Remove cyrus-sasl runtime dependency by dropping gssapi feature

sionsmith · claude · sionsmith · commit 2fa88f4458e9 · 2026-02-27T07:29:32.000Z
The gssapi feature on rdkafka pulled in cyrus-sasl as a dynamic library
dependency, causing dyld errors on macOS when cyrus-sasl wasn't installed
via Homebrew. Since gssapi is only needed for Kerberos authentication,
and SASL/SCRAM and SASL/PLAIN are built into librdkafka natively, this
removes it from the default build. Kerberos users can opt in by building
from source with the gssapi feature re-enabled — documented in
docs/configuration.md.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -21,7 +21,7 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y cmake libssl-dev libsasl2-dev pkg-config
+          sudo apt-get install -y cmake libssl-dev pkg-config
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -62,7 +62,7 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y cmake libssl-dev libsasl2-dev pkg-config
+          sudo apt-get install -y cmake libssl-dev pkg-config
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/semver-check.yml b/.github/workflows/semver-check.yml
@@ -18,7 +18,7 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y cmake libssl-dev libsasl2-dev pkg-config
+          sudo apt-get install -y cmake libssl-dev pkg-config
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -31,7 +31,7 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y cmake libssl-dev libsasl2-dev pkg-config
+          sudo apt-get install -y cmake libssl-dev pkg-config
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
@@ -69,7 +69,7 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y cmake libssl-dev libsasl2-dev pkg-config
+          sudo apt-get install -y cmake libssl-dev pkg-config
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
@@ -107,7 +107,7 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y cmake libssl-dev libsasl2-dev pkg-config
+          sudo apt-get install -y cmake libssl-dev pkg-config
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,7 +16,7 @@ rust-version = "1.75"
 
 [workspace.dependencies]
 # Kafka
-rdkafka = { version = "0.38", features = ["cmake-build", "ssl", "gssapi"] }
+rdkafka = { version = "0.38", features = ["cmake-build", "ssl"] }
 
 # Arrow ecosystem
 arrow = { version = "54", features = ["csv", "json", "prettyprint"] }
diff --git a/Dockerfile b/Dockerfile
@@ -8,7 +8,6 @@ WORKDIR /build
 RUN apt-get update && apt-get install -y \
     cmake \
     libssl-dev \
-    libsasl2-dev \
     pkg-config \
     && rm -rf /var/lib/apt/lists/*
 
@@ -25,7 +24,6 @@ FROM debian:bookworm-slim
 RUN apt-get update && apt-get install -y \
     ca-certificates \
     libssl3 \
-    libsasl2-2 \
     curl \
     && rm -rf /var/lib/apt/lists/*
 
