UXPROD-2931

NFR: Increase security of Kafka for Remote storage


Details

    • Very Small (VS) < 1day
    • Low
    • Large < 10 days
    • Firebird
    • 0
    • R2 2021

    Description

      Current situation or problem: Remote storage transactions use direct Kafka connections.

      Some concerns were raised in the community about how secure the direct connection will be. To address these concerns, a new solution was designed: https://wiki.folio.org/display/DD/Temporary+Kafka+security+solution.
      The solution was reviewed and approved by the Security group and Tech Council.

      Multi-tenancy on the Kafka side is implemented differently across the modules, so it will take time to change them to a unified multi-tenancy approach.
      However, the direct Kafka connections should be secured in R1, so a simplified version of the solution is proposed for now.

      In scope 

      • Add module-level Kafka user credentials support to Remote storage. The credentials should be provided to all producers and consumers of a module with other Kafka client settings. Changes in PubSub are required since once Kafka authentication and authorization are enabled, the PubSub will need to pass through them as well.
      • Add TLS support to the same modules.
        Same here, the settings should be provided to all producers and consumers of a module with other Kafka client settings.

      How it could be implemented:

      • ModuleDescriptor should be updated to include the new Kafka settings: TLS and, for now, user credentials (the credentials could later be injected into the container a different way, for instance as environment variables)
      • Update the class that represents the Kafka config
      • Update the class(es) that create the config and assign it to Kafka producers and consumers
      • Test the updates
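
The steps above could look like the following sketch, which is an added example and not code from the Remote storage module. The class, method and environment variable names are hypothetical, and the SASL mechanism (SCRAM-SHA-512) is an assumption, since the issue does not name one; the property keys are the standard Kafka client configuration names.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; class, method and environment variable names are hypothetical.
public class SecureKafkaClientSettings {

  // Security settings shared by every producer and consumer of a module.
  // Fails closed: a missing value stops startup instead of falling back to PLAINTEXT.
  public static Map<String, Object> securityProps(Map<String, String> env) {
    Map<String, Object> props = new HashMap<>();
    props.put("security.protocol", "SASL_SSL");   // credentials only travel over TLS
    props.put("sasl.mechanism", "SCRAM-SHA-512"); // assumption: the issue names no mechanism
    props.put("sasl.jaas.config",
        "org.apache.kafka.common.security.scram.ScramLoginModule required"
            + " username=\"" + escape(required(env, "KAFKA_USERNAME")) + "\""
            + " password=\"" + escape(required(env, "KAFKA_PASSWORD")) + "\";");
    props.put("ssl.truststore.location", required(env, "KAFKA_SSL_TRUSTSTORE_LOCATION"));
    props.put("ssl.truststore.password", required(env, "KAFKA_SSL_TRUSTSTORE_PASSWORD"));
    props.put("ssl.endpoint.identification.algorithm", "https"); // hostname verification on
    return props;
  }

  // Merges the shared security settings into one client's own settings.
  public static Map<String, Object> clientProps(Map<String, Object> base, Map<String, String> env) {
    Map<String, Object> merged = new HashMap<>(base);
    merged.putAll(securityProps(env)); // security settings override anything in base
    return merged;
  }

  private static String required(Map<String, String> env, String key) {
    String value = env.get(key);
    if (value == null || value.isBlank()) {
      throw new IllegalStateException("Missing required Kafka setting: " + key);
    }
    return value;
  }

  // Escapes backslashes and double quotes so a credential cannot break out of the quoted JAAS value.
  private static String escape(String s) {
    return s.replace("\\", "\\\\").replace("\"", "\\\"");
  }

  public static void main(String[] args) {
    // Constructed sample values; a real deployment would pass System.getenv().
    Map<String, String> env = Map.of(
        "KAFKA_USERNAME", "mod-remote-storage", "KAFKA_PASSWORD", "s3cr\"et",
        "KAFKA_SSL_TRUSTSTORE_LOCATION", "/etc/kafka/truststore.jks",
        "KAFKA_SSL_TRUSTSTORE_PASSWORD", "changeit");
    clientProps(Map.of("bootstrap.servers", "kafka:9093"), env).forEach((k, v) ->
        System.out.println(k + "=" + (k.contains("password") || k.contains("jaas") ? "****" : v)));
  }
}
```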

      Out of scope
      This work is also needed for ElasticSearch and Data import, but those applications/modules are managed by other dev teams.

      Links to additional info
      https://wiki.folio.org/display/DD/Temporary+Kafka+security+solution.

      Questions

              People

                stephaniesbuck Stephanie Buck