BE: Auth: Support GCP IAM Auth (#1013)

Muchembi · germanosin · web-flow · commit b768df601464 · 2025-05-01T12:41:09.000Z
Co-authored-by: German Osin &lt;german.osin@gmail.com&gt;
diff --git a/api/build.gradle b/api/build.gradle
@@ -62,6 +62,15 @@ dependencies {
     implementation libs.netty.common
     implementation libs.netty.handler
 
+
+    // Google Managed Service for Kafka IAM support
+    implementation (libs.google.managed.kafka.login.handler) {
+        exclude group: 'com.google.oauth-client', module: 'google-oauth-client'
+    }
+    implementation (libs.google.oauth.client) {
+        because("CVE Fix: It is excluded above because of a vulnerability")
+    }
+
     // Annotation processors
     implementation libs.lombok
     implementation libs.mapstruct
diff --git a/frontend/src/lib/constants.ts b/frontend/src/lib/constants.ts
@@ -94,6 +94,7 @@ export const AUTH_OPTIONS = [
   { value: 'SASL/LDAP', label: 'SASL/LDAP' },
   { value: 'SASL/AWS IAM', label: 'SASL/AWS IAM' },
   { value: 'SASL/Azure Entra', label: 'SASL/Azure Entra' },
+  { value: 'SASL/GCP IAM', label: 'SASL/GCP IAM' },
   { value: 'mTLS', label: 'mTLS' },
 ];
 
diff --git a/frontend/src/widgets/ClusterConfigForm/schema.ts b/frontend/src/widgets/ClusterConfigForm/schema.ts
@@ -144,6 +144,7 @@ const authPropsSchema = lazy((_, { parent }) => {
         awsProfileName: string(),
       });
     case 'SASL/Azure Entra':
+    case 'SASL/GCP IAM':
     case 'mTLS':
     default:
       return mixed().optional();
diff --git a/frontend/src/widgets/ClusterConfigForm/utils/getJaasConfig.ts b/frontend/src/widgets/ClusterConfigForm/utils/getJaasConfig.ts
@@ -11,6 +11,7 @@ const JAAS_CONFIGS = {
   'SASL/AWS IAM': 'software.amazon.msk.auth.iam.IAMLoginModule',
   'SASL/Azure Entra':
     'org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule',
+  'SASL/GCP IAM': 'com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler',
 };
 
 type MethodName = keyof typeof JAAS_CONFIGS;
diff --git a/frontend/src/widgets/ClusterConfigForm/utils/transformFormDataToPayload.ts b/frontend/src/widgets/ClusterConfigForm/utils/transformFormDataToPayload.ts
@@ -272,6 +272,15 @@ export const transformFormDataToPayload = (data: ClusterConfigFormValues) => {
           'sasl.jaas.config': getJaasConfig('SASL/Azure Entra', {}),
         };
         break;
+      case 'SASL/GCP IAM':
+        config.properties = {
+          'security.protocol': securityProtocol,
+          'sasl.mechanism': 'OAUTHBEARER',
+          'sasl.client.callback.handler.class':
+            'com.google.cloud.hosted.kafka.auth.GcpLoginCallbackHandler',
+          'sasl.jaas.config': getJaasConfig('SASL/GCP IAM', {}),
+        };
+        break;
       case 'mTLS':
         config.properties = {
           'security.protocol': 'SSL',
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -133,3 +133,7 @@ netty-handler = { module = 'io.netty:netty-handler', version.ref = 'netty' }
 
 # test scope
 bouncycastle-bcpkix = { module = 'org.bouncycastle:bcpkix-jdk18on', version = '1.80' }
+
+# Google Managed Service for Apache Kafka support
+google-managed-kafka-login-handler = {module = 'com.google.cloud.hosted.kafka:managed-kafka-auth-login-handler', version = '1.0.5'}
+google-oauth-client = { module = 'com.google.oauth-client:google-oauth-client', version = '1.39.0' }