diff --git a/README.md b/README.md
@@ -265,7 +265,8 @@ K2I supports multiple Iceberg catalog backends:
 - Rust 1.85+ (for edition 2024)
 - CMake
 - OpenSSL development libraries
-- SASL development libraries
+
+> **Kerberos support:** If you need Kerberos (GSSAPI) authentication, add `"gssapi"` to the rdkafka features in `Cargo.toml` and install `cyrus-sasl` (`brew install cyrus-sasl` on macOS, `libsasl2-dev` on Debian/Ubuntu). See [Building with Kerberos Support](docs/configuration.md#building-with-kerberos-support) for details.
 
 ```bash
 # Clone the repository
diff --git a/dist-workspace.toml b/dist-workspace.toml
@@ -13,7 +13,7 @@ ci = "github"
 installers = ["shell", "homebrew"]
 # Target platforms to build apps for (Rust target-triple syntax)
 # Note: aarch64-unknown-linux-gnu removed - requires ARM runners not available for private repos
-# Note: x86_64-pc-windows-msvc removed - OpenSSL and SASL dependencies are complex on Windows
+# Note: x86_64-pc-windows-msvc removed - OpenSSL dependencies are complex on Windows
 targets = ["aarch64-apple-darwin", "x86_64-apple-darwin", "x86_64-unknown-linux-gnu"]
 # Path that installers should place binaries in
 install-path = "CARGO_HOME"
@@ -32,11 +32,9 @@ publish-jobs = ["homebrew"]
 [dist.dependencies.apt]
 cmake = { version = "*", targets = ["x86_64-unknown-linux-gnu"] }
 libssl-dev = { version = "*", targets = ["x86_64-unknown-linux-gnu"] }
-libsasl2-dev = { version = "*", targets = ["x86_64-unknown-linux-gnu"] }
 pkg-config = { version = "*", targets = ["x86_64-unknown-linux-gnu"] }
 
 [dist.dependencies.homebrew]
 cmake = { version = "*", targets = ["x86_64-apple-darwin", "aarch64-apple-darwin"] }
 openssl = { version = "*", targets = ["x86_64-apple-darwin", "aarch64-apple-darwin"] }
-cyrus-sasl = { version = "*", targets = ["x86_64-apple-darwin", "aarch64-apple-darwin"] }
 pkg-config = { version = "*", targets = ["x86_64-apple-darwin", "aarch64-apple-darwin"] }
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -135,6 +135,8 @@ Optional section for authenticated Kafka clusters.
 | `SCRAM-SHA-256` | Salted challenge-response (recommended) |
 | `SCRAM-SHA-512` | Stronger variant of SCRAM |
 
+> **Kerberos (GSSAPI):** Kerberos authentication is not included in the default build. To enable it, you must build k2i from source with the `gssapi` feature. See [Building with Kerberos Support](#building-with-kerberos-support) below.
+
 ---
 
 ## Iceberg Configuration
@@ -521,3 +523,58 @@ health_port = 8080
 log_level = "debug"
 log_format = "text"
 ```
+
+---
+
+## Building with Kerberos Support
+
+The default k2i binary supports SASL mechanisms `PLAIN`, `SCRAM-SHA-256`, and `SCRAM-SHA-512`. If your Kafka cluster requires **Kerberos (GSSAPI)** authentication, you need to build from source with the `gssapi` feature enabled.
+
+### Prerequisites
+
+Install the SASL development libraries:
+
+**macOS:**
+```bash
+brew install cyrus-sasl
+```
+
+**Debian/Ubuntu:**
+```bash
+sudo apt-get install libsasl2-dev
+```
+
+**RHEL/Fedora:**
+```bash
+sudo dnf install cyrus-sasl-devel
+```
+
+### Build
+
+Override the rdkafka features when building:
+
+```bash
+git clone https://github.com/osodevops/k2i.git
+cd k2i
+
+# Edit Cargo.toml to add "gssapi" to the rdkafka features:
+#   rdkafka = { version = "0.38", features = ["cmake-build", "ssl", "gssapi"] }
+
+cargo build --release -p k2i-cli
+```
+
+### Docker
+
+To build a Docker image with Kerberos support, add `libsasl2-dev` to the builder stage and `libsasl2-2` to the runtime stage in the Dockerfile, and add `"gssapi"` to the rdkafka features in `Cargo.toml` before building.
+
+### Configuration
+
+Once built with Kerberos support, configure GSSAPI authentication:
+
+```toml
+[kafka.security]
+protocol = "SASL_SSL"
+sasl_mechanism = "GSSAPI"
+```
+
+Ensure your Kerberos keytab and `krb5.conf` are properly configured on the host.
diff --git a/docs/deployment.md b/docs/deployment.md
@@ -59,7 +59,6 @@ WORKDIR /build
 RUN apt-get update && apt-get install -y \
     cmake \
     libssl-dev \
-    libsasl2-dev \
     pkg-config \
     && rm -rf /var/lib/apt/lists/*
 
@@ -75,7 +74,6 @@ FROM debian:bookworm-slim
 RUN apt-get update && apt-get install -y \
     ca-certificates \
     libssl3 \
-    libsasl2-2 \
     && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /build/target/release/k2i /usr/local/bin/k2i
