Page MenuHomePhabricator
Create Task
Maniphest T250146

Add Authentication/Encryption to Kafka Jumbo's clients
Open, Stalled, MediumPublic
Actions

Description

Tracking task to list all the work to do to add encryption/authentication to Kafka Jumbo clients. The motivations are multiple:

  • PII data in transit from various links should be encrypted. Cross-DC links are especially problematic since we consider them not trusted.
  • Consumers should trust a Kafka topic broker using TLS, to avoid any man of the middle attack.
  • Consumers of PII data should be authenticated via TLS or SASL/GSS-API/Kerberos (the latter seems the best option).

Related Objects
Search...

Event Timeline

elukey triaged this task as High priority.Apr 14 2020, 10:51 AM
elukey created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 14 2020, 10:51 AM
elukey added a subtask: T248980: Move netflow to TLS encryption/authentication via librdkafka.Apr 14 2020, 10:51 AM
elukey added a subtask: Restricted Task.Apr 14 2020, 10:55 AM
elukey added a parent task: Restricted Task.
Ottomata renamed this task from Add Authentication/Encryption to Kafka Jumbo's consumer to Add Authentication/Encryption to Kafka Jumbo's clients.Apr 14 2020, 1:12 PM
Ottomata updated the task description. (Show Details)
jbond subscribed.Apr 14 2020, 1:16 PM
elukey added a subtask: Restricted Task.Apr 17 2020, 1:06 PM
Nuria closed subtask T248980: Move netflow to TLS encryption/authentication via librdkafka as Resolved.Apr 27 2020, 8:34 PM
Nuria closed subtask T250147: Add TLS encryption support to Kafkatee and enable it where possible as Resolved.May 4 2020, 6:55 PM
Nuria closed subtask T250250: Add TLS to Kafka Mirror Maker as Resolved.May 4 2020, 7:12 PM
Nuria closed subtask T250149: Enable TLS encryption from Eventgate to Kafka as Resolved.May 4 2020, 7:22 PM
Ottomata moved this task from Incoming to Security Maturity and Data Privacy on the Analytics board.May 11 2020, 3:53 PM
elukey changed the task status from Open to Stalled.May 18 2020, 4:17 PM

Status update: we added encryption to various Kafka Jumbo clients (netflow, eventgate-analytics, kafkatee, mirror-maker, etc..) but we are still not able to move forward with authentication due to T250148 (complex task that will probably mean to replace Camus for data ingestion from Kafka to HDFS).

elukey added a subtask: T252560: [Spike] Explore goblin as an alternative to camus .May 18 2020, 4:32 PM
elukey closed subtask T250148: Establish if Camus can support TLS encryption + Authentication to Kafka with a minimal code change as Declined.Jun 16 2020, 8:45 AM
Nuria closed subtask Restricted Task as Resolved.Sep 28 2020, 5:42 PM
elukey removed elukey as the assignee of this task.Jun 1 2021, 8:08 AM
odimitrijevic added a project: Data-Engineering.Jan 6 2022, 2:20 AM
odimitrijevic moved this task from Incoming (new tickets) to Security & Governance on the Data-Engineering board.Jan 6 2022, 2:24 AM
odimitrijevic removed a project: Analytics.Jan 11 2022, 11:22 PM
JArguello-WMF moved this task from Security & Governance to Incoming (new tickets) on the Data-Engineering board.Jun 29 2023, 11:44 PM
JArguello-WMF moved this task from Incoming (new tickets) to Radar (External Teams) on the Data-Engineering board.Jun 29 2023, 11:51 PM
BTullis edited projects, added Data-Platform-SRE; removed Data-Engineering.Jul 14 2023, 11:26 PM
Gehel lowered the priority of this task from High to Medium.Dec 7 2023, 1:52 PM
Gehel moved this task from Incoming to Misc on the Data-Platform-SRE board.
Gehel moved this task from Misc to Security on the Data-Platform-SRE board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits