Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature : ACL integration features #287

Merged
merged 26 commits into from
Dec 3, 2024

Conversation

uds5501
Copy link
Contributor

@uds5501 uds5501 commented Oct 21, 2024

Supporting SASL authentication

@uds5501 uds5501 force-pushed the feat/acl-integration-gopay branch from c500933 to 9f9b540 Compare October 21, 2024 11:47
@@ -95,6 +96,9 @@
(defn ssl-config []
(get-in config [:ziggurat :ssl]))

(defn sasl-config []
(get-in config [:ziggurat :sasl]))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem here with this approach of having a single sasl config is that we cannot have seperate ACL for each streams.
This needs to be implemented. The acl should be per stream as each stream can have different topics its reading from hence having separate ACL.

Copy link
Contributor Author

@uds5501 uds5501 Oct 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • As discussed in the thread we are currently okay with keeping actor-level changes.
  • To support per-stream changes, (when required) the following plan should be done:
  1. Update streams-config-mapping-table to start setting ACL properties as well. (Currently it only picks up auto-offset reset configs) - not accommodating as part of this PR.
  2. Update the add-sasl-properties to putIfAbsent with actor level ACL if stream ACL is missing - updating this in next commit

project.clj Outdated Show resolved Hide resolved
project.clj Outdated
[cambium/cambium.logback.json "0.4.4"]
[ch.qos.logback/logback-classic "1.2.9"]
[cambium/cambium.logback.json "0.4.4" :exclusions [com.fasterxml.jackson.core/jackson-annotations com.fasterxml.jackson.core/jackson-databind]]
[ch.qos.logback/logback-classic "1.2.9" :exclusions [org.slf4j/slf4j-api]]
[ch.qos.logback.contrib/logback-json-classic "0.1.5"]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are these excluded ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These exclusions were compiler's suggestions. can revert these.

@uds5501
Copy link
Contributor Author

uds5501 commented Oct 24, 2024

@Vruttant1403 please help re-review?

@uds5501 uds5501 requested a review from Vruttant1403 October 24, 2024 08:10
@uds5501 uds5501 force-pushed the feat/acl-integration-gopay branch from b9e182b to cf9594d Compare November 14, 2024 09:08
volumes:
- /tmp/ziggurat_kafka_cluster_data/zookeeper/data:/data
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why have we removed these. ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seemed redundant to mount this volume, will add back

jaas-config (get ssl-config-map :jaas)
mechanism (get ssl-config-map :mechanism)
protocol (get ssl-config-map :protocol)
login-callback-handler (get ssl-config-map :login-callback-handler)]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add what this is doing in the comments above here for context.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added above.

@@ -448,3 +487,34 @@
(testing "should return REPLACE_THREAD"
(let [r (handle-uncaught-exception :replace-thread t)]
(is (= r StreamsUncaughtExceptionHandler$StreamThreadExceptionResponse/REPLACE_THREAD))))))

(deftest start-streams-test-with-sasl-config
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

valid config test is only there for SASL_PLAINTEXT. have we checked if this works with SASL_SSL also as that is your usecase I believe right ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. We have verified this in the staging setups. As part of this MR we wanted to verify if SASL configs are being consumed correctly or not.
  2. To setup TLS for this will be another tedious task. For the testing suite a SASL_PLAINTEXT combination should be okay.

@uds5501 uds5501 requested a review from Vruttant1403 December 2, 2024 09:52
@Vruttant1403 Vruttant1403 merged commit 7e89b4f into gojek:master Dec 3, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants