Support Azure Event Hubs Kafka with SASL OAUTHBEARER (Managed Identity) #1696

@aisog

Description

Issue submitter TODO list

  • I've searched for already existing issues here
  • I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

Summary

Kafka UI cannot connect to Azure Event Hubs for Kafka when using OAuth Bearer authentication with Managed Identity (passwordless). The Kafka
Java client fails with:

java.io.IOException: No OAuth Bearer tokens in Subject's private credentials

because the default OAuthBearerLoginModule does not obtain tokens from Azure; a custom AuthenticateCallbackHandler is required, and the current
image does not provide one or a way to plug it in.

Environment

  • Image: ghcr.io/kafbat/kafka-ui:main (Kafbat Kafka UI)
  • Backend: Azure Event Hubs (Kafka-compatible API), port 9093, SASL_SSL + OAUTHBEARER
  • Auth: Azure Managed Identity (Workload Identity on Kubernetes) — no connection string, no client secret
  • JAAS: KafkaClient { org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required; };

Problem

When configuring a cluster with:

  • security.protocol=SASL_SSL
  • sasl.mechanism=OAUTHBEARER
  • JAAS config pointing to OAuthBearerLoginModule

the Apache Kafka Java client expects an OAuth Bearer token to be supplied via the SASL login callback. The standard OAuthBearerLoginModule does
not fetch tokens from Azure (or any cloud provider). Something must implement AuthenticateCallbackHandler, obtain the token (e.g. from Azure
IMDS / Managed Identity or Azure Identity SDK), and pass it to the client via OAuthBearerTokenCallback. That handler must be:

  1. On the application classpath, and
  2. Set in the client config as sasl.login.callback.handler.class.

Kafka UI’s stock image does not include such a handler. As a result, users who want to use Azure Event Hubs with managed identity only (no
connection string, no SAS key) cannot use Kafka UI out of the box.

Describe the feature you're interested in

Expected behavior

Either:

  • Kafka UI supports Azure Event Hubs with OAuth Bearer + Managed Identity without requiring a custom Docker image, e.g. by:

    • shipping an optional Azure OAuth callback handler (and its dependencies) and documenting the required Kafka client properties (e.g. sasl.login.callback.handler.class, AZURE_CLIENT_ID, etc.), or
    • providing a documented, supported way to plug in a custom handler (e.g. via classpath or config), or
  • The documentation clearly states that Azure Event Hubs with only Managed Identity (no connection string) is not supported and recommends
    alternatives (e.g. connection string + SASL PLAIN for the UI, or a custom image).

Describe alternatives you've considered

Workaround (current)

We have to either:

  1. Build a custom image based on ghcr.io/kafbat/kafka-ui that adds a JAR (and dependencies) implementing an Azure Managed Identity
    AuthenticateCallbackHandler (e.g. from [Azure’s sample](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth/java/managedidentity)
    or using Azure Identity SDK), then set KAFKA_CLUSTERS_0_PROPERTIES_SASL_LOGIN_CALLBACK_HANDLER_CLASS to that class, or
  2. Use a connection string for Kafka UI only (SASL PLAIN with $ConnectionString and the connection string as password), which is not passwordless
    and requires storing the connection string.

Feature request

  • Option A: Add first-class support for Azure Event Hubs with Managed Identity: include an optional Azure OAuth callback handler (or dependency)
    and document the Kafka client properties and environment variables (e.g. AZURE_CLIENT_ID, namespace, workload identity).
  • Option B: At minimum, document that OAUTHBEARER with cloud providers (Azure, GCP, etc.) may require a custom callback handler and a custom image,
    and point to examples (e.g. Azure Event Hubs for Kafka Java OAuth sample).

Thank you for maintaining Kafka UI.

Version you're running

ghcr.io/kafbat/kafka-ui:main

Additional context

No response
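The handler the issue describes, as an added example that is neither Kafka UI's code nor the Azure sample: it implements AuthenticateCallbackHandler, gets a token from Azure Identity's DefaultAzureCredential (which covers Workload Identity and IMDS), and returns it through OAuthBearerTokenCallback. The class name, the scope form `https://<namespace>.servicebus.windows.net/.default` derived from bootstrap.servers, and the principal name are assumptions; kafka-clients and azure-identity are assumed to be on the classpath, and the class is wired in with sasl.login.callback.handler.class (KAFKA_CLUSTERS_0_PROPERTIES_SASL_LOGIN_CALLBACK_HANDLER_CLASS in Kafka UI).

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import com.azure.core.credential.*;
import com.azure.identity.DefaultAzureCredentialBuilder;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;

/** Hypothetical handler: obtains an Entra ID token for Event Hubs and hands it to the SASL/OAUTHBEARER login. */
public class AzureManagedIdentityCallbackHandler implements AuthenticateCallbackHandler {
    private String audienceScope;        // assumed form: https://<namespace>.servicebus.windows.net/.default
    private TokenCredential credential;

    @Override public void configure(Map<String, ?> configs, String saslMechanism,
                                    List<AppConfigurationEntry> jaasConfigEntries) {
        if (!"OAUTHBEARER".equals(saslMechanism)) {
            throw new IllegalArgumentException("Unexpected SASL mechanism: " + saslMechanism);
        }
        // Derive the audience from bootstrap.servers, e.g. "<namespace>.servicebus.windows.net:9093".
        String host = String.valueOf(configs.get("bootstrap.servers")).split(",")[0].split(":")[0];
        audienceScope = "https://" + host + "/.default";
        // DefaultAzureCredential tries Workload Identity (AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE), then IMDS.
        credential = new DefaultAzureCredentialBuilder().build();
    }

    @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof OAuthBearerTokenCallback)) throw new UnsupportedCallbackException(cb);
            ((OAuthBearerTokenCallback) cb).token(fetchToken());
        }
    }

    private OAuthBearerToken fetchToken() {
        AccessToken at = credential.getToken(new TokenRequestContext().addScopes(audienceScope)).block();
        if (at == null) throw new IllegalStateException("Azure credential returned no token");
        long expiresMs = at.getExpiresAt().toInstant().toEpochMilli();
        long issuedMs = System.currentTimeMillis();
        return new OAuthBearerToken() {   // the client calls handle() again before lifetimeMs() passes
            public String value() { return at.getToken(); }
            public Set<String> scope() { return Set.of(audienceScope); }
            public long lifetimeMs() { return expiresMs; }
            public String principalName() { return "azure-managed-identity"; } // placeholder; client-side only
            public Long startTimeMs() { return issuedMs; }
        };
    }
    @Override public void close() { }
}
```

Because lifetimeMs() is taken from the token's real expiry, the Kafka client's login refresh thread re-invokes handle() before the token expires, so a pod that keeps running does not need a restart to pick up a fresh token.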