| Kafka / Message Queue Security |
| of interest: Temporary Kafka security solution. See also TC 2021-03-03 Meeting Minutes - Discussion of potential Kafka software bus security solutions for FOLIO. In FOLIO, Elasticsearch and Data Import use Kafka, and other modules want to use it too, hence the proposal.
- Out of the box, ZooKeeper has some options.
- FOLIO should have a single authN/Z solution for all of its components.
Some of the options:
- mTLS: not recommended, because it would require issuing and managing your own certificates for each Kafka broker.
- SASL/GSSAPI (Kerberos): not in place for FOLIO currently.
- SASL/PLAIN (usernames / passwords).
- SASL/SCRAM-SHA-256 / 512: considered the preferred AuthN approach for a temporary solution, because it is secure enough, easier to leverage, and requires neither additional components to be added to FOLIO nor custom logic.
- But it requires the use of ZooKeeper with Kafka; there is no option there. ZooKeeper is a distributed configuration store holding information about Kafka to ensure it stays HA.
- This may indeed be the best approach of the available options. It cannot be put in for Iris, but maybe in release 2 in June. This proposal talks about how FOLIO would use Kafka, not about how the processes used would be designed or secured.
- It is recommended that you don't expose your Kafka environment to the rest of the world; you need highly secured infrastructure to host it. This proposal is not quite complete yet. How to handle multitenancy, for example?
- Kafka itself is not secured by default; it needs to be on your own private internal network unless you put in a lot of work.
- Either way, this solution itself would take a lot of work to set up.
- SASL/OAUTHBEARER: the Kafka out-of-the-box solution; shouldn't be used in prod.
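As an added illustration (not from the proposal or the FOLIO project) of what the SASL/SCRAM option above looks like in configuration: a broker listener that accepts only SCRAM-SHA-512 over TLS with deny-by-default ACLs, beside the matching client properties, with the open default the notes warn about left commented out. Hostnames, file paths, user names and secrets are placeholders.

```properties
# --- Broker: server.properties (illustration; hosts, paths and secrets are placeholders) ---
# Open default the notes warn about: plaintext listener, no authentication, no authorizer.
# listeners=PLAINTEXT://:9092

# Hardened: a single listener, SASL over TLS only
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://kafka-1.internal.example:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
# Broker's own SCRAM identity for inter-broker traffic
listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="kafka-broker" password="<broker-secret>";

# TLS for the listener: server certificate only; clients are authenticated by SCRAM, not by client certificates
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=<keystore-secret>
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=<truststore-secret>

# Authorization: deny by default, grant per principal with ACLs
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-broker

# SCRAM credentials are created with kafka-configs.sh and stored in ZooKeeper,
# which is why the notes say ZooKeeper is required for this option.

# --- Client (e.g. a FOLIO module): producer/consumer properties ---
bootstrap.servers=kafka-1.internal.example:9093
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="mod-data-import" password="<client-secret>";
ssl.truststore.location=/etc/folio/ssl/truststore.jks
ssl.truststore.password=<truststore-secret>
```

With `allow.everyone.if.no.acl.found=false`, each module principal still needs explicit topic and group ACLs before it can produce or consume.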
There are some reasonable comments already on the document about the shortage of FOLIO developer resources, as well as concerns about putting in any temporary solution.
|