13 Configuring "Host" Based ACLs for Kafka Feed
The Kafka Feed supports optional "host" based ACLs for the external consumer application. A host ACL restricts the consumer to connecting from a client machine with a designated IP address. The client application can run inside a pod in the Kubernetes cluster where OCNADD is deployed, in a pod in a different cluster, or on a separate virtual machine in the customer's cloud environment. Because pods do not have static IP addresses, the "host" based ACLs are optional for Kafka feeds. A client VM running the external Kafka consumer application, by contrast, can be assigned a static IP address, and a host ACL is useful in that case.
The Kafka Feed configuration includes an optional "hostname" field, which currently accepts only a single IPv4 address. By default the Kafka feed allows all hosts. This default applies when the user leaves the Host Name field blank or provides the wildcard character "*".
The Host Name field can be one of the following:
- IPv4 address of the host where the consumer application is running.
- Blank or wildcard character * (This permits all host IPs).
Note:
- Pod/VM hostname-based ACLs are not currently supported in Kafka; the field takes an IP address only.
- IPv6 is not supported.
- Configuring a specific host IP ACL is recommended when the client machine has a static IP address.
- Avoid configuring the host IP for cloud-native client applications running in the K8s cluster, as pods receive dynamic IP assignments.
- Kafka compares the ACL host with the client's source IP address as seen by the broker. If the consumer connects through NAT or a load balancer, the address the broker observes is the one that must be configured.
13.1 Adding network IP "Host" ACLs in Kafka Feed
Kafka authorization checks the client's network IP before it checks the specific client IP address configured in the host-based ACL. A matching ACL for the network IP address (the address of the client's subnet, for example 10.1.1.0 for a client at 10.1.1.15 on a /24 subnet) is therefore also required. Configure it with the following steps:
- Obtain the specific client IP.
- Determine the network IP address from the client IP and its subnet mask (for example, 10.1.1.15 with a /24 mask gives the network IP 10.1.1.0).
- Access any pod within the OCNADD deployment, such as 'kafka-broker-0', using the following command:
kubectl exec -it kafka-broker-0 -n <namespace> -- bash
- Run the following curl commands to configure the network IP "Host" ACLs, replacing '<Network IP>' with the IP obtained from step 2, 'joe' with the feed's ACL user, and 'demofeed' with the feed name. Both requests are authenticated with the client certificate in clientKeyStore.p12; the -k option only skips verification of the configuration service's server certificate.
curl -k --location --cert-type P12 --cert /var/securityfiles/keystore/clientKeyStore.p12:$KEYSTORE_PASS --request POST 'https://ocnaddconfiguration:12590/ocnadd-configuration/v2/<workerGroup>/client-acl' --header 'Content-Type: application/json' --data-raw '{ "principal": "joe", "hostName": "<Network IP>", "resourceType": "TOPIC", "resourceName": "MAIN", "aclOperation": "READ" }'
curl -k --location --cert-type P12 --cert /var/securityfiles/keystore/clientKeyStore.p12:$KEYSTORE_PASS --request POST 'https://ocnaddconfiguration:12590/ocnadd-configuration/v2/<workerGroup>/client-acl' --header 'Content-Type: application/json' --data-raw '{ "principal": "joe", "hostName": "<Network IP>", "resourceType": "GROUP", "resourceName": "demofeed", "aclOperation": "READ" }'
- Use the following curl command to verify the network IP "Host" ACLs:
curl -k --location --cert-type P12 --cert /var/securityfiles/keystore/clientKeyStore.p12:$KEYSTORE_PASS --request GET 'https://ocnaddadminservice.<mgmt-namespace>:9181/ocnadd-admin/v2/<workerGroup>/acls'
Example output, with Feed Name: demofeed, ACL user: joe, Host Name: 10.1.1.15, Network IP: 10.1.1.0:
["(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.0, operation=READ, permissionType=ALLOW))",
"(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))",
"(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.0, operation=READ, permissionType=ALLOW))",
"(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))"]
Both the client host entry (10.1.1.15) and the network IP entry (10.1.1.0) must be present for the TOPIC and the GROUP resource.
13.2 Deleting network IP "Host" ACLs in Kafka Feed
Note:
The steps should be executed on the specific worker group on which the Kafka feed support is present.
- Access any pod within the OCNADD deployment, such as 'kafka-broker-0', using the following command:
kubectl exec -it kafka-broker-0 -n <namespace> -- bash
- Run the following curl commands to delete the network IP "Host" ACLs, replacing '<Network IP>' with the appropriate IP, 'joe' with the feed's ACL user, and 'demofeed' with the feed name:
curl -k --location --cert-type P12 --cert /var/securityfiles/keystore/clientKeyStore.p12:$KEYSTORE_PASS --request DELETE 'https://ocnaddconfiguration:12590/ocnadd-configuration/v2/<workerGroup>/client-acl' --header 'Content-Type: application/json' --data-raw '{ "principal": "joe", "hostName": "<Network IP>", "resourceType": "TOPIC", "resourceName": "MAIN", "aclOperation": "READ" }'
curl -k --location --cert-type P12 --cert /var/securityfiles/keystore/clientKeyStore.p12:$KEYSTORE_PASS --request DELETE 'https://ocnaddconfiguration:12590/ocnadd-configuration/v2/<workerGroup>/client-acl' --header 'Content-Type: application/json' --data-raw '{ "principal": "joe", "hostName": "<Network IP>", "resourceType": "GROUP", "resourceName": "demofeed", "aclOperation": "READ" }'
- Run the following curl command to verify the deletion of the network IP "Host" ACLs:
curl -k --location --cert-type P12 --cert /var/securityfiles/keystore/clientKeyStore.p12:$KEYSTORE_PASS --request GET 'https://ocnaddadminservice.<mgmt-namespace>:9181/ocnadd-admin/v2/<workerGroup>/acls'
Example output, with Feed Name: demofeed, ACL user: joe, Host Name: 10.1.1.15:
["(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))",
"(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))"]
Here, the entries for 'Network IP: 10.1.1.0' have been deleted; only the client host entries for 10.1.1.15 remain.
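The following script is an added example that wraps the procedures of sections 13.1 and 13.2 in one place; it is not OCNADD's own tooling. It derives the network IP from the client IP and prefix length (step 2 of 13.1), builds the same client-acl request bodies as the documented curl commands, issues the POST or DELETE, and then checks the admin-service listing for the two network IP entries using the entry format shown in the example outputs above. It assumes the endpoints, keystore path and KEYSTORE_PASS variable exactly as documented; the worker group, management namespace, principal and feed name are placeholders supplied on the command line, and the prefix length is an assumption the operator must supply since the documentation does not state the subnet size.

```shell
#!/bin/sh
# Added example for sections 13.1 and 13.2; not part of OCNADD.
# Assumes the client-acl and acls endpoints, keystore path and KEYSTORE_PASS
# from the documentation. Worker group, management namespace, principal, feed
# name and prefix length are operator-supplied placeholders.
set -eu

# Step 2 of 13.1: network IP from client IP and prefix length,
# e.g. 10.1.1.15/24 -> 10.1.1.0. Pure POSIX-sh IPv4 arithmetic; IPv6 is
# rejected because the Kafka feed host ACL does not support it.
network_ip() { # clientIP prefixLength
  ip=$1 prefix=$2
  case $ip in *:*) echo "network_ip: IPv6 is not supported" >&2; return 1 ;; esac
  case $prefix in ''|*[!0-9]*) echo "network_ip: bad prefix '$prefix'" >&2; return 1 ;; esac
  [ "$prefix" -le 32 ] || { echo "network_ip: bad prefix '$prefix'" >&2; return 1; }
  saved_ifs=$IFS; IFS=.; set -- $ip; IFS=$saved_ifs
  [ $# -eq 4 ] || { echo "network_ip: bad IPv4 address '$ip'" >&2; return 1; }
  for o in "$1" "$2" "$3" "$4"; do
    case $o in ''|*[!0-9]*) echo "network_ip: bad IPv4 address '$ip'" >&2; return 1 ;; esac
    [ "$o" -le 255 ] || { echo "network_ip: bad IPv4 address '$ip'" >&2; return 1; }
  done
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  net=$(( addr & mask ))
  printf '%d.%d.%d.%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 ))
}

# Request body for the client-acl endpoint, same field names as the documented commands.
acl_body() { # principal hostName resourceType resourceName aclOperation
  printf '{ "principal": "%s", "hostName": "%s", "resourceType": "%s", "resourceName": "%s", "aclOperation": "%s" }' \
    "$1" "$2" "$3" "$4" "$5"
}

# One client-acl request using the pod's mTLS client keystore (POST adds, DELETE removes).
# -k skips server certificate verification, as in the documented commands; the
# client certificate still authenticates this caller.
acl_request() { # method workerGroup body
  curl -k --location --cert-type P12 \
    --cert "/var/securityfiles/keystore/clientKeyStore.p12:${KEYSTORE_PASS:?set KEYSTORE_PASS}" \
    --request "$1" "https://ocnaddconfiguration:12590/ocnadd-configuration/v2/$2/client-acl" \
    --header 'Content-Type: application/json' --data-raw "$3"
}

# Current ACL listing from the admin service (the documented GET).
list_acls() { # workerGroup mgmtNamespace
  curl -k --location --cert-type P12 \
    --cert "/var/securityfiles/keystore/clientKeyStore.p12:${KEYSTORE_PASS:?set KEYSTORE_PASS}" \
    --request GET "https://ocnaddadminservice.$2:9181/ocnadd-admin/v2/$1/acls"
}

# True if the listing holds an ALLOW READ entry for the resource, principal and host,
# matched as a fixed string in the entry format of the documented example output.
acl_present() { # listing resourceType resourceName principal host
  printf '%s' "$1" | grep -qF "resourceType=$2, name=$3, patternType=LITERAL), entry=(principal=User:$4, host=$5, operation=READ, permissionType=ALLOW)"
}

# True only if both entries for the host exist: TOPIC MAIN and the feed's GROUP.
network_acls_present() { # listing principal feed host
  acl_present "$1" TOPIC MAIN "$2" "$4" && acl_present "$1" GROUP "$3" "$2" "$4"
}

# Add (13.1) or delete (13.2) both network IP ACLs for a client, then verify.
network_acls() { # add|delete workerGroup mgmtNamespace principal feed clientIP prefix
  net=$(network_ip "$6" "$7")
  case $1 in add) method=POST ;; delete) method=DELETE ;;
    *) echo "usage: network_acls add|delete workerGroup mgmtNamespace principal feed clientIP prefix" >&2; return 2 ;; esac
  acl_request "$method" "$2" "$(acl_body "$4" "$net" TOPIC MAIN READ)"
  acl_request "$method" "$2" "$(acl_body "$4" "$net" GROUP "$5" READ)"
  listing=$(list_acls "$2" "$3")
  if [ "$1" = add ]; then
    network_acls_present "$listing" "$4" "$5" "$net" && echo "network IP ACLs for $net present"
  else
    ! network_acls_present "$listing" "$4" "$5" "$net" && echo "network IP ACLs for $net removed"
  fi
}

# Listing copied from the documentation's example output after the add step (13.1).
SAMPLE_LISTING_AFTER_ADD='["(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.0, operation=READ, permissionType=ALLOW))","(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))","(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.0, operation=READ, permissionType=ALLOW))","(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))"]'

# Usage inside kafka-broker-0:
#   KEYSTORE_PASS=... sh acl.sh add <workerGroup> <mgmt-namespace> joe demofeed 10.1.1.15 24
#   KEYSTORE_PASS=... sh acl.sh delete <workerGroup> <mgmt-namespace> joe demofeed 10.1.1.15 24
case "${1:-}" in add|delete) network_acls "$@" ;; esac
```

The network IP computation rejects IPv6 and malformed addresses up front, so a typo cannot silently create an ACL for a host that never connects; the verification step fails the script if either of the two expected entries is missing after an add, or still present after a delete.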