Page MenuHomePhabricator
Create Task
Maniphest T92602

Secure inter-datacenter web request log (Kafka) traffic
Closed, ResolvedPublic
Actions

Description

The Kafka development team seems to have only begun discussing this recently, in 3Q 2014:
https://cwiki.apache.org/confluence/display/KAFKA/Security

To secure this traffic using IPsec would mean defining SAs on Varnish nodes (Kafka producers) in ESAMS and ULSFO, as well as on the Kafka brokers. IPsec would not be required between Kafka brokers and consumers (Hadoop workers) because at this time that traffic flow is strictly intra-datacenter at EQIAD.

Implementation would involve modifying the ipsec role to reference Hiera keys which enumerate Varnish nodes (including misc and parsoid caches), and extending enumeration of remote IPsec hosts on Varnish nodes to include Kafka brokers.

Details

SubjectRepoBranchLines +/-
kafka::server: allow ipsec trafficoperations/puppetproduction+13 -0
Revert "ipsec-for-kafka: limit to kafka1012 + cp4011 for testing"operations/puppetproduction+10 -24
ipsec-for-kafka: limit to kafka1012 + cp4011 for testingoperations/puppetproduction+24 -10
apply ipsec associations to kafka brokersoperations/puppetproduction+48 -19
Customize query in gerrit

Related Objects
Search...

Event Timeline

Gage created this task.Mar 13 2015, 5:36 AM
Gage raised the priority of this task from to Needs Triage.
Gage updated the task description. (Show Details)
Gage added projects: Interdatacenter-IPsec, acl*sre-team, Analytics-Clusters.
Gage added subscribers: Gage, Ottomata.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2015, 5:36 AM
Gage mentioned this in T92603: Monitor IPsec status.Mar 13 2015, 5:36 AM
Gage triaged this task as Medium priority.Mar 30 2015, 4:05 PM
Gage set Security to None.
BBlack mentioned this in T81543: Enable IPSec between datacenters.May 3 2015, 11:19 PM
Ottomata added a parent task: T98161: Build Kafka 0.8.1.1 package for Jessie and upgrade Brokers to Jessie..May 5 2015, 4:15 PM
Ottomata removed a parent task: T98161: Build Kafka 0.8.1.1 package for Jessie and upgrade Brokers to Jessie..
Ottomata added a subtask: T98161: Build Kafka 0.8.1.1 package for Jessie and upgrade Brokers to Jessie..
Ottomata closed subtask T98161: Build Kafka 0.8.1.1 package for Jessie and upgrade Brokers to Jessie. as Declined.Jul 31 2015, 2:09 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptJul 31 2015, 2:09 PM
Ottomata added a subtask: T106581: Build 0.8.2.1 Kafka package and upgrade Kafka brokers.Jul 31 2015, 2:10 PM
BBlack added a parent task: T81543: Enable IPSec between datacenters.Aug 3 2015, 4:06 PM
BBlack removed a parent task: T81543: Enable IPSec between datacenters.Aug 27 2015, 3:01 AM
BBlack added a project: Traffic.
Ottomata added a comment.Aug 27 2015, 1:35 PM

FYI, our Kafka upgrade and expansion is complete. All Kafka brokers are now Jessie, so I think this can proceed.

kevinator closed subtask T106581: Build 0.8.2.1 Kafka package and upgrade Kafka brokers as Resolved.Aug 29 2015, 12:19 AM
faidon subscribed.Sep 6 2015, 8:53 PM

Kafka upstream is getting TLS/SSL support pretty soon. Last rumour I heard is 0.8.3 (due in October) for Kafka proper. librdkafka already has support for it in master which will be released with the next release I think. It should also require no modifications to varnishkafka. I'm not sure what's the status with other libraries we use or may want to use in the future, especially if they're not layered on top of librdkafka.

I don't think it makes much sense to go for IPsec at this point — let's just go for TLS directly.

faidon added a parent task: T111653: Encrypt all the things.Sep 6 2015, 8:59 PM
BBlack subscribed.Dec 7 2015, 5:12 PM

Due to scheduling constraints and the new-ness of the TLS-capable release of kafka, we're going to rely on IPSec for this for now and revisit TLS for it later. Patches will be incoming this week.

gerritbot subscribed.Dec 15 2015, 1:35 PM

Change 259240 had a related patch set uploaded (by BBlack):
apply ipsec associations to kafka brokers

https://gerrit.wikimedia.org/r/259240

gerritbot added a project: Patch-For-Review.Dec 15 2015, 1:35 PM
gerritbot added a comment.Dec 15 2015, 1:54 PM

Change 259240 merged by BBlack:
apply ipsec associations to kafka brokers

https://gerrit.wikimedia.org/r/259240

gerritbot added a comment.Dec 15 2015, 3:41 PM

Change 259263 had a related patch set uploaded (by BBlack):
ipsec-for-kafka: limit to kafka1012 cp4011 for testing

https://gerrit.wikimedia.org/r/259263

gerritbot added a comment.Dec 15 2015, 3:47 PM

Change 259263 merged by BBlack:
ipsec-for-kafka: limit to kafka1012 cp4011 for testing

https://gerrit.wikimedia.org/r/259263

gerritbot added a comment.Dec 15 2015, 4:58 PM

Change 259280 had a related patch set uploaded (by BBlack):
Revert "ipsec-for-kafka: limit to kafka1012 cp4011 for testing" Revert "post-merge fixup for 8b9dfe360"

https://gerrit.wikimedia.org/r/259280

gerritbot added a comment.Dec 15 2015, 4:59 PM

Change 259280 merged by BBlack:
Revert "ipsec-for-kafka: limit to kafka1012 cp4011 for testing"

https://gerrit.wikimedia.org/r/259280

gerritbot added a comment.Dec 15 2015, 5:44 PM

Change 259290 had a related patch set uploaded (by BBlack):
kafka::server: allow ipsec traffic

https://gerrit.wikimedia.org/r/259290

gerritbot added a comment.Dec 15 2015, 5:44 PM

Change 259290 merged by BBlack:
kafka::server: allow ipsec traffic

https://gerrit.wikimedia.org/r/259290

BBlack closed this task as Resolved.Dec 15 2015, 7:00 PM
BBlack claimed this task.
BBlack mentioned this in T121561: Encrypt Kafka traffic, and restrict access via ACLs.
BBlack moved this task from Backlog to Done on the Traffic board.Jan 13 2016, 3:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits