[UXPROD-2929] NFR: Increase security of Kafka for Data Import and PubSub - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: New Feature
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: None
Fix Version/s: R2 2021
Component/s: None
Labels:

Template:

UXPROD features
Epic Link:
Batch Importer (Bib/Acq)
Front End Estimate:
Very Small (VS) < 1day
Front-End Confidence factor:
Medium
Back End Estimate:
Large < 10 days
Development Team:
Folijet
Calculated Total Rank:
PO Rank:
113
Cap Plan Fix Version (DO NOT CHANGE):
R2 2021

Description

Next step: abreaux plan a meeting the week of 19 April with team leads and POs and Vasily to discuss implementation, and draft spikes and stories

Latest documentation: https://wiki.folio.org/pages/viewpage.action?spaceKey=FOLIJET&title=Enabling+SSL+and+ACL+for+Kafka

Current situation or problem: In Iris, Data import has migrated most of its transactions (but not all) to direct Kafka connections instead of mod-pubsub.

There were some concerns raised in the community regarding how secure the direct connection will be. To address these concerns, the new solution was designed: https://wiki.folio.org/display/DD/Temporary+Kafka+security+solution.
The solution was reviewed and approved by the Security group and Tech Council.

Multi-tenancy on Kafka's side is implemented for the modules differently, so it will take time to make the changes in them that unify the multi-tenancy approach.
However, the direct Kafka connections should be secured in R1, so a simplified version of the solution is proposed for now.

In scope

Add module-level Kafka user credentials support to Data import and PubSub modules. The credentials should be provided to all producers and consumers of a module with other Kafka client settings. Changes in PubSub are required since once Kafka authentication and authorization are enabled, the PubSub will need to pass through them as well.
Add TLS (Transport Layer Security) support to the same modules. Same here, the settings should be provided to all producers and consumers of a module with other Kafka client settings.

Out of scope
This work is also needed for ElasticSearch and Remote Storage, but those applications/modules are managed by other dev teams

Proposed solution/How it could be implemented:

ModuleDescriptor should be updated to include the new Kafka settings: TLS, and, for now, user credentials (the credentials later could be injected to container a different way, for instance, as EnvironmentVariables)
Update a class that represents Kafka config
Update a class(es) that creates and assigns the config to Kafka producers and consumers
Test the updates

Links to additional info
https://wiki.folio.org/display/DD/Temporary+Kafka+security+solution

Questions

TestRail: Results

Attachments

Issue Links

defines

UXPROD-47 Batch Importer (Bib/Acq)

Analysis Complete

is cloned by

UXPROD-2935 NFR: Increase security of Kafka for mod-search

Closed

is defined by

MODDATAIMP-435 Review DevOps work, test, and create additional stories, if needed

Closed

MODPUBSUB-171 Provide properties for Kafka security in kafka-wrapper

Closed

MODPUBSUB-182 Provide properties for Kafka security in mod-pubsub

Closed

is duplicated by

MODPUBSUB-54 SPIKE: Design Security for pub-sub

Closed

relates to

UXPROD-2931 NFR: Increase security of Kafka for Remote storage

Closed

(1 is duplicated by, 1 relates to)

Activity

People

Assignee:: Ann-Marie Breaux

Reporter:: Ann-Marie Breaux

Front End Estimator:: Ann-Marie Breaux

Back End Estimator:: Oleksii Kuzminov

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 02/Mar/21 5:12 PM

Updated:: 12/Jul/21 2:43 PM

Resolved:: 12/Jul/21 2:43 PM

NFR: Increase security of Kafka for Data Import and PubSub