-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsequence-diagrams.uml
105 lines (97 loc) · 4.54 KB
/
sequence-diagrams.uml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
@startuml
skinparam monochrome true
title Securing Kafka brokers with Authorino
actor sysadmin
actor "Resource owner"
participant Producer
participant Consumer
participant "Kubernetes API"
participant Envoy
participant Authorino
participant Kafka
== Setup ==
sysadmin -> "Kubernetes API" : Setup Kafka authentication
note left: apiVersion: authorino.3scale.net/v1beta1\nkind: AuthConfig\nspec:\n host: edge.kafka.svc\n identity:\n - apiKey: {...}\n response:\n - wristband:\n issuer: https://authorino-authorino-oidc.kafka.svc:8083/kafka/authentication/wristband
"Kubernetes API" -> Authorino : Reconcile
Authorino -> Authorino : Cache authN config
sysadmin -> "Kubernetes API" : Setup Kafka authorization
note left: apiVersion: authorino.3scale.net/v1beta1\nkind: AuthConfig\nspec:\n host: auth.kafka.svc\n identity:\n - oidc:\n endpoint: https://authorino-authorino-oidc.kafka.svc:8083/kafka/authentication/wristband\n response:\n - json: {...}
"Kubernetes API" -> Authorino : Reconcile
Authorino -> Authorino : Cache authZ config
sysadmin -> "Kubernetes API" : Setup Kafka cluster
note left: apiVersion: kafka.strimzi.io/v1beta2\nkind: Kafka\nspec:\n authentication: https://authorino-authorino-oidc.kafka.svc:8083/kafka/authentication/wristband\n authorization: http://auth.kafka.svc:8000/check
"Kubernetes API" -> Kafka : Reconcile
Kafka -> Kafka : Start new cluster
Kafka -> Authorino : Fetch wristband JWKS
note left: GET https://authorino-authorino-oidc.kafka.svc:8083/kafka/authentication/wristband/.well-known/openid-connect/certs
Authorino -> Kafka
note right: JWKS
Kafka -> Kafka : Cache JWKS
== Share access ==
"Resource owner" -> "Kubernetes API" : Create producer API key
note left: kind: Secret\nannotations:\n kafka-auth/username: kafka-producer\n kafka-auth/resource: topic:demo\n kafka-auth/operations: "Create Describe Write"
"Kubernetes API" -> Authorino : Reconcile
Authorino -> Authorino : Cache producer API key
"Resource owner" -> Producer : Share API key
note right: <api-producer-api-key>
"Resource owner" -> "Kubernetes API" : Create consumer API key
note left: kind: Secret\nannotations:\n kafka-auth/username: kafka-consumer\n kafka-auth/resource: topic:demo\n kafka-auth/operations: "Describe Read"
"Kubernetes API" -> Authorino : Reconcile
Authorino -> Authorino : Cache consumer API key
"Resource owner" -> Consumer : Share API key
note right: <api-consumer-api-key>
newpage Produce
Producer -> Envoy : Request wristband
note right: GET http://edge.kafka.svc/token\nAuthorization: APIKEY <api-producer-ai-key>
Envoy -> Authorino : Authenticate
Authorino -> Authorino : Validate API key
Authorino -> Envoy : Supply wristband
note left: iss: https://authorino-authorino-oidc.kafka.svc:8083/kafka/authentication/wristband\npreferred_username: kafka-producer\nrsname: topic:demo\nscopes: Create Describe Write
Envoy -> Producer
Producer -> Kafka : Connect
note right: Wristband
Kafka -> Kafka : Verify/validate Wristband
Kafka -> Producer : OK
Producer -> Kafka : Produce message
note right: "Hello"
loop 10s
Kafka -> Envoy : Request authorization
note left: POST http://auth.kafka.svc/check\nAuthorization: Bearer <wristband>
Envoy -> Authorino : Authorize
Authorino -> Authorino : Verify/Validate wristband
Authorino -> Envoy : Supply permissions
note left: [{"rsname":"topic:demo","scopes":"Create Describe Write"}]
Envoy -> Kafka
Kafka -> Kafka : Cache permissions
end
Kafka -> Kafka : Check permissions
Kafka -> Kafka : Stream message
note right: "Hello"
Kafka -> Producer : ACK
newpage Consume
Consumer -> Envoy : Request wristband
note right: GET http://edge.kafka.svc/token\nAuthorization: APIKEY <api-consumer-ai-key>
Envoy -> Authorino : Authenticate
Authorino -> Authorino : Validate API key
Authorino -> Envoy : Supply wristband
note left: iss: https://authorino-authorino-oidc.kafka.svc:8083/kafka/authentication/wristband\npreferred_username: kafka-consumer\nrsname: topic:demo\nscopes: Describe Read
Envoy -> Consumer
Consumer -> Kafka : Connect
note right: Wristband
Kafka -> Kafka : Verify/validate Wristband
Kafka -> Consumer : OK
Consumer -> Kafka : Consume message
loop 10s
Kafka -> Envoy : Request authorization
note left: POST http://auth.kafka.svc/check\nAuthorization: Bearer <wristband>
Envoy -> Authorino : Authorize
Authorino -> Authorino : Verify/validate wristband
Authorino -> Envoy : Supply permissions
note left: [{"rsname":"topic:demo","scopes":"Describe Read"}]
Envoy -> Kafka
Kafka -> Kafka : Cache permissions
end
Kafka -> Kafka : Check permissions
Kafka -> Consumer : Consumer message
note left: "Hello"
@enduml