Friday, June 5, 2020

Application troubleshooting continued

Application security:
When a stream processing application is deployed on a stream analytics platform that involves a stream store, the application's access to the data passes through several access control checks. These checks depend on several factors:
1) the way the stream store and analytics platform is deployed (both networking and access control)
2) the way the project is set up with members and permissions (which determine whether an application can run at all)
3) the streams that the application requests access to (both within the project and outside it)

The networking aspect is simple to cover.
Most of the stream store and analytics components, such as the segmentstore and the controller, are deployed as Kubernetes Services.
Services are of four types:
1) Default, aka type ClusterIP, where service traffic is only reachable from inside the K8s cluster
2) NodePort, where the service is exposed on a static port on every node and traffic reaching that port is proxied to the backing pods
3) LoadBalancer, where an external load balancer (a NAT in front of the service) is provisioned
4) ExternalName, where the service maps directly to an external fully qualified DNS name
Regardless of how the service is provisioned, an Ingress resource from K8s is the dedicated, best-practice way to provision and secure external access (host routing and TLS termination).
That is why networking is usually taken care of with Services for internal traffic and an Ingress for external access.
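To turn the point above into a check, the following added example (not code from the original post) reads the JSON that `kubectl get svc,ingress -o json` returns and flags stream store components that are exposed by a NodePort, LoadBalancer or ExternalName Service instead of ClusterIP plus an Ingress, and Ingress objects that carry no TLS section. The component names, namespace and the sample JSON are constructed for illustration and are not from any particular deployment.

```python
"""Classify how stream store / analytics services are exposed from kubectl
JSON output. Added example; names below are constructed assumptions."""
import json

# Components that hold stream data or metadata. They should only be reachable
# from outside the cluster through a TLS-terminating ingress, never directly.
INTERNAL_COMPONENTS = ("segmentstore", "controller")

# Service types that make a service reachable from outside the cluster.
EXTERNAL_TYPES = {"NodePort", "LoadBalancer", "ExternalName"}

# Constructed sample of `kubectl get svc,ingress -n stream-platform -o json`,
# trimmed to the fields this check reads.
SAMPLE_KUBECTL_JSON = """
{"items": [
  {"kind": "Service", "metadata": {"name": "stream-store-segmentstore"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 12345}]}},
  {"kind": "Service", "metadata": {"name": "stream-store-controller"},
   "spec": {"type": "NodePort", "ports": [{"port": 9090, "nodePort": 30090}]}},
  {"kind": "Service", "metadata": {"name": "api-gateway"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
  {"kind": "Ingress", "metadata": {"name": "controller-ingress"},
   "spec": {"tls": [{"hosts": ["controller.example.internal"], "secretName": "controller-tls"}],
            "rules": [{"host": "controller.example.internal"}]}},
  {"kind": "Ingress", "metadata": {"name": "gateway-ingress"},
   "spec": {"rules": [{"host": "gateway.example.internal"}]}}
]}
"""


def component_of(service_name):
    """Map a service name to the internal component it fronts, or None."""
    for component in INTERNAL_COMPONENTS:
        if component in service_name:
            return component
    return None


def audit_exposure(kubectl_json):
    """Return findings as (severity, object_name, message) tuples, in input order."""
    items = json.loads(kubectl_json)["items"]
    findings = []
    for item in items:
        kind = item["kind"]
        name = item["metadata"]["name"]
        spec = item.get("spec", {})
        if kind == "Service":
            # Kubernetes defaults an omitted type to ClusterIP.
            svc_type = spec.get("type", "ClusterIP")
            component = component_of(name)
            if svc_type in EXTERNAL_TYPES and component:
                findings.append(("HIGH", name,
                                 f"{component} exposed via {svc_type}; use ClusterIP plus an Ingress"))
            elif svc_type in EXTERNAL_TYPES:
                findings.append(("INFO", name, f"externally reachable via {svc_type}"))
        elif kind == "Ingress":
            if not spec.get("tls"):
                findings.append(("MEDIUM", name,
                                 "Ingress has no tls section; external traffic is unencrypted"))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit_exposure(SAMPLE_KUBECTL_JSON):
        print(f"{severity:6} {name}: {message}")
```

Run it against a live cluster by piping `kubectl get svc,ingress -n <namespace> -o json` into `audit_exposure`; a HIGH finding on the segmentstore or controller means the access control checks described later in this post can be bypassed at the network layer, and the fix is to switch the Service back to ClusterIP and route external clients through the Ingress.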

Access control is provided with separate credentials for the stream store and for the stream analytics platform.
Stream store access is secured for all applications in the project in a uniform way, but an application can supply its connector configuration with specific credentials, such as a username/password, to connect to the stream store, or optionally turn off other access-related validations.
The credential used by the application is for the use of the data in the stream store. The credential used to deploy the application pertains to the stream analytics project and requires the project administrator to authorize the user to deploy the application. Typically the user is made a project member, a role that allows them to deploy and run the application.
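As an added example of keeping the two credentials separate (this is not code from the original post or from any particular platform), the function below assembles the stream store connector configuration for an application from environment variables that a Kubernetes Secret would project into the pod, and fails closed if the option to switch off access validation is set without the caller explicitly allowing it. The variable names, option keys and the constructed environment are assumptions.

```python
"""Build a stream store connector configuration from a projected Secret.
Added example; variable names and option keys are assumptions."""

# Assumed environment variable names. In the pod spec these would be filled
# from a Secret with env.valueFrom.secretKeyRef, not from the deploy credential.
STORE_USER_VAR = "STREAM_STORE_USERNAME"
STORE_PASS_VAR = "STREAM_STORE_PASSWORD"
SKIP_VALIDATION_VAR = "STREAM_STORE_SKIP_ACCESS_VALIDATION"


class ConnectorConfigError(ValueError):
    """Raised when the connector configuration would be unsafe or incomplete."""


def build_connector_config(env, controller_uri, allow_skip_validation=False):
    """Return a dict of connector settings for the stream store.

    Raises ConnectorConfigError if the credential is incomplete, or if access
    validation has been switched off without the caller opting in, so a
    debugging setting cannot silently reach a production deployment.
    """
    username = env.get(STORE_USER_VAR, "").strip()
    password = env.get(STORE_PASS_VAR, "")
    if not username or not password:
        raise ConnectorConfigError(
            f"stream store credential incomplete: set {STORE_USER_VAR} and {STORE_PASS_VAR}")

    skip = env.get(SKIP_VALIDATION_VAR, "false").strip().lower() in {"1", "true", "yes"}
    if skip and not allow_skip_validation:
        raise ConnectorConfigError(
            f"{SKIP_VALIDATION_VAR} is set but disabling access validation is not allowed here")

    return {
        "controller.uri": controller_uri,        # assumed option key
        "auth.enabled": True,                    # assumed option key
        "auth.username": username,               # assumed option key
        "auth.password": password,               # assumed option key
        "access.validation": not skip,           # assumed option key
    }


def redacted(config):
    """Copy of the config that is safe to log: the password never appears."""
    return {k: ("***" if k.endswith("password") else v) for k, v in config.items()}


# Constructed environment standing in for what the Secret would project.
SAMPLE_ENV = {STORE_USER_VAR: "app-reader", STORE_PASS_VAR: "constructed-secret"}

if __name__ == "__main__":
    cfg = build_connector_config(SAMPLE_ENV, "tls://stream-store-controller.stream-platform.svc:9090")
    print(redacted(cfg))
```

The deploy credential (the project member's identity) never enters this function: it is consumed by the analytics platform when the application is submitted, while the stream store sees only the username/password from the Secret. Logging through `redacted` keeps the password out of troubleshooting output.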
