  1. UX Product
  2. UXPROD-2935

NFR: Increase security of Kafka for mod-search


    Details

    • Type: New Feature
    • Status: Closed (View Workflow)
    • Priority: P2
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: R2 2021
    • Component/s: None
    • Labels:
      None
    • Template:
      UXPROD features
    • Epic Link:
    • Back End Estimate:
      Small < 3 days
    • Confidence factor:
      Medium
    • Estimation Notes and Assumptions:
      Assuming Kafka configuration on reference/rancher environments is out of scope.
    • Development Team:
      Falcon
    • Calculated Total Rank:
      0
    • PO Rank:
      0
    • Cap Plan Fix Version (DO NOT CHANGE):
      R2 2021

      Description

      Current situation or problem:
      Some concerns were raised in the community about how secure the direct connection will be. To address these concerns, a new solution was designed: https://wiki.folio.org/display/DD/Temporary+Kafka+security+solution.
      The solution was reviewed and approved by the Security group and Tech Council.

      Multi-tenancy on Kafka's side is implemented differently across the modules, so it will take time to make the changes in them that unify the multi-tenancy approach.
      However, the direct Kafka connections should be secured in R1, so a simplified version of the solution is proposed for now.

      In scope

      • Add module-level Kafka user credentials support to mod-search. The credentials should be provided to all producers and consumers of a module along with the other Kafka client settings.
      • Add TLS support to the same modules. As with the credentials, the TLS settings should be provided to all producers and consumers of a module along with the other Kafka client settings.

      Out of scope
      This work is also needed for Data Import and Remote Storage, but those applications/modules are managed by other dev teams.

      Proposed solution/How it could be implemented:

      • ModuleDescriptor should be updated to include the new Kafka settings: TLS and, for now, user credentials (the credentials could later be injected into the container a different way, for instance, as EnvironmentVariables)
      • Update the class that represents the Kafka config
      • Update the class(es) that create the config and assign it to Kafka producers and consumers
      • Test the updates
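
A sketch of the steps above, added here as an illustration and not taken from mod-search: one helper builds the TLS and credential settings and the result is merged into every producer and consumer config. The environment variable names and the SCRAM-SHA-512 mechanism are assumptions (the page names neither); the property keys are standard Kafka client settings.

```java
import java.util.Map;
import java.util.Properties;
// Added illustration: env var names and the SASL mechanism are assumptions, not mod-search's settings.
public class KafkaSecuritySettings {
    // Build the security settings once so every producer and consumer gets the same values.
    static Properties fromEnv(Map<String, String> env) {
        Properties p = new Properties();
        String user = env.get("KAFKA_USERNAME");                  // hypothetical variable name
        String pass = env.get("KAFKA_PASSWORD");                  // hypothetical variable name
        String trust = env.get("KAFKA_SSL_TRUSTSTORE_LOCATION");  // hypothetical variable name
        boolean tls = trust != null && !trust.isBlank();
        boolean creds = user != null && !user.isBlank();
        if (creds && (pass == null || pass.isEmpty())) {
            throw new IllegalStateException("Kafka user set without a password");
        }
        if (creds && !tls) {
            // The ticket asks for credentials and TLS together; refuse SASL on an unencrypted link.
            throw new IllegalStateException("Kafka credentials require TLS settings");
        }
        if (tls) {
            p.put("ssl.truststore.location", trust);
            String tp = env.get("KAFKA_SSL_TRUSTSTORE_PASSWORD"); // hypothetical variable name
            if (tp != null) p.put("ssl.truststore.password", tp);
            p.put("ssl.endpoint.identification.algorithm", "https"); // keep hostname verification on
        }
        if (creds) {
            p.put("sasl.mechanism", "SCRAM-SHA-512");             // assumed mechanism
            p.put("sasl.jaas.config",
                "org.apache.kafka.common.security.scram.ScramLoginModule required username=\""
                + escape(user) + "\" password=\"" + escape(pass) + "\";");
        }
        p.put("security.protocol", creds ? "SASL_SSL" : tls ? "SSL" : "PLAINTEXT");
        return p;
    }

    // Escape backslashes and quotes so a credential cannot end the quoted JAAS value early.
    static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    public static void main(String[] args) {
        Properties security = fromEnv(System.getenv());
        Properties producer = new Properties();
        producer.putAll(security);   // merged with the other producer settings
        Properties consumer = new Properties();
        consumer.putAll(security);   // merged with the other consumer settings
        System.out.println("security.protocol=" + security.getProperty("security.protocol"));
    }
}
```

With none of the variables set, the helper falls back to `PLAINTEXT`, which is the unsecured state this ticket is meant to remove; a deployment check should treat that value as a misconfiguration.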

      Links to additional info
      https://wiki.folio.org/display/DD/Temporary+Kafka+security+solution

      Additional information:
      At the TC meeting on March 3rd, 2021, it was decided that this work will be in scope for R2.

                People

                Assignee:
                magdaz Magda Zacharska
                Reporter:
                abreaux Ann-Marie Breaux
                Back End Estimator:
                Bohdan Suprun Bohdan Suprun