Filter: load JSON definitions and policies from file #7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
robobario
commented
Jun 22, 2023
...us-filter/src/test/java/io/strimzi/kafka/topicenc/kroxylicious/TopicEncryptionVaultTest.java
Outdated
Show resolved
Hide resolved
|
I've now refactored the tests, splitting them into tests covering Produce Encryption and Fetch Decryption, testing each side in isolation. This combined with adding tests for per-topic encryption policies would catch the issues fixed by commit #de60abe. The tests were working because of the hardcoded wildcard policy combined with the metadata request failure caching an empty string. We found a name for the topic (empty string), and that got the wildcard policy applied to it, test passes ✔️ |
SamBarker
reviewed
Jun 30, 2023
...ylicious-filter/src/main/java/io/strimzi/kafka/topicenc/kroxylicious/FetchDecryptFilter.java
Show resolved
Hide resolved
|
To catch a comment from the demos, @SamBarker pointed out that it would be good if we could get credentials into the key manager definition file (like the vault token) in a kubernetes friendly way. So instead of directly in our JSON file, refer to a secret file or environment variable. Captured in #8 |
robobario
commented
Jul 2, 2023
SamBarker
approved these changes
Jul 2, 2023
...ylicious-filter/src/main/java/io/strimzi/kafka/topicenc/kroxylicious/FetchDecryptFilter.java
Outdated
Show resolved
Hide resolved
...ylicious-filter/src/main/java/io/strimzi/kafka/topicenc/kroxylicious/FetchDecryptFilter.java
Show resolved
Hide resolved
kroxylicious-filter/src/test/java/io/strimzi/kafka/topicenc/kroxylicious/KafkaAssertions.java
Outdated
Show resolved
Hide resolved
kroxylicious-filter/src/test/java/io/strimzi/kafka/topicenc/kroxylicious/TestCrypter.java
Outdated
Show resolved
Hide resolved
...us-filter/src/test/java/io/strimzi/kafka/topicenc/kroxylicious/VaultFetchDecryptionTest.java
Outdated
Show resolved
Hide resolved
...us-filter/src/test/java/io/strimzi/kafka/topicenc/kroxylicious/VaultFetchDecryptionTest.java
Outdated
Show resolved
Hide resolved
kroxylicious-filter/src/test/java/io/strimzi/kafka/topicenc/kroxylicious/kms/MockKms.java
Show resolved
Hide resolved
This was referenced Jul 3, 2023
robobario
force-pushed
the
full-configuration
branch
2 times, most recently
from
95f8325
to
12c5372
Compare
Why: At apiVersion 10, the MetadataRequest is only allowed to take null topic ids. So it responds with an error when we set the id. We need to be at apiVersion 12. We were also missing a guard to prevent caching in this error condition which allowed an empty topic name to be put in the cache on error. Resulting in no decryption being applied. Signed-off-by: Robert Young <[email protected]>
Why: We want users to have access to the full Smorgasbord of configuration including different encryption policies per-topic and support for multiple KMS implementations. With this change the Kroxylicious Filter will require configuration to point to the two JSON files. This gives us the closest integration with the encryption module because `JsonPolicyLoader.loadTopicPolicies` works in terms of File objects and does some useful work like validating and associating policies and KMS implementations. In future, if we want to be able to embed the KMS definitions and topic policies in the Filter configuration it might be nice if `JsonPolicyLoader` had another method like: `List<TopicPolicy> loadTopicPolicies(List<TopicPolicy> topicPolicies, Map<String, KmsDefinition> kmsDefs)` that did the same work without the dependency on loading JSON from File. Signed-off-by: Robert Young <[email protected]>
robobario
force-pushed
the
full-configuration
branch
from
41bf474
to
264af3c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why:
We want users to have access to the full Smorgasbord of configuration including different encryption policies per-topic and support for multiple KMS implementations.
With this change the Kroxylicious Filter will require configuration to point to the two JSON files. This gives us the closest integration with the encryption module because
JsonPolicyLoader.loadTopicPoliciesworks in terms of File objects and does some useful work like validating and associating policies and KMS implementations.example Kroxylicious configuration
In future, if we want to be able to embed the KMS definitions and topic policies in the Filter configuration it might be nice if
JsonPolicyLoaderhad another method like:List<TopicPolicy> loadTopicPolicies(List<TopicPolicy> topicPolicies, Map<String, KmsDefinition> kmsDefs)that did the same work without the dependency on loading JSON from File.Implements #3