Hi Amila,

Sorry for the late reply. I did some research regarding your question. Yes,
client authentication is achieved using mutual SSL. As far as I know, there
aren't any management APIs in Kafka to apply ACLs and upload
certificates. But [1] may help us to
do that. I am still not sure about the functionalities of this tool. I will
update you soon.

[1] https://github.com/simplesteph/kafka-security-manager

On Thu, Aug 6, 2020 at 12:46 PM Amila De Silva <ami...@wso2.com> wrote:

> Hi Ziyam,
>
> Thanks for the clarification. As I understand [1], client authentication is
> achieved through Mutual SSL, which means that when creating a subscription
> each client app should be able to upload their certificate, isn't it? And
> are there any management APIs in Kafka that allows applying ACLs and
> uploading certificates, or do we plan to do it manually?
>
> [1]
> https://kafka.apache.org/20/documentation/streams/developer-guide/security.html
>
> On Wed, Aug 5, 2020 at 3:39 PM Ziyam Santhosh (Intern) <zi...@wso2.com>
> wrote:
>
>> Hi Amila!
>> Basically Kafka topics and streams have their own security policies
>> applied through certificates which determine what users can do with those
>> topics such as read-only or read and write authorities. Our developer
>> portal will be the issuer of these certificates. These certificates will be
>> issued to people who have a valid subscription to the API.
>>
>> On Wed, Aug 5, 2020 at 8:04 AM Nuwan Dias <nuw...@wso2.com> wrote:
>>
>>> [Adding Frank and Vanji]
>>>
>>> On Tue, Aug 4, 2020 at 5:05 PM Amila De Silva <ami...@wso2.com> wrote:
>>>
>>>> Hi Ziyam,
>>>>
>>>> On Tue, Aug 4, 2020 at 1:48 PM Nuwan Dias <nuw...@wso2.com> wrote:
>>>>
>>>>> [Adding Frank and Vanji]
>>>>>
>>>>> On Tue, Aug 4, 2020 at 1:26 PM Ziyam Santhosh (Intern) <zi...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Introduction to AsyncAPI specification
>>>>>>
>>>>>> *Nowadays, AsyncAPI is one of the most popular topics in the world of
>>>>>> event-driven APIs. Earlier, there was a need for a tool to specify and
>>>>>> document the event-driven APIs where OpenAPI specifications are restricted
>>>>>> only to document REST APIs. Then after, AsyncAPI specification was
>>>>>> introduced to document the specifications for event-driven APIs. There are
>>>>>> many similarities between OpenAPI specifications and AsyncAPI
>>>>>> specifications because AsyncAPI was inspired by OpenAPI. Keywords can be
>>>>>> mentioned as one of the major differences between them. (Eg: The endpoints
>>>>>> of the REST API are called as paths and endpoints of Event-driven API are
>>>>>> called as channels).*
>>>>>>
>>>>>> Why AsyncAPI for WSO2 API Manager?
>>>>>>
>>>>>> *AsyncAPI specification helps to understand the defined APIs for both
>>>>>> humans and machines. This makes it more special to be used by most of the
>>>>>> developers. Enabling the usage of AsyncAPI specifications in WSO2 API
>>>>>> manager will help our developers and consumers to easily work with
>>>>>> event-driven APIs within our product.*
>>>>>>
>>>>>> Objectives of the project
>>>>>>
>>>>>>    1. Users will be able to use existing Websocket or Kafka endpoints
>>>>>>    to create event-driven APIs by importing their AsyncAPI specifications.
>>>>>>    2. Application developers will be able to subscribe to those
>>>>>>    event-driven APIs and be allowed to consume WebSockets and Kafka streams.
>>>>>>
>>>>>> Importing AsyncAPI specifications
>>>>>>
>>>>>> *API Manager already supports WebSockets. After the implementation of
>>>>>> this project, a WebSocket can be easily created by importing its AsyncAPI
>>>>>> specification. Kafka is a distributed streaming platform which helps to
>>>>>> build event-driven applications. These applications may have event-driven
>>>>>> APIs. These APIs which are created using Kafka protocols can be described
>>>>>> using AsyncAPI specifications. By importing these specifications into the
>>>>>> APIM, we can enable the application developers to consume Kafka streams by
>>>>>> subscribing to these APIs. This will be a new feature for our APIM.*
>>>>>>
>>>>>> Subscribing to event-driven APIs
>>>>>>
>>>>>> When an application developer subscribes to consume a WebSocket API,
>>>>>> that particular WebSocket API’s proxy will be created in our API Gateway.
>>>>>> So the gateway endpoint of that API will be used by the consumer. But, when
>>>>>> a consumer subscribes for a Kafka endpoint API, there won’t be any mediator
>>>>>> like API gateway between them. The Kafka endpoint itself will be used by
>>>>>> the consumer. Still, not all Kafka Streams are free to use. There are
>>>>>> security policies for some Kafka Streams which require certificates to use
>>>>>> those streams. WSO2 APIM will be the provider of those certificates for our
>>>>>> consumers to subscribe to the Kafka streams.
>>>>>>
>>>> So if this was correctly understood, only WebSocket APIs will be
>>>> secured and Throttled through the Gateway, Kafka Streams are only
>>>> registered as APIs to make them more discoverable (and maybe Kafka Streams
>>>> are only exposed as internal APIs). Application on DevPortal is only needed
>>>> when consuming the WebSocket API.
>>>> If the above is correct, the part about APIM providing certificates to
>>>> consume Kafka streams isn't clear. Can you please explain that a bit?
>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,--
>>>>>> *Ziyam Santhosh*
>>>>>> Software Engineering Intern | WSO2
>>>>>>
>>>>>> Email: zi...@wso2.com
>>>>>> Mobile: +94752204021
>>>>>> Web: http://wso2.com
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Nuwan Dias* | Senior Director | WSO2 Inc.
>>>>> (m) +94 777 775 729 | (e) nuw...@wso2.com
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> Architecture@wso2.org
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>
>>>>
>>>>
>>>> --
>>>> *Amila De Silva*
>>>> Software Architect | Associate Director, Engineering - WSO2 Inc.
>>>> (m) +94 775119302 | (e) ami...@wso2.com
>>>>
>>>
>>>
>>> --
>>> *Nuwan Dias* | Senior Director | WSO2 Inc.
>>> (m) +94 777 775 729 | (e) nuw...@wso2.com
>>>
>>
>>
>> --
>> *Ziyam Santhosh*
>> Software Engineering Intern | WSO2
>>
>> Email: zi...@wso2.com
>> Mobile: +94752204021
>> Web: http://wso2.com
>>
>
>
> --
> *Amila De Silva*
> Software Architect | Associate Director, Engineering - WSO2 Inc.
> (m) +94 775119302 | (e) ami...@wso2.com
>


-- 
*Ziyam Santhosh*
Software Engineering Intern | WSO2

Email: zi...@wso2.com
Mobile: +94752204021
Web: http://wso2.com
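
Added example, not part of the original thread or of WSO2's code: a sketch of how the manual step discussed above (binding a subscriber's certificate to read-only or read-and-write access on a topic) could be turned into kafka-acls.sh invocations. The subscription fields, broker address and sample names are assumptions; inputs are validated and returned as argument lists so that nothing from a subscription is ever interpreted by a shell.

```python
import re

# Topic operations for the two access levels named in the thread.
# Describe is added so a client can fetch topic metadata (an assumption here).
TOPIC_OPS = {
    "read-only": ["Read", "Describe"],
    "read-write": ["Read", "Write", "Describe"],
}
# Topic and group names: start alphanumeric (never parsed as an option),
# then letters, digits, '.', '_' and '-'.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,248}")
# Conservative subject-DN shape: comma-separated ATTR=value pairs only.
DN_RE = re.compile(r"[A-Za-z]+=[A-Za-z0-9 ._@-]+(,[A-Za-z]+=[A-Za-z0-9 ._@-]+)*")


def acl_commands(sub, bootstrap="broker.example.internal:9093"):
    """Return kafka-acls.sh argv lists for one subscription."""
    if sub["access"] not in TOPIC_OPS:
        raise ValueError("unknown access level: %r" % sub["access"])
    for field in ("topic", "group"):
        if not NAME_RE.fullmatch(sub[field]):
            raise ValueError("invalid %s name: %r" % (field, sub[field]))
    if not DN_RE.fullmatch(sub["cert_dn"]):
        raise ValueError("invalid certificate subject: %r" % sub["cert_dn"])
    # With SSL client authentication the broker's default principal is the
    # certificate subject DN, so the ACL is bound to "User:<DN>".
    base = ["kafka-acls.sh", "--bootstrap-server", bootstrap, "--add",
            "--allow-principal", "User:" + sub["cert_dn"]]
    ops = [arg for op in TOPIC_OPS[sub["access"]] for arg in ("--operation", op)]
    topic_cmd = base + ops + ["--topic", sub["topic"]]
    # Consuming also requires Read on the consumer group.
    group_cmd = base + ["--operation", "Read", "--group", sub["group"]]
    return [topic_cmd, group_cmd]


# Constructed sample subscription; all names are placeholders.
SAMPLE = {
    "cert_dn": "CN=orders-app,OU=DevPortal,O=Example",
    "topic": "orders.events",
    "group": "orders-app-group",
    "access": "read-only",
}

if __name__ == "__main__":
    for cmd in acl_commands(SAMPLE):
        print(" ".join(cmd))
```

On the broker side this only has an effect when client certificates are required (ssl.client.auth=required) and an authorizer is configured.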