Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Post Messages to Kafka Stream with Resource Principal Authentication using OCI Functions
Introduction
This tutorial shows how Oracle Cloud Infrastructure (OCI) Functions and OCI Streaming work together in real-time data pipelines. We will explore a secure and efficient approach to message production that uses the Oracle resource principal authentication method and the singleton design pattern. Resource principal authentication simplifies security management by authenticating serverless functions with OCI Streaming services, while the singleton pattern optimizes resource utilization and enhances message production efficiency. Together, OCI Functions and OCI Streaming let developers build robust and scalable event-driven solutions.
OCI Streaming: OCI has an array of tools for handling data in the cloud, with OCI Streaming being one such service tailored for high-throughput, real-time data streams. By leveraging OCI Streaming, developers can construct scalable and dependable data pipelines that efficiently ingest, process, and distribute data streams.
OCI Functions: OCI Functions is a fully managed, multi-tenant, highly scalable, on-demand, Functions-as-a-Service platform. It is built on enterprise-grade OCI and powered by the Fn Project open source engine. Use OCI Functions (sometimes abbreviated as Functions, and formerly known as Oracle Functions) when you want to focus on writing code to meet business needs.
Resource Principal Authentication: You can use a resource principal to authenticate and access OCI resources. The resource principal consists of a temporary session token and secure credentials that enable an OCI function to authenticate itself to other OCI services, such as OCI Streaming.
Note:
- This tutorial is designed solely for educational and study purposes. It provides an environment for learners to experiment and gain practical experience in a controlled setting. It is crucial to note that the security configurations and practices employed in this tutorial might not be suitable for real-world scenarios.
- Security considerations for real-world applications are often far more complex and dynamic. Therefore, before implementing any of the techniques or configurations demonstrated here in a production environment, it is essential to conduct a comprehensive security assessment and review. This review should encompass all aspects of security, including access control, encryption, monitoring, and compliance, to ensure that the system aligns with the organization’s security policies and standards.
- Security should always be a top priority when transitioning from a lab environment to a real-world deployment.
Objectives
- Produce messages into a streaming topic within an OCI stream pool using OCI Functions. Using the Oracle resource principal authentication method and the singleton design pattern in Java, this tutorial guides you through securely authenticating serverless functions with the Kafka API and optimizing resource utilization for efficient message production.
Prerequisites
- Oracle Cloud Infrastructure
  - Oracle account with admin level access permissions.
  - A compartment to create your resources.
    Note: Note the compartment name and compartment ID.
  - VCN with a private subnet. For more information, see Creating a Virtual Cloud Network.
  - Stream pool on the private subnet from your VCN. For more information, see Creating a Stream Pool.
  - Stream called my-pvt-topic, created on the above stream pool. For more information, see Creating a Stream.
- Local machine environment
  - An Oracle Linux compute instance on the private subnet. This is important for accessing resources on the private subnet, such as OCI Streaming and Functions that will be deployed during this tutorial.
  - An OCI Bastion host to connect to the Oracle Linux compute instance and perform tasks for the tutorial. For more information, see Bastion Overview.
  - Local Oracle Cloud Infrastructure Command Line Interface (OCI CLI) setup. For more information, see Installing the CLI.
  - Local Docker to be able to build images. If you are using Oracle Linux, see Docker : Install Docker on Oracle Linux 8 (OL8).
  - Local Fn CLI to be able to deploy your function to OCI. For more information, see Installing the Fn Project CLI.
Task 1: Set up Dynamic Groups
Go to your domain, click Dynamic Groups and create the following groups.
- Group Name: MyFunctions.

    ALL {resource.type = 'fnfunc', resource.compartment.id = 'pasteYourCompartmentOCID'}

Task 2: Create Policies
Go to Policies and create the following policies.
- Policy Name: FunctionsPolicies.

    Allow dynamic-group MyFunctions to {STREAM_INSPECT, STREAM_READ, STREAM_CONSUME, STREAM_PRODUCE} in compartment YOUR-COMPARTMENT-NAME
    Allow dynamic-group MyFunctions to read repos in compartment YOUR-COMPARTMENT-NAME

Task 3: Create OCI Container Registry
- Go to Developer Services, click Container registry and create a private repository for the Fn image.
  Name: lab/fn-java-streaming.
- Check the repositories and take a note of the Namespace.
- Open the terminal shell where you have OCI CLI and Docker installed, and log in to the registry. Check the correct URL for your region. In this tutorial, we are using Brazil East (Sao Paulo) where the registry URL is gru.ocir.io.

    docker login gru.ocir.io
    Username: <your container namespace>/youruser
    Password: YOUR_AUTH_TOKEN_CREATED_EARLIER

Task 4: Create the Java OCI Functions to receive the Message and Publish to the OCI Streaming Topic
Note: Make sure you select your private subnet, the same subnet as your stream pool.
- Go to Developer Services, under Functions, click Applications and then click Create application.
- Create a few configurations to store OCI Streaming settings.
  Note: These configuration variables are used by this tutorial's Java sample code to produce messages to your stream. Make sure you pass the correct ones from your environment.

    Secret Name          Value
    BOOTSTRAP_SERVERS    paste your Stream Pool Bootstrap servers on port 9092
    STREAM_POOL_OCID     paste your Stream Pool OCID
    STREAM_TOPIC_NAME    paste your Stream Name

- Go to the terminal shell where you have Docker, OCI CLI, and Fn Project CLI installed and run the following commands to initialize the function.
  Note: If you followed the tasks, your Docker log in command has already been executed by now. If not, proceed with the Docker log in steps in Task 3.

    fn create context oci-cloud --provider oracle
    fn use context oci-cloud
    fn update context oracle.compartment-id PASTE_YOUR_COMPARTMENT_OCID
    fn update context api-url https://functions.sa-saopaulo-1.oraclecloud.com
    fn update context registry gru.ocir.io/PASTE_YOUR_REGISTRY_NAMESPACE/lab

  Note: In this tutorial, we are using the Brazil East (Sao Paulo) region. If you are using a different region, you need to change the api-url and registry locations.
- Get the Java function sample code from here: fn-java-streaming.zip and unzip it on your bastion console shell machine.

    # check your file is there
    ls -lrt
    # unzip the file
    unzip fn-java-streaming.zip

  This simple Java code project will produce a message to the topic called my-pvt-topic from your stream pool. It will use the Fn configuration values created in step 3.
  - HelloFunction.java.
  - KafkaProducerSingleton.java.
- Build the new code and deploy the function.

    cd fn-java-streaming
    ls -lrt
    fn deploy --app fn-lab

- Invoke the function.

    # Invoke the function to check if it is working as expected.
    echo -n 'Hello from OSS' | fn invoke fn-lab fn-java-streaming

  Note: The first call may take up to 1 minute to call the function.
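The following added example is not the code from fn-java-streaming.zip. It shows one way a singleton Kafka producer can read the three configuration values from Task 4 and authenticate with the function's resource principal. The class name StreamProducerHolder is hypothetical, and the SASL mechanism OCI-RSA-SHA256 and login module com.oracle.bmc.auth.sasl.ResourcePrincipalsLoginModule are assumed to come from the OCI Java SDK SASL add-on, on the classpath alongside kafka-clients.

```java
import java.util.Properties;
import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.serialization.StringSerializer;

// Added example; StreamProducerHolder is a hypothetical name, not a class from the zip.
public final class StreamProducerHolder {
    private static volatile KafkaProducer<String, String> producer;
    private StreamProducerHolder() {}
    // Fn passes application configuration to the function as environment variables.
    static String required(String key) {
        String v = System.getenv(key);
        if (v == null || v.isBlank()) throw new IllegalStateException("Missing config: " + key);
        return v.trim();
    }
    static Properties buildConfig() {
        String pool = required("STREAM_POOL_OCID");
        // The OCID is spliced into a JAAS string, so reject quotes, ';' and whitespace.
        if (!pool.matches("ocid1\\.streampool\\.[A-Za-z0-9._-]+"))
            throw new IllegalStateException("STREAM_POOL_OCID is not a stream pool OCID");
        Properties p = new Properties();
        p.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, required("BOOTSTRAP_SERVERS"));
        p.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        p.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        p.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
        // Assumption: mechanism and login module of the OCI Java SDK SASL add-on.
        p.put(SaslConfigs.SASL_MECHANISM, "OCI-RSA-SHA256");
        p.put(SaslConfigs.SASL_JAAS_CONFIG, "com.oracle.bmc.auth.sasl.ResourcePrincipalsLoginModule"
                + " required intent=\"streamPoolId:" + pool + "\";");
        return p;
    }
    // Double-checked locking: warm invocations in one container share one producer.
    static KafkaProducer<String, String> get() {
        KafkaProducer<String, String> local = producer;
        if (local == null) {
            synchronized (StreamProducerHolder.class) {
                if ((local = producer) == null) producer = local = new KafkaProducer<>(buildConfig());
            }
        }
        return local;
    }
    public static void send(String message) throws Exception {
        // Block on the future so a rejected send fails the invocation instead of being lost.
        get().send(new ProducerRecord<>(required("STREAM_TOPIC_NAME"), message)).get();
    }
}
```

No user name, auth token or key file appears in this configuration: the function's identity comes from its resource principal, which the dynamic group in Task 1 and the policy in Task 2 authorize.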
Acknowledgments
- Author - Joao Tarla (Oracle LAD A-Team Solution Engineer)
F93745-01
February 2024
Copyright © 2024, Oracle and/or its affiliates.