Requests (UXPROD-790)

[UXPROD-2931] NFR: Increase security of Kafka for Remote storage Created: 02/Mar/21  Updated: 21/Jun/21  Resolved: 21/Jun/21

Status: Closed
Project: UX Product
Components: None
Affects versions: None
Fix versions: R2 2021
Parent: Requests

Type: New Feature Priority: P2
Reporter: Stephanie Buck Assignee: Stephanie Buck
Resolution: Done Votes: 0
Labels: NFR, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
is defined by MODRS-62 Kafka security improvement Closed
Relates
relates to UXPROD-2929 NFR: Increase security of Kafka for D... Closed
Epic Link: Requests
Front End Estimate: Very Small (VS) < 1day
Front-End Confidence factor: Low
Back End Estimate: Large < 10 days
Development Team: Firebird
PO Rank: 0
Cap Plan Fix Version (DO NOT CHANGE): R2 2021

 Description   

Current situation or problem: Remote storage transactions use direct Kafka connections.

Some concerns were raised in the community about how secure the direct connection will be. To address these concerns, a new solution was designed: https://folio-org.atlassian.net/wiki/display/DD/Temporary+Kafka+security+solution.
The solution was reviewed and approved by the Security group and Tech Council.

Multi-tenancy on Kafka's side is implemented for the modules differently, so it will take time to make the changes in them that unify the multi-tenancy approach.
However, the direct Kafka connections should be secured in R1, so a simplified version of the solution is proposed for now.

In scope 

  • Add module-level Kafka user credentials support to Remote storage. The credentials should be provided to all producers and consumers of a module along with the other Kafka client settings. Changes in PubSub are required because, once Kafka authentication and authorization are enabled, PubSub will need to pass through them as well.
  • Add TLS support to the same modules.
    Same here, the settings should be provided to all producers and consumers of a module with other Kafka client settings.

How it could be implemented:

  • ModuleDescriptor should be updated to include the new Kafka settings: TLS and, for now, user credentials (the credentials could later be injected into the container in a different way, for instance as environment variables)
  • Update the class that represents the Kafka config
  • Update the class(es) that create the config and assign it to Kafka producers and consumers
  • Test the updates
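
As an added illustration (not code from the FOLIO modules), the Java example below builds one security block from environment variables and merges it into both producer and consumer settings, failing closed when a value is missing. The environment variable names, the SCRAM-SHA-512 mechanism and the sample values are assumptions; the Kafka property keys are the standard client settings.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

public class KafkaSecurityConfig {
    // Builds the security settings. Variable names are hypothetical; the ticket does not define them.
    static Map<String, String> securitySettings(Map<String, String> env) {
        Map<String, String> s = new HashMap<>();
        // SASL_SSL = authentication over TLS; there is no PLAINTEXT fallback.
        s.put("security.protocol", "SASL_SSL");
        s.put("sasl.mechanism", "SCRAM-SHA-512"); // assumption: broker uses SCRAM users
        s.put("sasl.jaas.config",
            "org.apache.kafka.common.security.scram.ScramLoginModule required username=\""
                + escape(require(env, "KAFKA_SASL_USERNAME")) + "\" password=\""
                + escape(require(env, "KAFKA_SASL_PASSWORD")) + "\";");
        s.put("ssl.truststore.location", require(env, "KAFKA_SSL_TRUSTSTORE_LOCATION"));
        s.put("ssl.truststore.password", require(env, "KAFKA_SSL_TRUSTSTORE_PASSWORD"));
        s.put("ssl.endpoint.identification.algorithm", "https"); // keep hostname verification on
        return s;
    }
    // Fail closed: a missing setting stops start-up instead of connecting unauthenticated.
    static String require(Map<String, String> env, String key) {
        String v = env.get(key);
        if (v == null || v.isBlank()) {
            throw new IllegalStateException("Missing Kafka security setting: " + key);
        }
        return v;
    }
    // Escape backslash and double quote for the quoted JAAS value.
    static String escape(String v) {
        return v.replace("\\", "\\\\").replace("\"", "\\\"");
    }
    // The same security block goes to producers and consumers, merged with their other settings.
    static Properties clientProps(Map<String, String> base, Map<String, String> env) {
        Properties p = new Properties();
        p.putAll(base);
        p.putAll(securitySettings(env));
        return p;
    }
    public static void main(String[] args) {
        Map<String, String> env = Map.of( // constructed sample values; use System.getenv() in a module
            "KAFKA_SASL_USERNAME", "remote-storage-user",
            "KAFKA_SASL_PASSWORD", "example\"secret",
            "KAFKA_SSL_TRUSTSTORE_LOCATION", "/etc/kafka/truststore.jks",
            "KAFKA_SSL_TRUSTSTORE_PASSWORD", "changeit");
        Properties producer = clientProps(Map.of("bootstrap.servers", "kafka:9093", "acks", "all"), env);
        Properties consumer = clientProps(Map.of("bootstrap.servers", "kafka:9093", "group.id", "remote-storage"), env);
        // Print only non-secret keys; never log sasl.jaas.config or the truststore password.
        System.out.println(producer.getProperty("security.protocol") + " " + consumer.getProperty("sasl.mechanism"));
    }
}
```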

Out of scope
This work is also needed for ElasticSearch and Data import, but those applications/modules are managed by other dev teams.

Links to additional info
https://folio-org.atlassian.net/wiki/display/DD/Temporary+Kafka+security+solution.

 Comments   
Comment by Ann-Marie Breaux (Inactive) [ 04/Mar/21 ]

Reviewed at Tech Council this week; decided that the work does not need to be done until R2 2021/Juniper

Comment by Khalilah Gambrell [ 03/Jun/21 ]

Stephanie Buck, can this feature be moved to In Progress?

Generated at Fri Feb 09 00:28:01 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.