Closed maltesander closed 1 year ago
Currently:
authentication:
method:
authenticationClass: ldap
Should be:
authentication:
- authenticationClass: ldap
not applicable?
Minor addition to the above: the airflow secret also contains credentials for a Redis connection (this is needed when using the CeleryExecutor
- currently the only implementation, soon to be augmented by a KubernetesExecutor
- as it queues the jobs to be distributed to the workers). This connection can/should also be removed from the secret, though it's not strictly a database connection. Maybe rename "Database connection" to "Sink Connection", "Backend connection" etc.?
After a discussion with @lfrancke we want to consolidate the way we handle encryption, authentication and authorization. This means having a unified global structure across all operators.
This will result in breaking changes for the released versions of ZooKeeper and Superset according to the feature tracker.
Problem
1. Mixing encryption and authentication
Currently Kafka and Zookeeper mix TLS encryption and authentication as follows (see the
client_authentication part
):This was ok for now since we did not support any other authentication methods.
Now if we want to support different authentication methods e.g. LDAP, this will get a little messy.
2. No global top level config
Other products do not use a "global" config. Authentication (LDAP) resides in the top level, OPA discovery configmap (authorization) as well. Example from superset:
This should be consistent across all operators.
Proposed solution
Therefore we propose the following clean "common" operator config (we need to discuss what we could move to operator-rs), where we clearly separate encryption, authentication and authorization:
Outcome
We decided to use the following spec (example represents mostly Trino/Superset, mixed with random fields). This should be properly refined in the sub tickets for each operator.
Since all operators are currently inconsistent, we decided to implement a final approach for the Druid operator. Druid because it has a clean slate regarding TLS and Authentication and is able to use OPA as well.
The final approach (concerning authentication) are the fields annotated with
(2)
. This is our most sophisticated approach and therefore will be prototyped on Druid.Furthermore all top level configuration parameters except version/image (Deepstorage, S3, Discovery configmaps etc.) should be moved under the clusterConfig top level.
Tasks
Note: Github Taskslist may break the order, check before pulling new tasks in!
Followups