Add protected namespaces possibility #497

Merged
merged 3 commits into from
Jan 22, 2025

Collaborator

@ThomasCAI-mlv ThomasCAI-mlv commented Dec 17, 2024

I propose the concept of protected namespaces.
The idea is to add an extra layer of security to protect sensitive data produced by given namespaces, so that only a protected namespace can consume data from another protected namespace. The public namespaces will not be able to consume data produced by protected namespaces.

In ns4kafka, this protection will be at the ACL level:

  • ✅ Protected namespace can grant ACL to another protected namespace
  • ❌ Protected namespace cannot grant ACL to a public namespace
  • ✅ Public namespace can grant ACL to a protected namespace
  • ✅ Public namespace can grant ACL to another public namespace
  • ❌ Protected namespace cannot create public ACL (giving access to all other namespaces of the cluster)

Other info:

  • Namespaces are considered protected if their config spec.protectionEnabled is true
  • Namespaces will be public by default.
  • For the Michelin D2 data use case, it would provide extra security in addition to the usage of OAuth2 on Confluent Cloud (which replaces API key & API secret auth).

@ThomasCAI-mlv ThomasCAI-mlv self-assigned this Dec 17, 2024
@ThomasCAI-mlv ThomasCAI-mlv marked this pull request as draft December 17, 2024 16:46
@ThomasCAI-mlv ThomasCAI-mlv added the feature This issue adds a new feature label Dec 17, 2024
@ThomasCAI-mlv ThomasCAI-mlv changed the title Add secured namespaces concept Add secured namespaces possibility Dec 17, 2024
@ThomasCAI-mlv ThomasCAI-mlv marked this pull request as ready for review December 18, 2024 14:33
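
The ACL rules listed in the pull request description above, modelled as a small decision function plus an audit over existing grants. This is an added example, not code from the pull request or from ns4kafka: the Python names, the `*` marker for a public ACL, the fail-closed handling of unknown namespaces and the sample namespaces are all assumptions; only `spec.protectionEnabled` and the allow/deny rules come from the description.

```python
from dataclasses import dataclass

PUBLIC_GRANTEE = "*"  # assumption: marker for an ACL open to every namespace

@dataclass(frozen=True)
class Namespace:
    name: str
    protection_enabled: bool = False  # namespaces are public by default

    @classmethod
    def from_resource(cls, resource: dict) -> "Namespace":
        spec = resource.get("spec") or {}
        # Only a literal boolean true enables protection; anything else is public.
        return cls(resource["metadata"]["name"], spec.get("protectionEnabled") is True)

def check_grant(grantor: str, granted_to: str, namespaces: dict) -> tuple:
    """Return (allowed, reason) for an ACL that `grantor` gives to `granted_to`."""
    owner = namespaces.get(grantor)
    if owner is None:
        return False, f"unknown grantor namespace {grantor!r}"
    if not owner.protection_enabled:
        # Assumption: public namespaces keep every grant they could make before.
        return True, "public namespace may grant to any namespace"
    if granted_to == PUBLIC_GRANTEE:
        return False, "protected namespace cannot create a public ACL"
    target = namespaces.get(granted_to)
    if target is None:
        # Fail closed (assumption): never expose protected data to an unresolved name.
        return False, f"unknown grantee namespace {granted_to!r}"
    if not target.protection_enabled:
        return False, "protected namespace cannot grant to a public namespace"
    return True, "both namespaces are protected"

def audit(acls: list, namespaces: dict) -> list:
    """Existing (grantor, granted_to) pairs that break the rules, with the reason."""
    checked = [(g, t, check_grant(g, t, namespaces)) for g, t in acls]
    return [(g, t, reason) for g, t, (ok, reason) in checked if not ok]

# Constructed sample data, not taken from the pull request.
RESOURCES = [
    {"metadata": {"name": "payments"}, "spec": {"protectionEnabled": True}},
    {"metadata": {"name": "fraud"}, "spec": {"protectionEnabled": True}},
    {"metadata": {"name": "marketing"}, "spec": {}}, {"metadata": {"name": "web"}},
]
NAMESPACES = {n.name: n for n in map(Namespace.from_resource, RESOURCES)}
ACLS = [("payments", "fraud"), ("payments", "marketing"), ("marketing", "payments"),
        ("marketing", "web"), ("payments", "*"), ("web", "*")]

if __name__ == "__main__":
    print(*audit(ACLS, NAMESPACES), sep="\n")
```

Running `audit` over the grants that already exist is useful when protection is switched on for a namespace that has been sharing data, since those older grants were accepted under the public rules.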
Collaborator

@loicgreffier loicgreffier left a comment

@ThomasCAI-mlv Looks good to me overall. Some minor improvements.

Regarding the wording, what do you think about public namespace and private (or protected) namespace?

@ThomasCAI-mlv ThomasCAI-mlv changed the title Add secured namespaces possibility Add protected namespaces possibility Jan 21, 2025
Collaborator

@loicgreffier loicgreffier left a comment

@ThomasCAI-mlv LGTM 😀

@loicgreffier loicgreffier merged commit 2e90479 into master Jan 22, 2025
4 checks passed
@loicgreffier loicgreffier deleted the feat/secured-namespace branch January 22, 2025 20:06