...
Plugin development in Kong requires knowledge of the Lua language, but the Eureka team has limited experience with it.
Option 1.2
At the moment the scheduler executes jobs created from timer interfaces on behalf of a system user that is granted access to all resources in the system. This system user is created automatically during the tenant entitlement process by mod-users-keycloak. Also, a sidecar does not perform any authorization checks when it receives a request to call a timer endpoint of the module, even though the authorization context contains the system user's token.
The idea is to keep using this system user but enable authorization checks in the sidecar for timer endpoints. This way only users that have been granted access will be allowed to call timer interfaces. The existing system user already has access to all resources, including timer ones, so authorization will succeed for it. On the other hand, if a timer interface is called by an arbitrary user without the proper rights, the request will be rejected by the sidecar as forbidden.
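To make the sidecar check described above concrete, the following is an added Python illustration, not Eureka, mod-scheduler or sidecar code. It assumes a FOLIO-style module descriptor whose `_timer` interface declares `permissionsRequired` per handler, and it models the system user's blanket access as the set of every permission the module declares; the descriptor, the module name `mod-example` and the permission names are constructed for this example.

```python
"""Sidecar-style authorization check for timer endpoints (added illustration)."""
import re
from dataclasses import dataclass

ALLOW, FORBIDDEN, NOT_TIMER = "allow", "forbidden", "not-a-timer-route"

# Constructed sample module descriptor for a hypothetical "mod-example".
# Timer handlers live under the "_timer" interface; permissionsRequired is
# the field the check below enforces.
MODULE_DESCRIPTOR = {
    "id": "mod-example-1.0.0",
    "provides": [
        {
            "id": "_timer", "version": "1.0", "interfaceType": "system",
            "handlers": [
                {"methods": ["POST"], "pathPattern": "/example/expire", "permissionsRequired": ["example.timers.expire"]},
                {"methods": ["POST"], "pathPattern": "/example/cleanup/{id}", "permissionsRequired": ["example.timers.cleanup"]},
                # unprotected timer handler: shows what an empty list buys you
                {"methods": ["POST"], "pathPattern": "/example/ping", "permissionsRequired": []},
            ],
        },
        {
            "id": "example", "version": "1.0",
            "handlers": [
                {"methods": ["GET"], "pathPattern": "/example/items", "permissionsRequired": ["example.items.get"]},
            ],
        },
    ],
}


@dataclass(frozen=True)
class Route:
    method: str
    pattern: str
    permissions_required: frozenset


def _compile(pattern):
    """Turn a FOLIO-style pathPattern into a regex: "{id}" matches one path
    segment and a trailing "*" matches the remainder of the path."""
    parts = []
    for seg in pattern.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        elif seg.endswith("*"):
            parts.append(re.escape(seg[:-1]) + ".*")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def timer_routes(descriptor):
    """All (method, pathPattern, permissionsRequired) routes of the _timer interface."""
    routes = []
    for iface in descriptor.get("provides", []):
        if iface.get("id") != "_timer":
            continue
        for handler in iface.get("handlers", []):
            required = frozenset(handler.get("permissionsRequired", []))
            for method in handler.get("methods", []):
                routes.append(Route(method.upper(), handler["pathPattern"], required))
    return routes


def all_module_permissions(descriptor):
    """Every permission the module declares; stands in for the blanket access
    the entitlement process grants the system user (assumption of this example)."""
    return frozenset(
        perm
        for iface in descriptor.get("provides", [])
        for handler in iface.get("handlers", [])
        for perm in handler.get("permissionsRequired", [])
    )


def authorize_timer_call(descriptor, method, path, granted_permissions):
    """Decide whether a call to a timer endpoint may pass the sidecar.

    Returns (decision, missing_permissions). A request matching no timer route
    is reported as NOT_TIMER so the caller sends it down the normal (non-timer)
    authorization path instead of silently allowing it.
    """
    for route in timer_routes(descriptor):
        if route.method == method.upper() and _compile(route.pattern).match(path):
            missing = route.permissions_required - frozenset(granted_permissions)
            return (ALLOW, set()) if not missing else (FORBIDDEN, set(missing))
    return (NOT_TIMER, set())


# Constructed principals: the system user holds every module permission,
# the arbitrary user only a regular data permission.
SYSTEM_USER_PERMISSIONS = all_module_permissions(MODULE_DESCRIPTOR)
ARBITRARY_USER_PERMISSIONS = frozenset({"example.items.get"})

if __name__ == "__main__":
    for who, perms in (("system user", SYSTEM_USER_PERMISSIONS), ("arbitrary user", ARBITRARY_USER_PERMISSIONS)):
        for path in ("/example/expire", "/example/cleanup/42", "/example/ping"):
            print(who, "POST", path, authorize_timer_call(MODULE_DESCRIPTOR, "POST", path, perms))
```

Two points worth noticing when running it: the `/example/ping` handler declares no `permissionsRequired`, so the check lets the arbitrary user through as well; the sidecar check is only as strong as the permissions the module descriptor declares on its timer handlers. And a request that matches no timer route is returned as `NOT_TIMER` rather than allowed, so ordinary module traffic keeps following its normal authorization path.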
The following diagram displays the main components and actors involved in the flow (note that most of the interactions are already in place).
Drawio sketch (diagram not reproduced here)
Folio modules and their sidecars are deployed inside a clu
Option 2
Have mod-scheduler send egress requests to its sidecar like every other module, and add a switch to the module sidecar indicating that it should retrieve ALL bootstrap info at startup and consume all discovery events.
...