diff --git a/api/build.gradle b/api/build.gradle
index ca51f8b21..563da52ab 100644
--- a/api/build.gradle
+++ b/api/build.gradle
@@ -62,6 +62,15 @@ dependencies {
 
 implementation libs.netty.common
 implementation libs.netty.handler
+
+ // Google Managed Service for Kafka IAM support
+ implementation (libs.google.managed.kafka.login.handler) {
+ exclude group: 'com.google.oauth-client', module: 'google-oauth-client'
+ }
+ implementation (libs.google.oauth.client) {
+ because("CVE Fix: It is excluded above because of a vulnerability")
+ }
+
 // Annotation processors
 implementation libs.lombok
 implementation libs.mapstruct
diff --git a/frontend/src/lib/constants.ts b/frontend/src/lib/constants.ts
index 0249c23a4..b04c21c17 100644
--- a/frontend/src/lib/constants.ts
+++ b/frontend/src/lib/constants.ts
@@ -94,6 +94,7 @@ export const AUTH_OPTIONS = [
 { value: 'SASL/LDAP', label: 'SASL/LDAP' },
 { value: 'SASL/AWS IAM', label: 'SASL/AWS IAM' },
 { value: 'SASL/Azure Entra', label: 'SASL/Azure Entra' },
+ { value: 'SASL/GCP IAM', label: 'SASL/GCP IAM' },
 { value: 'mTLS', label: 'mTLS' },
 ];
 
diff --git a/frontend/src/widgets/ClusterConfigForm/schema.ts b/frontend/src/widgets/ClusterConfigForm/schema.ts
index cc32e6c12..5385a3961 100644
--- a/frontend/src/widgets/ClusterConfigForm/schema.ts
+++ b/frontend/src/widgets/ClusterConfigForm/schema.ts
@@ -144,6 +144,7 @@ const authPropsSchema = lazy((_, { parent }) => {
 awsProfileName: string(),
 });
 case 'SASL/Azure Entra':
+ case 'SASL/GCP IAM':
 case 'mTLS':
 default:
 return mixed().optional();
diff --git a/frontend/src/widgets/ClusterConfigForm/utils/getJaasConfig.ts b/frontend/src/widgets/ClusterConfigForm/utils/getJaasConfig.ts
index 0a9b914ea..1575e9e05 100644
--- a/frontend/src/widgets/ClusterConfigForm/utils/getJaasConfig.ts
+++ b/frontend/src/widgets/ClusterConfigForm/utils/getJaasConfig.ts
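Review bot: The `because(...)` reason on the re-added `libs.google.oauth.client` names neither the advisory nor the transitive version it replaces, so whoever bumps `google-managed-kafka-login-handler` later cannot tell whether the exclude/re-add pair is still required. State both in the reason, e.g. `because("managed-kafka-auth-login-handler pulls a google-oauth-client affected by <ADVISORY-ID>; version pinned via the catalog instead — re-check on every bump of either artifact")`. A `constraints { implementation(libs.google.oauth.client) { because(...) } }` entry would force the same version without the exclude and keep the rationale attached to the artifact it overrides, which may read more clearly. The `dependencies {}` block starts outside the hunk.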
@@ -11,6 +11,7 @@ const JAAS_CONFIGS = {
 'SASL/AWS IAM': 'software.amazon.msk.auth.iam.IAMLoginModule',
 'SASL/Azure Entra':
 'org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule',
+ 'SASL/GCP IAM': 'com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler',
 };
 
 type MethodName = keyof typeof JAAS_CONFIGS;
diff --git a/frontend/src/widgets/ClusterConfigForm/utils/transformFormDataToPayload.ts b/frontend/src/widgets/ClusterConfigForm/utils/transformFormDataToPayload.ts
index d26709547..9ff593874 100644
--- a/frontend/src/widgets/ClusterConfigForm/utils/transformFormDataToPayload.ts
+++ b/frontend/src/widgets/ClusterConfigForm/utils/transformFormDataToPayload.ts
@@ -272,6 +272,15 @@ export const transformFormDataToPayload = (data: ClusterConfigFormValues) => {
 'sasl.jaas.config': getJaasConfig('SASL/Azure Entra', {}),
 };
 break;
+ case 'SASL/GCP IAM':
+ config.properties = {
+ 'security.protocol': securityProtocol,
+ 'sasl.mechanism': 'OAUTHBEARER',
+ 'sasl.client.callback.handler.class':
+ 'com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler',
+ 'sasl.jaas.config': getJaasConfig('SASL/GCP IAM', {}),
+ };
+ break;
 case 'mTLS':
 config.properties = {
 'security.protocol': 'SSL',
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 0f26e9cd9..ea645012f 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -133,3 +133,7 @@ netty-handler = { module = 'io.netty:netty-handler', version.ref = 'netty' }
 
 # test scope
 bouncycastle-bcpkix = { module = 'org.bouncycastle:bcpkix-jdk18on', version = '1.80' }
+
+# Google Managed Service for Apache Kafka support
+google-managed-kafka-login-handler = {module = 'com.google.cloud.hosted.kafka:managed-kafka-auth-login-handler', version = '1.0.5'}
+google-oauth-client = { module = 'com.google.oauth-client:google-oauth-client', version = '1.39.0' }
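Review bot: The new `'SASL/GCP IAM'` entry maps to `com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler`, a callback-handler class, whereas every other JAAS_CONFIGS value is a JAAS LoginModule; if getJaasConfig builds a `<module> required ...;` string the way the sibling entries imply, the resulting `sasl.jaas.config` names a class the Kafka client cannot use as a LoginModule. Google's published client configuration for Managed Service for Apache Kafka pairs that handler with the standard OAUTHBEARER module, so the entry should read `'SASL/GCP IAM': 'org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule',` — the value the `'SASL/Azure Entra'` entry already uses. The JAAS_CONFIGS object starts outside the hunk and getJaasConfig's body is not visible here, so please verify against the string it emits.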
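Review bot: The new `'SASL/GCP IAM'` case in transformFormDataToPayload registers the GCP handler under `'sasl.client.callback.handler.class'`, but Google's published configuration registers it as the login callback handler, i.e. `sasl.login.callback.handler.class=com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler`; the two keys have different roles (login-time token acquisition and refresh vs. per-connection SASL client callbacks), and with the login key unset an OAUTHBEARER client falls back to its default unsecured login handler. Unless the handler is documented to work in the client-callback role, change the key to `'sasl.login.callback.handler.class':` and keep the class name as is. The `switch` and the enclosing function begin and end outside the hunk, so I cannot see whether other cases set the key the same way.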