Closed balhar-jakub closed 3 weeks ago
There are plenty of areas that we can rebuild and verify piece by piece before fully replacing API Gateway with the Spring Cloud Gateway. Below I am trying to outline the areas that we could split as separate issues.
For the time being, we can keep authentication and authorization in the current implementation and therefore transform the current Gateway into the Authentication and Authorization Service.
These are the areas that we currently support and that are more or less supported by the SCG as well; we just need to properly document how to approach them. They are also not per se required for the basic functionality.
This is a core part of the Gateway functionality, as it is currently used to integrate all southbound services into an SSO-with-MFA experience across all of the Mainframe services. There are two methods available for the northbound caller to authenticate (X509 and JWT token), and then five different ways to authenticate towards the southbound service. These methods are outlined below and can be implemented one by one.
Could be done in another service. Take into account the time taken by the HTTP request itself. This part still needs a bit more testing and verification. Using this approach could allow us to simply repurpose the current Gateway as the AAS.
A more technical breakdown was done by David in https://github.com/zowe/api-layer/issues/1769
The key section is copied below.
This approach facilitates a safe process where the migration can be done on a fully working Gateway.
Stories needed (10):
Breaking changes
Stories needed (18):
These stories can be front-loaded before 1). They hold most of the risk; compared to that, 1) is fairly low risk. If we are able to complete these reasonably fast, we are able to migrate for V2.
(following is optional)
Breaking changes
[SOLVED] External vs internal port
Auditing plugin will break
[SOLVED] Client with and without certificate switching
Seems like there is quite an easy way to achieve this in the end. It is prototyped in the POC. I have tested its stability for memory usage and thread counts and it's very stable.
Use Case
As an API ML engineer, I want to limit the number of old dependencies to prevent security breaches.
As a decision maker, I want to be certain that we use modern tools with a limited risk of security issues.
Technical Requirements
Linked issues
3165
3109
3282
3088
3110
3111
3112