nil
+}
@@ -0,0 +1,30 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "kafkaauth",
+    srcs = [
+        "doc.go",
+        "kafkaauth.go",
+        "sasl_msk.go",
+        "sasl_oauth.go",
+        "sasl_plain.go",
+        "sasl_scram.go",
+        "scram_client.go",
+    ],
+    importpath = "github.com/cockroachdb/cockroach/pkg/ccl/changefeedccl/kafkaauth",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/ccl/changefeedccl/changefeedbase",
+        "@com_github_aws_aws_msk_iam_sasl_signer_go//signer",
+        "@com_github_cockroachdb_errors//:errors",
+        "@com_github_ibm_sarama//:sarama",
+        "@com_github_twmb_franz_go//pkg/kgo",
+        "@com_github_twmb_franz_go//pkg/sasl",
+        "@com_github_twmb_franz_go//pkg/sasl/oauth",
+        "@com_github_twmb_franz_go//pkg/sasl/plain",
+        "@com_github_twmb_franz_go//pkg/sasl/scram",
+        "@com_github_xdg_go_scram//:scram",
+        "@org_golang_x_oauth2//:oauth2",
+        "@org_golang_x_oauth2//clientcredentials",
+    ],
+)
@@ -0,0 +1,9 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+// Package kafkaauth provides Kafka SASL authentication mechanisms for use with
+// the changefeed kafka sinks (v1 & v2). Most standard SASL mechanisms are
+// supported, and some custom ones as well.
+package kafkaauth
Original file line number	Diff line number	Diff line change
`@@ -5593,7 +5593,7 @@ func TestChangefeedErrors(t *testing.T) {`
`5593`	`5593`	`)`
`5594`	`5594`	`sqlDB.ExpectErrWithTimeout(`
`5595`	`5595`	t, `param sasl_handshake must be a bool`,
`5596`		- `CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_handshake=maybe`,
	`5596`	+ `CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_user=x&sasl_password=y&sasl_handshake=maybe`,
`5597`	`5597`	`)`
`5598`	`5598`	`sqlDB.ExpectErrWithTimeout(`
`5599`	`5599`	t, `sasl_enabled must be enabled to configure SASL handshake behavior`,
`@@ -5625,14 +5625,14 @@ func TestChangefeedErrors(t *testing.T) {`
`5625`	`5625`	`)`
`5626`	`5626`	`sqlDB.ExpectErrWithTimeout(`
`5627`	`5627`	t, `sasl_client_id is only a valid parameter for sasl_mechanism=OAUTHBEARER`,
`5628`		- `CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_client_id=a`,
	`5628`	+ `CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_client_id=a`,
`5629`	`5629`	`)`
`5630`	`5630`	`sqlDB.ExpectErrWithTimeout(`
`5631`	`5631`	t, `sasl_enabled must be enabled to configure SASL mechanism`,
`5632`	`5632`	`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_mechanism=SCRAM-SHA-256`,
`5633`	`5633`	`)`
`5634`	`5634`	`sqlDB.ExpectErrWithTimeout(`
`5635`		- t, `param sasl_mechanism must be one of SCRAM-SHA-256, SCRAM-SHA-512, OAUTHBEARER, PLAIN or AWS_MSK_IAM`,
	`5635`	+ t, `param sasl_mechanism must be one of AWS_MSK_IAM, OAUTHBEARER, PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512`,
`5636`	`5636`	`CREATE CHANGEFEED FOR foo INTO $1`, `kafka://nope/?sasl_enabled=true&sasl_mechanism=unsuppported`,
`5637`	`5637`	`)`
`5638`	`5638`	`sqlDB.ExpectErrWithTimeout(`
Original file line number	Diff line number	Diff line change
`@@ -239,9 +239,6 @@ const (`
`239`	`239`	Topics = `topics`
`240`	`240`	`)`
`241`	`241`
`242`		`-// Support additional mechanism on top of the default SASL mechanism.`
`243`		`-const SASLTypeAWSMSKIAM = "AWS_MSK_IAM"`
`244`		`-`
`245`	`242`	`func makeStringSet(opts ...string) map[string]struct{} {`
`246`	`243`	`res := make(map[string]struct{}, len(opts))`
`247`	`244`	`for _, opt := range opts {`