Protects the system at the application levels via Authentication

Description

Protects the system at the application levels via Authentication

Design is similar to how we are doing auth-n for Ops App. The key difference is that in Ops App every user is an individual, whereas in Channel every user is a system user. We can have a common breakdown of [ ] and [ ].

Application or event logs will capture events that each component performs and should contain at least the following information:

  - application / user ID

Linked to [ ]

  1. Bulk Processor - protected by API key using the Key Auth Kong plugin (register the services in Kong in an automated way, or just document the automation steps; refer to how Ops Web is the only part added to the Kong / Keycloak realm) - plugin annotations in the respective ingresses - Done

  2. Postman Collection env variable for API Key and Integration Tests config. - Done

  3. Creating a (System) User in Keycloak (UI step - capture network log) (and perhaps linking with Kong consumer) - Done

  4. Creating the API key using user specific admin API in Kong or Konga UI - Done

  5. Kong has to run with a DB here so that consumers can be handled as runtime configuration. - Done (Regression effort - OIDC, Request Transformer, CORS - Done) - Estimate: 2.5

  6. Integration Test: Setup steps - create a consumer via the Kong Admin API and enable the keyAuth plugin for the BP service (set API key config). Teardown - remove the keyAuth plugin linkage from the BP service. TC - call the BP API, assert a 200/202 or 401 response. - Estimate: 2 - Done
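The steps above (consumer, API key, key-auth plugin bound only to the Bulk Processor ingress) expressed as Kong Ingress Controller resources. This is an added example, not the ticket's or the project's own manifests: the `payments` namespace, the resource names, the backend service name and port, and the key value are assumptions, and the key is a placeholder to be replaced by the value generated in step 4.

```yaml
# Added example, not the project's manifests. Namespace, names, service
# port and the key value are assumptions; the key is a placeholder.
#
# 1. key-auth plugin instance. It is NOT global: it only takes effect on
#    ingresses that reference it through the konghq.com/plugins annotation.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: bp-key-auth
  namespace: payments
plugin: key-auth
config:
  key_names:
    - apikey              # header or query parameter Kong looks for
  hide_credentials: true  # strip the key before forwarding upstream
---
# 2. Credential for the system user. The controller reads key-auth
#    credentials from a Secret; the label is the current form of the
#    marker, kongCredType the older one (both kept for compatibility).
apiVersion: v1
kind: Secret
metadata:
  name: bulk-processor-apikey
  namespace: payments
  labels:
    konghq.com/credential: key-auth
type: Opaque
stringData:
  kongCredType: key-auth
  key: REPLACE_WITH_GENERATED_API_KEY   # placeholder, never commit a real key
---
# 3. Kong consumer representing the Bulk Processor system user; it owns
#    the credential above.
apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: bulk-processor-client
  namespace: payments
  annotations:
    kubernetes.io/ingress.class: kong
username: bulk-processor-client
credentials:
  - bulk-processor-apikey
---
# 4. Bulk Processor ingress. The annotation is what binds key-auth to this
#    route: requests without a valid apikey get a 401 from Kong and never
#    reach the service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bulk-processor
  namespace: payments
  annotations:
    konghq.com/plugins: bp-key-auth
spec:
  ingressClassName: kong
  rules:
    - http:
        paths:
          - path: /bulk-processor
            pathType: Prefix
            backend:
              service:
                name: bulk-processor
                port:
                  number: 8080
```

For the integration test in step 6, the equivalent Kong Admin API calls are `POST /consumers` (username), `POST /consumers/{username}/key-auth` (key) and `POST /services/{service}/plugins` with `name=key-auth`. A request to the BP route carrying the `apikey` header should then return 200/202 and the same request without it 401, which is the assertion pair the test case describes; teardown is `DELETE /plugins/{plugin-id}` for the key-auth plugin entry on the BP service.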


Assumption: Different Source BBs are being treated as different tenants for data scoping. From Kong event stream, putting client correlation ID and consumer/user ID into ES is out of scope.

Linked to [ ]

Design Document-



Revised Approach

  1. Enable DB setup for the existing Kong setup.

  2. Search for relevant article/blog/community conversation with api-key, clientId and secret setup.

  3. Think from the requirement perspective and not the tech stack perspective.

Defaults:

security - disabled

Activity


Avik Ganguly July 21, 2023 at 2:32 PM

Integration tests should still run on every PR in CI even though security is disabled by default (Which helm chart to test non-defaults with?)

Danish Jamal July 19, 2023 at 7:39 AM

The solution for the 5th point is to keep the oidc plugin global flag as false, and enable it only for the specific route.

The cors and request-transformer global flags can be set to true.
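The arrangement described in this comment (oidc bound to one route only, cors and request-transformer global) as Kong Ingress Controller resources. This is an added example rather than the project's own manifests: the `payments` namespace, plugin and ingress names, the allowed origin, the added header, the Keycloak discovery URL and the client credentials are assumptions or placeholders.

```yaml
# Added example, not the project's manifests. Namespace, names, origin,
# header, discovery URL and client credentials are assumptions/placeholders.
#
# Global plugins: a KongClusterPlugin carrying the label global: "true"
# applies to every route Kong serves, including the Keycloak ingress.
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: global-cors
  labels:
    global: "true"
  annotations:
    kubernetes.io/ingress.class: kong
plugin: cors
config:
  origins:
    - "https://ops-web.example.internal"   # assumed Ops Web origin
  credentials: true
---
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: global-request-transformer
  labels:
    global: "true"
  annotations:
    kubernetes.io/ingress.class: kong
plugin: request-transformer
config:
  add:
    headers:
      - "X-Forwarded-Prefix:/"   # assumed header; entries are name:value
---
# oidc is deliberately NOT global: no global label, and a namespaced
# KongPlugin rather than a KongClusterPlugin. It applies only where an
# ingress references it by name.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ops-web-oidc
  namespace: payments
plugin: oidc
config:
  client_id: ops-web
  client_secret: REPLACE_WITH_KEYCLOAK_CLIENT_SECRET   # placeholder
  discovery: https://keycloak.example.internal/realms/payments/.well-known/openid-configuration
---
# Ops Web ingress: the only route that opts into oidc.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ops-web
  namespace: payments
  annotations:
    konghq.com/plugins: ops-web-oidc
spec:
  ingressClassName: kong
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ops-web
                port:
                  number: 80
---
# Keycloak ingress: no konghq.com/plugins annotation, so only the two
# global plugins apply and the admin console / discovery URL are served
# without Kong's oidc handshake in front of them.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: payments
spec:
  ingressClassName: kong
  rules:
    - host: keycloak.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
```

In a real deployment the `client_secret` should not be written inline; the `KongPlugin` resource supports a `configFrom.secretKeyRef` reference so the value can live in a Kubernetes Secret. The check for the regression described further down this thread is simply that the Keycloak ingress has no plugin annotation and no `KongClusterPlugin` for oidc carries the `global: "true"` label.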

Avik Ganguly July 10, 2023 at 10:30 AM
Edited

  1. Kong ingress annotation should forward user ID to BP and CC services so that zeebeClient can publish it as zeebe variable. API Key should be common for Bulk Processor and Channel Connector. - Not Done (Moved out of must have priority as there are other must have stories to be completed in PI)

  2. BP needs config for Channel Connector Client Key & Client Secret as K8s secret. (Use service names for interservice communication instead of hostnames/ingress as contact points. - Somanath)

  3. (assumption) Link Keycloak user (human) to Kong Consumer/API Key (bot) - Theory needs to be validated. Removing Keycloak parts from integration test.

  4. DB migration script should be run automatically (map concept to hooks/post init script) - Should Have

  5. Bulk Processor needs config for Channel Connector API Key. Ops Web would also need configuration for Bulk Processor. - Reducing the scope from MVP to PoC

Danish Jamal July 10, 2023 at 10:02 AM
Edited

Error Reporting

Title: Kong is applying the oidc plugin to each of the URLs, causing the discovery URL of Keycloak to be accessible without auth.

Pre-requisite:

  1. Kong deployed with db enabled.

  2. Enabled plugin oidc, request-transformer and cors using CRDs.

  3. Keycloak deployed and accessible using port-forward localhost. (username: admin, password: password/admin)

  4. Keycloak ingress annotation should not contain any Kong plugin.

Expected Behaviour:

  1. Hit keycloak url

  2. Admin console login prompt should come up.

  3. Enter admin and password.

  4. Should login into admin console.

Actual Behaviour

  1. Kong error (HTTP status code I don't remember)

  2. Kong proxy log

Avik Ganguly July 10, 2023 at 10:02 AM

Regression issue on Kong plugins described in Payments channel on 10th July.

Done

Created March 10, 2023 at 3:59 PM
Updated November 16, 2023 at 5:34 AM
Resolved September 2, 2023 at 10:09 AM