...

  1. What are the options for defining the boundaries of the internal network and providing this information to the PRB plugin?

  2. What are the ways to inject the plugin into the Kong request processing flow?

    1. Is it possible to run the plugin right after Kong has found a route?

    2. Will the selected route be available to the plugin?

...

Drawio sketch: authorize-time-calls-for-system-user (diagram kong-with-intranet-access-plugin)

...

The diagram contains mod-scheduler, which runs scheduled jobs, and a business module named “Module A”. Module A provides a regular interface /regular-url-A along with a _timer interface /timer-url-A. Detailed information about the Module A interfaces is, as usual, contained in its Module Descriptor.

  1. First, the Tenant Entitlement manager (MTE) enables an application containing Module A for a tenant. During this process MTE gets the Module Descriptor of Module A and

a. creates routes in Kong for all of the module’s public interfaces from the "provides" section of the Module Descriptor and for all _timer interfaces, so that the timer interfaces also become available for routing by the API Gateway

b. creates resources in Keycloak, but only for the public interfaces of the module. No resources are created for timer interfaces, so Keycloak is still not aware of any system interfaces and has no specific rules (permissions) to authorize access to those resources

c. enables the mod-users-keycloak module for the tenant. During this process the module creates a special system user, named <tenant>-system-user (for example diku2-system-user), with the "System" role, which grants access to all resources in the system

...

d. creates (via Kafka) scheduled jobs for the Module A _timer endpoints in mod-scheduler. The scheduler associates the system user with jobs created from timer interfaces. As a result, these jobs are executed on behalf of the system user
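The route/resource split in steps (a) and (b) above, together with the internal-network boundary question from the open items list, as an added Python example that is not part of this page or of the FOLIO project code. It assumes a Module Descriptor in the standard FOLIO shape (ids, paths and versions constructed for the sample), a simplified Kong route object with an added `internal_only` tag, a simplified Keycloak resource object, and a hard-coded list of intranet CIDR ranges standing in for plugin configuration. It shows why the _timer routes end up reachable through Kong yet uncovered by any Keycloak resource, and what a boundary check run after route matching would have to decide.

```python
"""Added example: classify Module Descriptor interfaces into Kong routes and
Keycloak resources, find the routes nothing authorizes, and apply the
intranet-boundary check a gateway plugin would need for them."""
import ipaddress
import json

# Constructed sample Module Descriptor for "Module A". The structure follows
# the FOLIO ModuleDescriptor format; the concrete values are made up.
MODULE_A_DESCRIPTOR = json.loads("""
{
  "id": "mod-a-1.0.0",
  "provides": [
    {"id": "regular-a", "version": "1.0",
     "handlers": [{"methods": ["GET"], "pathPattern": "/regular-url-A",
                   "permissionsRequired": ["regular-a.item.get"]}]},
    {"id": "_timer", "version": "1.0", "interfaceType": "system",
     "handlers": [{"methods": ["POST"], "pathPattern": "/timer-url-A",
                   "unit": "minute", "delay": "5"}]}
  ]
}
""")

# Assumed intranet ranges; in a deployment this would be plugin configuration.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


def is_timer_interface(interface):
    """FOLIO marks timer interfaces with id "_timer" and interfaceType "system"."""
    return interface.get("id") == "_timer" or interface.get("interfaceType") == "system"


def build_kong_routes(descriptor):
    """Step (a): one route per handler for every provided interface, public
    and _timer alike. The route shape is an assumed simplification of a Kong
    route object; the 'internal_only' tag is an added marker so a gateway
    plugin can recognise timer routes after route matching."""
    routes = []
    for interface in descriptor["provides"]:
        for handler in interface["handlers"]:
            routes.append({
                "name": f'{descriptor["id"]}-{handler["pathPattern"].strip("/")}',
                "paths": [handler["pathPattern"]],
                "methods": handler["methods"],
                "service": descriptor["id"],
                "tags": ["internal_only"] if is_timer_interface(interface) else [],
            })
    return routes


def build_keycloak_resources(descriptor):
    """Step (b): resources only for public interfaces. _timer handlers get
    none, so Keycloak holds no rule covering them."""
    resources = []
    for interface in descriptor["provides"]:
        if is_timer_interface(interface):
            continue
        for handler in interface["handlers"]:
            resources.append({
                "name": handler["pathPattern"],
                "scopes": handler["methods"],
                "permissions": handler.get("permissionsRequired", []),
            })
    return resources


def unprotected_routes(routes, resources):
    """Routes Kong will serve that no Keycloak resource covers. These are
    exactly the routes an intranet-boundary plugin has to guard."""
    covered = {r["name"] for r in resources}
    return [r for r in routes if not any(p in covered for p in r["paths"])]


def plugin_allows(route, client_ip, internal_networks=INTERNAL_NETWORKS):
    """Boundary check run once the route is known: internal-only routes are
    served only to callers inside the configured intranet ranges; all other
    routes are passed on to the normal Keycloak authorization."""
    if "internal_only" not in route.get("tags", []):
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in internal_networks)


if __name__ == "__main__":
    routes = build_kong_routes(MODULE_A_DESCRIPTOR)
    resources = build_keycloak_resources(MODULE_A_DESCRIPTOR)
    for r in unprotected_routes(routes, resources):
        print("needs intranet restriction:", r["paths"], r["methods"])
    timer_route = routes[1]
    print(plugin_allows(timer_route, "10.1.2.3"), plugin_allows(timer_route, "203.0.113.5"))
```

Run as a script it lists /timer-url-A as the only route without a Keycloak resource and then shows the boundary check accepting an intranet caller and rejecting an external one. The check answers the second open question only if the plugin really does run after Kong's route matching, since it keys off the matched route's tags rather than the raw path.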

Option 2

Have mod-scheduler send egress requests to its sidecar like every other module, and add a switch to the module sidecar indicating that it should retrieve ALL bootstrap info at startup and consume all discovery events.

...