Ghatage opened a new pull request #2429:
URL: https://github.com/apache/bookkeeper/pull/2429
This feature allows a predefined set of services to be 'whitelisted' to be able
to access bookkeeper based on their client certificates.
Motivation
As BookKeeper and its supported services move to a cloud friendly service
based architecture, it becomes of utmost importance to monitor and allow only
certain qualified services to be able to access the data in BK.
We have TLS based authentication, however, any service with the rootCA can
access Bookkeeper clusters which is not desirable.
Changes
So this feature can be broken down into two parts:
Certificate and roles
Server configuration for authorized roles
Details:
Certificate and roles:
Here is an example of what the SUBJECT field of a final certificate for
Apache Pulsar running in the cloud would look like:
CN=apache.bookkeeper.org
O=apache-pulsar
OU=0:pulsar-broker-role;1:cluster-1
L=San Francisco
S=CA
C=US
This shows that this bookkeeper client certificate is owned by the
Apache Pulsar service and has the role ‘pulsar-broker-role’ for entities in
‘cluster-1’.
Only those services with pulsar-broker-role should be able to access it.
We can add more fields separated by commas to increase the upstream
application clusters to be able to access this bookkeeper cluster.
For example: OU=0:herddb-readonlyNode,herddb-readwriteNode;1:herddb-cluster2
Such separation of access based on services is paramount to keeping this
secure as many upstream users of BookKeeper are financial institutions,
databases and other services.
Server configuration for authorized roles
Once we have a certificate whose SUBJECT field has the OU attribute with
the roles we want to authorize, on the Bookie side, we need to specify which
roles are allowed.
We make this happen by introducing a server configuration option called
‘authorizedRoles’.
Since we have only static options, this will be set in stone as long as
the bookie booted up with it.
In case we need to change the allowed roles, we’ll need to stop the
bookie, update the configuration file and then restart the bookie.
We can have multiple roles which are authorized as the OU field can have
multiple comma separated values for roles.
This is a redo of stale PR #2355
Master Issue: #2354
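The role check described in the pull request above, sketched as an added example; this is not code from the PR or from BookKeeper. The class and method names are hypothetical, the OU value is assumed to be already extracted from the certificate subject, field 0 is assumed to carry the roles as in the PR's examples, and a match on any one role is assumed to be sufficient.

```java
import java.util.*;

public class OuRoleCheck {

    // Parses "0:roleA,roleB;1:cluster-1" into {0=[roleA, roleB], 1=[cluster-1]}.
    // Any malformed or repeated field throws, so a bad certificate is never half-trusted.
    static Map<Integer, Set<String>> parseOu(String ou) {
        Map<Integer, Set<String>> fields = new HashMap<>();
        for (String field : ou.split(";")) {
            String[] kv = field.split(":", 2);
            if (kv.length != 2) throw new IllegalArgumentException("no index in: " + field);
            int index = Integer.parseInt(kv[0].trim()); // NumberFormatException if not numeric
            Set<String> values = new HashSet<>();
            for (String v : kv[1].split(",")) {
                if (!v.trim().isEmpty()) values.add(v.trim());
            }
            if (fields.put(index, values) != null)
                throw new IllegalArgumentException("duplicate index " + index);
        }
        return fields;
    }

    // Deny by default: true only when the OU parses cleanly and field 0 (assumed to
    // carry the roles) shares at least one exact, case-sensitive entry with the allow-list.
    static boolean isAuthorized(String ou, Set<String> authorizedRoles) {
        if (ou == null) return false;
        try {
            Set<String> roles = parseOu(ou).getOrDefault(0, Set.of());
            return !Collections.disjoint(roles, authorizedRoles);
        } catch (IllegalArgumentException e) { // also covers NumberFormatException
            return false;
        }
    }

    public static void main(String[] args) {
        Set<String> authorizedRoles = Set.of("pulsar-broker-role"); // constructed allow-list
        String[] samples = {                                         // constructed OU values
            "0:pulsar-broker-role;1:cluster-1",                      // page's example: allowed
            "0:herddb-readonlyNode,herddb-readwriteNode;1:herddb-cluster2", // other service
            "0:pulsar-broker-role-dev;1:cluster-1",                  // near-miss role name
            "1:pulsar-broker-role",                                  // role in the wrong field
            "pulsar-broker-role"                                     // no index: malformed
        };
        for (String ou : samples)
            System.out.println((isAuthorized(ou, authorizedRoles) ? "ALLOW " : "DENY  ") + ou);
    }
}
```

Only the first sample is allowed; the near-miss name, the role placed in field 1 and the malformed value are all denied because matching is exact and parse failures fall through to a refusal.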