Skip to content

Azure Entra Support #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Sep 19, 2024
Merged

Azure Entra Support #18

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
54b4528
Documented Azure Entra authentication
Aug 1, 2024
d6a758c
Updated Entra documentation credential section
Aug 13, 2024
6859f72
Updated Entra documentation credential section
Aug 13, 2024
fdc453c
Merge pull request #1 from tnewman-at-gm/Feature/Azure-entra
Aug 26, 2024
7a077e2
Fixed SASL Azure callback handler
Aug 27, 2024
1c016f0
Merge pull request #2 from tnewman-at-gm/Feature/Azure-entra
Aug 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions configuration/authentication/azure-entra.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
---
description: How to configure Azure Entra Authentication
---

# Azure Entra

## Overview
Kafbat UI comes with an OAuth Callback Handler for
[Azure Event Hubs for Kafka](https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/migrate-kafka-to-passwordless-connection?tabs=azure-portal%2Csign-in-azure-cli%2Cjava-kafka%2Capp-service%2Cassign-role-service-connector).

The Callback Handler uses the
[Default Azure Credential](https://learn.microsoft.com/en-us/azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential) for authentication,
providing support for all commonly used Entra credentials.

Pre-requisites:
1. An Event Hub Namespace in the standard, premium or dedicated tiers.
2. An Event Hub.
3. Entra Credentials for an Entra Identity with a role assignment allowing
sending to and receiving from Event Hub, such as Azure Event Hubs Data Owner.

## Examples

Please replace `<EVENT HUB NAMESPACE NAME>` with the name of your Event Hub namespace.

Prior to starting Kafbat UI, authenticate with Azure Entra using any of the supported
Azure Credential types (Environment Variable, Managed Identity, Azure CLI, etc.).
See [Default Azure Credential](https://learn.microsoft.com/en-us/azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential)
for additional configuration required based on the credential type.

As an example, after authenticating with the Azure CLI using `az login` Kafbat UI will
automatically connect to Event Hubs using CLI credentials.

### Docker

```bash
docker run -p 8080:8080 \
-e KAFKA_CLUSTERS_0_NAME=local \
-e KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=<EVENT HUB NAMESPACE NAME>.servicebus.windows.net:9093 \
-e KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL \
-e KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=OAUTHBEARER \
-e KAFKA_CLUSTERS_0_PROPERTIES_SASL_CLIENT_CALLBACK_HANDLER_CLASS=io.kafbat.ui.config.auth.azure.AzureEntraLoginCallbackHandler \
-e KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG="org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;" \
-d ghcr.io/kafbat/kafka-ui
```

### application.yaml
```yaml
kafka:
clusters:
- bootstrapServers:<EVENT HUB NAMESPACE NAME>.servicebus.windows.net:9093
name: local
properties:
security.protocol: SASL_SSL
sasl.mechanism: OAUTHBEARER
sasl.jaas.config:
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
sasl.client.callback.handler.class: io.kafbat.ui.config.auth.azure.AzureEntraLoginCallbackHandler
readOnly: false
```