13 Configuring "Host" Based ACLs for Kafka Feed
The Kafka feed supports optional "host"-based ACLs for the external consumer application. This allows an external application to connect from a specific client machine with a specific IP address. The client application can be running inside a POD in a Kubernetes cluster where OCNADD is deployed, or in a different cluster. Since PODs do not have static IP addresses, "host"-based ACLs are optional for Kafka feeds. The client machine hosting the external Kafka application can also be a separate virtual machine in the customer cloud environment; in this case, a static IP address can be assigned to the client VM running the external Kafka consumer application.
The Kafka feed configuration has a hostname field, which is optional and currently supports only a single IP address. The default behavior of the Kafka feed is to allow all hosts to access the Kafka feeds. This default behavior applies when the user leaves the hostname field blank or provides the wildcard character *.
The hostname field can be either of the following:
- IPv4 address of the host where the consumer application is running
- Blank or the wildcard character * (this allows all host IPs)
Note:
- Pod/VM hostname-based ACLs are not yet supported in Kafka.
- IPv6 is not supported.
- Configuring a specific host IP ACL is recommended only when a static IP is used for the client machine.
- The host IP should not be configured for cloud-native client applications running in the Kubernetes cluster, since the PODs have dynamic IP assignments.
13.1 Adding network IP "Host" ACLs in Kafka Feed
Kafka authorizes the client's network IP before authorizing the specific client IP address configured in the host-based ACLs. Therefore, when a host IP ACL is configured, an ACL for the client's network IP address must also be configured, using the steps below.
Note:
These steps should be run on the specific worker group where Kafka feed support is being enabled.

1. Get the specific client IP.

2. Determine the network IP address based on the client IP subnet.

3. Access any management gateway Pod from the OCNADD deployment, for example, ocnaddmanagementgateway-x-x-x:

   kubectl exec -it ocnaddmanagementgateway-x-x-x -n <mgmt-ns> -- bash

4. Run the following curl commands to configure the host network IP ACLs, replacing <Network IP> with the IP from step 2:

   curl -k --location --cert-type P12 \
     --cert /var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD \
     --request POST 'https://ocnaddmanagementgateway.ddmgmt:12889/ocnadd-configuration/v3/client-acl?mediationGroup=<mediationGroup>' \
     --header 'Content-Type: application/json' \
     --data-raw '{ "principal": "joe", "hostName": "<Network IP>", "resourceType": "TOPIC", "resourceName": "MAIN", "aclOperation": "READ" }'

   curl -k --location --cert-type P12 \
     --cert /var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD \
     --request POST 'https://ocnaddmanagementgateway.ddmgmt:12889/ocnadd-configuration/v3/client-acl?mediationGroup=BLR:ddworker1:dd-mediation-ns:dd-mediation-cluster' \
     --header 'Content-Type: application/json' \
     --data-raw '{ "principal": "joe", "hostName": "<Network IP>", "resourceType": "GROUP", "resourceName": "demofeed", "aclOperation": "READ" }'

5. Verify the ACLs using the following curl command:

   curl -k --location --cert-type P12 \
     --cert /var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD \
     --request GET 'https://ocnaddmediationgateway.<mediation-namespace>:12890/ocnadd-admin/v2/<mediationGroup>/acls'

   Example:

   curl -k --location --cert-type P12 \
     --cert /var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD \
     --request GET 'https://ocnaddmediationgateway.dd-mediation-ns:12890/ocnadd-admin/v2/BLR:ddworker1:dd-mediation-ns:dd-mediation-cluster/acls'

   Example output, with Feed Name: demofeed, ACL user: joe, Host Name: 10.1.1.15, Network IP: 10.1.1.0:

   [
     "(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.0, operation=READ, permissionType=ALLOW))",
     "(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))",
     "(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.0, operation=READ, permissionType=ALLOW))",
     "(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))"
   ]
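To illustrate steps 2 and 4, the following shell script is an added example and is not part of the OCNADD documentation. It derives the network IP from a client IP and its subnet prefix length, then assembles the same pair of client-acl requests shown above (READ on TOPIC MAIN and READ on GROUP demofeed) for the derived network IP. The function names network_ip, acl_body, acl_request and network_acls, the OCNADD_DRY_RUN variable and the /24 prefix used in the demonstration are assumptions made here; the URL, certificate path, JSON fields and example values (10.1.1.15, joe, demofeed, the mediation group) are taken from this page.

```shell
#!/bin/sh
# Added example, not part of the OCNADD documentation: derive the network IP
# for the host-based ACL from the client IP and its subnet prefix, then build
# the two client-acl requests the procedure above issues. The helper names and
# the OCNADD_DRY_RUN variable are chosen here; the endpoint, certificate path
# and JSON fields are those the page documents.

# network_ip CLIENT_IP PREFIX_LEN
# Prints the network address of CLIENT_IP/PREFIX_LEN (IPv4 only; the page
# states IPv6 is not supported). Fails on malformed input instead of guessing.
network_ip() {
    ip=$1
    prefix=$2
    case "$prefix" in
        ''|*[!0-9]*) echo "network_ip: prefix length must be a number" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "network_ip: prefix length $prefix out of range" >&2; return 1
    fi
    case "$ip" in
        ''|*[!0-9.]*) echo "network_ip: '$ip' is not an IPv4 address" >&2; return 1 ;;
    esac
    # Split the dotted quad into $1..$4 (positional parameters are local to
    # the function, so this does not disturb the caller).
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    if [ $# -ne 4 ]; then
        echo "network_ip: '$ip' is not a dotted-quad IPv4 address" >&2; return 1
    fi
    for octet in "$@"; do
        case "$octet" in
            ''|0?*) echo "network_ip: bad octet '$octet' in $ip" >&2; return 1 ;;
        esac
        if [ "$octet" -gt 255 ]; then
            echo "network_ip: octet $octet out of range in $ip" >&2; return 1
        fi
    done
    # Pack into a 32-bit integer, clear the host bits, unpack again.
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 ))
}

# acl_body PRINCIPAL HOST RESOURCE_TYPE RESOURCE_NAME OPERATION
# Prints the JSON body in the shape the page's curl commands use.
acl_body() {
    printf '{ "principal": "%s", "hostName": "%s", "resourceType": "%s", "resourceName": "%s", "aclOperation": "%s" }' \
        "$1" "$2" "$3" "$4" "$5"
}

# acl_request METHOD MEDIATION_GROUP BODY
# Issues the client-acl call the page documents (POST adds, DELETE removes).
# With OCNADD_DRY_RUN=1 (the default here) it only prints the request so the
# derived network IP can be reviewed before anything is changed.
acl_request() {
    method=$1; group=$2; body=$3
    url="https://ocnaddmanagementgateway.ddmgmt:12889/ocnadd-configuration/v3/client-acl?mediationGroup=$group"
    if [ "${OCNADD_DRY_RUN:-1}" = 1 ]; then
        printf '%s %s\n%s\n' "$method" "$url" "$body"
        return 0
    fi
    curl -k --location --cert-type P12 \
        --cert "/var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD" \
        --request "$method" "$url" \
        --header 'Content-Type: application/json' \
        --data-raw "$body"
}

# network_acls METHOD CLIENT_IP PREFIX PRINCIPAL FEED MEDIATION_GROUP
# Applies (POST) or removes (DELETE) both network-IP ACLs the page requires:
# READ on TOPIC MAIN and READ on GROUP <feed>.
network_acls() {
    method=$1; client_ip=$2; prefix=$3; principal=$4; feed=$5; group=$6
    net=$(network_ip "$client_ip" "$prefix") || return 1
    acl_request "$method" "$group" "$(acl_body "$principal" "$net" TOPIC MAIN READ)"
    acl_request "$method" "$group" "$(acl_body "$principal" "$net" GROUP "$feed" READ)"
}

# Stand-alone demonstration with the page's example values; the /24 prefix is
# an assumption consistent with the example's 10.1.1.15 -> 10.1.1.0. The
# subshell forces dry-run mode, so nothing is sent.
( OCNADD_DRY_RUN=1; network_acls POST 10.1.1.15 24 joe demofeed 'BLR:ddworker1:dd-mediation-ns:dd-mediation-cluster' )
```

Inside the management gateway pod, call network_acls with OCNADD_DRY_RUN=0 to send the requests; with the default setting the script prints the derived network IP and the exact bodies, which is the point at which to confirm the prefix length before a READ ACL is granted for that address.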
13.2 Deleting network IP "Host" ACLs in Kafka Feed
Follow the steps below to delete specific host network IP ACLs.
Note:
The steps should be executed on the specific mediation group where Kafka feed support is present.

1. Access any management gateway Pod from the OCNADD deployment, for example, ocnaddmanagementgateway-x-x-x:

   kubectl exec -it ocnaddmanagementgateway-x-x-x -n <mgmt-ns> -- bash

2. Run the following curl commands to delete the host network IP ACLs, replacing <Network IP> with the IP to be deleted:

   curl -k --location --cert-type P12 \
     --cert /var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD \
     --request DELETE 'https://ocnaddmanagementgateway.ddmgmt:12889/ocnadd-configuration/v3/client-acl?mediationGroup=<mediationGroup>' \
     --header 'Content-Type: application/json' \
     --data-raw '{ "principal": "joe", "hostName": "<Network IP>", "resourceType": "TOPIC", "resourceName": "MAIN", "aclOperation": "READ" }'

   curl -k --location --cert-type P12 \
     --cert /var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD \
     --request DELETE 'https://ocnaddmanagementgateway.ddmgmt:12889/ocnadd-configuration/v3/client-acl?mediationGroup=BLR:ddworker1:dd-mediation-ns:dd-mediation-cluster' \
     --header 'Content-Type: application/json' \
     --data-raw '{ "principal": "joe", "hostName": "<Network IP>", "resourceType": "GROUP", "resourceName": "demofeed", "aclOperation": "READ" }'

3. Verify that the host network IP ACL has been deleted using the following curl command:

   curl -k --location --cert-type P12 \
     --cert /var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD \
     --request GET 'https://ocnaddmediationgateway.<mediation-namespace>:12890/ocnadd-admin/v2/<mediationGroup>/acls'

   Example:

   curl -k --location --cert-type P12 \
     --cert /var/securityfiles/keystore/serverKeyStore.p12:$OCNADD_SERVER_KS_PASSWORD \
     --request GET 'https://ocnaddmediationgateway.dd-mediation-ns:12890/ocnadd-admin/v2/BLR:ddworker1:dd-mediation-ns:dd-mediation-cluster/acls'

   Example output, with Feed Name: demofeed, ACL user: joe, Host Name: 10.1.1.15:

   [
     "(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))",
     "(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))"
   ]

   Here, the entries for the network IP 10.1.1.0 have been deleted; only the entries for the host IP 10.1.1.15 remain.
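The verification steps in 13.1 and 13.2 compare the returned JSON array by eye. The following shell script is an added example, not part of the OCNADD documentation, that performs the same check mechanically: it embeds the two example listings from this page (after adding and after deleting the network IP ACLs) as constructed test data, checks per host that READ on TOPIC MAIN and READ on GROUP demofeed are both present, and counts entries whose host is *, which impose no host restriction at all. The helper names (acl_entry, acl_present, count_entries, check_host_acls, wildcard_hosts) are chosen here, and the exact entry format is assumed to be the one shown in the example output above.

```shell
#!/bin/sh
# Added example, not part of the OCNADD documentation: check the ACL listing
# returned by GET .../ocnadd-admin/v2/<mediationGroup>/acls for the entries a
# Kafka feed consumer needs. The two listings are copied from the page's
# example output; the helper names are chosen here.

# Constructed test data: listing after 13.1 (host IP and network IP entries).
LISTING_AFTER_ADD='["(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.0, operation=READ, permissionType=ALLOW))","(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))","(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.0, operation=READ, permissionType=ALLOW))","(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))"]'

# Constructed test data: listing after 13.2 (network IP entries removed).
LISTING_AFTER_DELETE='["(pattern=ResourcePattern(resourceType=GROUP, name=demofeed, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))","(pattern=ResourcePattern(resourceType=TOPIC, name=MAIN, patternType=LITERAL), entry=(principal=User:joe, host=10.1.1.15, operation=READ, permissionType=ALLOW))"]'

# acl_entry TYPE NAME PRINCIPAL HOST OP
# Prints one ALLOW entry exactly as the listing renders it.
acl_entry() {
    printf '(pattern=ResourcePattern(resourceType=%s, name=%s, patternType=LITERAL), entry=(principal=User:%s, host=%s, operation=%s, permissionType=ALLOW))' \
        "$1" "$2" "$3" "$4" "$5"
}

# acl_present LISTING TYPE NAME PRINCIPAL HOST OP -> 0 if that entry is present.
# The trailing ", operation=" in the entry keeps host=10.1.1.1 from matching
# host=10.1.1.15.
acl_present() {
    wanted=$(acl_entry "$2" "$3" "$4" "$5" "$6")
    case "$1" in
        *"$wanted"*) return 0 ;;
    esac
    return 1
}

# count_entries LISTING SUBSTRING -> number of occurrences, using only shell
# parameter expansion so it runs in a minimal pod image.
count_entries() {
    rest=$1
    n=0
    [ -n "$2" ] || { echo 0; return 0; }
    while :; do
        case "$rest" in
            *"$2"*) rest=${rest#*"$2"}; n=$((n + 1)) ;;
            *) break ;;
        esac
    done
    echo "$n"
}

# check_host_acls LISTING PRINCIPAL FEED HOST
# A consumer host needs READ on TOPIC MAIN and READ on GROUP <feed>; the page
# configures both for the host IP and, additionally, for the network IP.
check_host_acls() {
    missing=""
    acl_present "$1" TOPIC MAIN "$2" "$4" READ || missing="$missing TOPIC:MAIN"
    acl_present "$1" GROUP "$3" "$2" "$4" READ || missing="$missing GROUP:$3"
    if [ -n "$missing" ]; then
        echo "host $4: missing READ on$missing"
        return 1
    fi
    echo "host $4: READ on TOPIC:MAIN and GROUP:$3 present"
}

# wildcard_hosts LISTING -> number of ALLOW entries with host=*, i.e. entries
# that place no restriction on the client host (the default the page describes).
wildcard_hosts() {
    count_entries "$1" 'host=*,'
}

# Stand-alone demonstration on the page's two example listings.
for host in 10.1.1.15 10.1.1.0; do
    echo "after add:    $(check_host_acls "$LISTING_AFTER_ADD" joe demofeed "$host")"
    echo "after delete: $(check_host_acls "$LISTING_AFTER_DELETE" joe demofeed "$host")"
done
echo "ALLOW entries after add: $(count_entries "$LISTING_AFTER_ADD" 'permissionType=ALLOW')"
echo "wildcard-host entries after add: $(wildcard_hosts "$LISTING_AFTER_ADD")"
```

To use it against a live deployment, capture the GET response from step 5 of 13.1 (or step 3 of 13.2) into a variable and pass it as the listing; a non-zero wildcard_hosts count means at least one feed is reachable from any host, which is the default behaviour the page describes and worth confirming is intended.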