Type: New Feature
Status: Closed
Affects Version/s: None
Fix Version/s: R2 2021
Back End Estimate: Small < 3 days
Estimation Notes and Assumptions: Assuming Kafka configuration on reference/rancher environments is out of scope.
Calculated Total Rank: 0
Cap Plan Fix Version (DO NOT CHANGE): R2 2021
Current situation or problem:
Concerns were raised in the community about how secure the direct connection will be. To address these concerns, a new solution was designed: https://wiki.folio.org/display/DD/Temporary+Kafka+security+solution.
The solution was reviewed and approved by the Security group and Tech Council.
Multi-tenancy on the Kafka side is implemented differently across the modules, so changing them to unify the multi-tenancy approach will take time.
However, the direct Kafka connections should be secured in R1, so a simplified version of the solution is proposed for now.
- Add module-level Kafka user credentials support to mod-search. The credentials should be provided to all producers and consumers of a module along with the other Kafka client settings.
- Add TLS support to the same modules. As with the credentials, the TLS settings should be provided to all producers and consumers of a module along with the other Kafka client settings.
Out of scope
This work is also needed for Data Import and Remote Storage, but those applications/modules are managed by other dev teams.
Proposed solution/How it could be implemented:
- ModuleDescriptor should be updated to include the new Kafka settings: TLS and, for now, user credentials (the credentials could later be injected into the container in a different way, for instance as environment variables)
- Update the class that represents the Kafka config
- Update the class(es) that create and assign the config to Kafka producers and consumers
- Test the updates
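One way to implement the steps above, as an added example that is not mod-search code: a single helper builds the TLS and credential settings and merges them into the settings of every producer and consumer. The environment variable names, the SCRAM-SHA-512 mechanism and the required truststore are assumptions; the page names none of them.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.SslConfigs;

// Added example, not mod-search code. Environment variable names are hypothetical.
public final class KafkaSecurityProps {

  /** Security settings shared by every producer and consumer of the module. */
  static Map<String, Object> securityProps(Map<String, String> env) {
    String user = required(env, "KAFKA_USER");
    String password = required(env, "KAFKA_PASSWORD");
    Map<String, Object> props = new HashMap<>();
    // SASL_SSL: the credentials are only sent inside a TLS session.
    props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
    // Assumption: the broker offers SCRAM-SHA-512; the page does not name a mechanism.
    props.put(SaslConfigs.SASL_MECHANISM, "SCRAM-SHA-512");
    props.put(SaslConfigs.SASL_JAAS_CONFIG,
        "org.apache.kafka.common.security.scram.ScramLoginModule required"
            + " username=\"" + escape(user) + "\" password=\"" + escape(password) + "\";");
    // Assumption: the broker certificate is issued by a private CA, so a truststore is required.
    props.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, required(env, "KAFKA_TRUSTSTORE_LOCATION"));
    props.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, required(env, "KAFKA_TRUSTSTORE_PASSWORD"));
    return props;
  }

  /** Merges a client's existing settings with the security settings. */
  static Map<String, Object> withSecurity(Map<String, Object> clientProps, Map<String, String> env) {
    Map<String, Object> merged = new HashMap<>(clientProps);
    merged.putAll(securityProps(env)); // security keys win over anything set earlier
    return merged;
  }

  // Fail closed: a missing value must not silently downgrade the client to PLAINTEXT.
  private static String required(Map<String, String> env, String name) {
    String value = env.get(name);
    if (value == null || value.isBlank()) {
      throw new IllegalStateException("Missing Kafka security setting: " + name);
    }
    return value;
  }

  // Quotes and backslashes must be escaped inside a quoted JAAS option value.
  private static String escape(String s) {
    return s.replace("\\", "\\\\").replace("\"", "\\\"");
  }
}
```

Passing `System.getenv()` as `env` and calling `withSecurity` from the one place that creates producer and consumer configs keeps every client of the module on the same credentials and TLS settings.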
Links to additional info
At the TC meeting on March 3rd, 2021, it was decided that this work will be in scope for R2.