kafka-security-manager

Google Secret Manager as Source

Open brunodomenici opened this issue 4 years ago • 1 comments

Hi,

I do have an internal need to implement Google Secret Manager as Source. I've already implemented the source and I'd like to contribute to the project, if you guys are interested 😄

The idea is to have as many secrets as needed (because we have a 64kb payload limit) in GCP with the contents of ACL and filter by labels (optional), for example:

  • secret-acl-test:
      User:alice,Topic,LITERAL,foo,Read,Allow,*
      User:bob,Group,bar,PREFIXED,Write,Deny,12.34.56.78
      User:peter,Cluster,LITERAL,kafka-cluster,Create,Allow,*
  • secret-acl-tes2:
      User:alice,Topic,LITERAL,foo,Read,Allow,*
      User:jeff,Group,bar,PREFIXED,Write,Deny,12.34.56.78
      User:john,Cluster,LITERAL,kafka-cluster,Create,Allow,*

We query all secrets, apply the filter and return the string with all ACLs (with header):

  KafkaPrincipal,ResourceType,PatternType,ResourceName,Operation,PermissionType,Host
  User:alice,Topic,LITERAL,foo,Read,Allow,*
  User:bob,Group,bar,PREFIXED,Write,Deny,12.34.56.78
  User:peter,Cluster,LITERAL,kafka-cluster,Create,Allow,*
  User:alice,Topic,LITERAL,foo,Read,Allow,*
  User:jeff,Group,bar,PREFIXED,Write,Deny,12.34.56.78
  User:john,Cluster,LITERAL,kafka-cluster,Create,Allow,*

Config:

New config section:

  gcp-secret-manager {
    projectid = ${?SOURCE_GCP_PROJECTID}
    label_filter = ${?SOURCE_GCP_LABEL_FILTER}
  }

Let me know if you are interested, I can open the PR.

Thanks and nice project!

brunodomenici, Jun 03 '20 08:06
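An added sketch of the merge step the issue above describes (not the contributor's implementation and not code from kafka-security-manager): filter secrets by label, concatenate their ACL rows under one header, drop rows repeated across secrets, and report rows that do not fit the seven-column header so the caller can refuse to apply a partial ACL set. The secret names, labels, the `key=value` filter syntax and the function names are assumptions, and secrets are modeled as an in-memory dict so the block runs without GCP access.

```python
import csv
import io

HEADER = ["KafkaPrincipal", "ResourceType", "PatternType", "ResourceName",
          "Operation", "PermissionType", "Host"]
PATTERN_TYPES = {"LITERAL", "PREFIXED"}
PERMISSION_TYPES = {"Allow", "Deny"}

def matches(labels, label_filter):
    """label_filter is 'key=value' (assumed syntax); empty means no filter."""
    if not label_filter:
        return True
    key, _, value = label_filter.partition("=")
    return labels.get(key) == value

def merge_acl_secrets(secrets, label_filter=""):
    """Return (csv_text, rejected) for the secrets that pass the filter."""
    rows, seen, rejected = [], set(), []
    for name in sorted(secrets):                      # deterministic order
        labels, payload = secrets[name]
        if not matches(labels, label_filter):
            continue
        for lineno, row in enumerate(csv.reader(io.StringIO(payload)), 1):
            if not row or row == HEADER:              # blank line or repeated header
                continue
            if (len(row) != len(HEADER) or row[2] not in PATTERN_TYPES
                    or row[5] not in PERMISSION_TYPES):
                rejected.append((name, lineno, ",".join(row)))
                continue
            if tuple(row) not in seen:                # same ACL present in two secrets
                seen.add(tuple(row))
                rows.append(row)
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([HEADER] + rows)
    return out.getvalue(), rejected

# Constructed sample data: secret name -> (labels, payload)
SAMPLE = {
    "acl-team-a": ({"env": "prod"},
        "User:alice,Topic,LITERAL,foo,Read,Allow,*\n"
        "User:peter,Cluster,LITERAL,kafka-cluster,Create,Allow,*\n"),
    "acl-team-b": ({"env": "prod"},
        "User:alice,Topic,LITERAL,foo,Read,Allow,*\n"
        # PatternType and ResourceName swapped: must be rejected, not applied
        "User:carol,Group,bar,PREFIXED,Write,Deny,12.34.56.78\n"),
    "acl-scratch": ({"env": "dev"}, "User:dave,Topic,LITERAL,tmp,Write,Allow,*\n"),
}

print(merge_acl_secrets(SAMPLE, "env=prod")[0])
```

A non-empty `rejected` list is the signal to stop before synchronizing: a dropped `Deny` row leaves the remaining `Allow` rows broader than intended.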

Yes, that would be lovely! Just please make sure to document this properly in the PR :)

Cheers

simplesteph, Jun 03 '20 08:06