Make the Kafka rules more generic.

[manalibhutiyani]

Currently we have Kafka policy rules which are pretty low-level and pertaining to the Kafka protocol. This will be difficult/unnecessary for users. Instead of having apiKEY and everything relating to produce/fetch keys whitelisted, we should have a more generic produce topic / consume topic rule and leave the kafka protocol key handling to the cilium daemon.

Parent : #2594

Proposed structure:

// PortRuleKafka is a list of Kafka protocol constraints. All fields are
// optional, if all fields are empty or missing, the rule will match all
// Kafka messages.
type PortRuleKafka struct {
	// APIVersion is the version matched against the api version of the
	// Kafka message. If set, it has to be a string representing a positive
	// integer.
	//
	// If omitted or empty, all versions are allowed.
	//
	// +optional
	APIVersion string `json:"apiVersion,omitempty"`

	// APIKey is a case-insensitive string matched against the key of a
	// request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al
	// Reference: https://kafka.apache.org/protocol#protocol_api_keys
	//
	// If omitted or empty, all keys are allowed.
	//
	// +optional
	APIKey string `json:"apiKey,omitempty"`

	// ClientID is the client identifier as provided in the request.
	//
	// From Kafka protocol documentation:
	// This is a user supplied identifier for the client application. The
	// user can use any identifier they like and it will be used when
	// logging errors, monitoring aggregates, etc. For example, one might
	// want to monitor not just the requests per second overall, but the
	// number coming from each client application (each of which could
	// reside on multiple servers). This id acts as a logical grouping
	// across all requests from a particular client.
	//
	// If omitted or empty, all client identifiers are allowed.
	//
	// +optional
	ClientID string `json:"clientID,omitempty"`

	// Topic is the topic name contained in the message. If a Kafka request
	// contains multiple topics, then all topics must be allowed or the
	// message will be rejected.
	//
	// This constraint is ignored if the matched request message type
	// doesn't contain any topic. Maximum size of Topic can be 249
	// characters as per recent Kafka spec and allowed characters are
	// a-z, A-Z, 0-9, -, . and _
	// Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10
	// version the length was changed from 255 to 249. For compatibility
	// reasons we are using 255
	//
	// If omitted or empty, all topics are allowed.
	//
	// +optional
	Topic string `json:"topic,omitempty"`

	// Role is a case-insensitive string and describes a group of API keys
	// necessary to perform certain higher level Kafka operations such as "produce"
	// or "consume". An APIGroup automatically expands into all APIKeys required
	// to perform the specified higher level operation.
	//
	// The following values are supported:
	//  - "produce": Allow producing to the topics specified in the rule
	//  - "consume": Allow consuming from the topics specified in the rule
	//
	// This field is incompatible with the APIKey field, either APIKey or Role
	// may be specified.
	//
	// If omitted or empty, the field has no effect and the logic of the APIKey
	// field applies.
	//
	// +optional
	Role string `json:"Role,omitempty"`

	// --------------------------------------------------------------------
	// Private fields. These fields are used internally and are not exposed
	// via the API.

	// apiKeyInt is the integer representation of APIKey
	apiKeyInt KafkaRole

	// apiVersionInt is the integer representation of APIVersion
	apiVersionInt *int16
}
type KafkaRole []int16

The user can only specify either Role or APIKey. apiKeyInt of type KafkaRole is the private cached value which will either have a single element when APIKey is specified or a list of allowed elements if Role is specified. These allowed elements are basically a blowup of all the needed/supporting apiKeys for produce and consume. Rest of the logic stays the same.

[manalibhutiyani]

Proposal:

// optional, if all fields are empty or missing, the rule will match all
// Kafka messages.
type PortRuleKafka struct {

	// Action is a case-insensitive string matched against the
	// kafka action, e.g. "produce" or "consume"
	//
	// If omitted or empty, all actions are allowed.
	//
	// +optional
	Action string `json:"action,omitempty"`

	// Topic is the topic name contained in the message. If a Kafka request
	// contains multiple topics, then all topics must be allowed or the
	// message will be rejected.
	//
	// This constraint is ignored if the matched request message type
	// doesn't contain any topic. Maximum size of Topic can be 249
	// characters as per recent Kafka spec and allowed characters are
	// a-z, A-Z, 0-9, -, . and _
	// Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10
	// version the length was changed from 255 to 249. For compatibility
	// reasons we are using 255
	//
	// If omitted or empty, all topics are allowed.
	//
	// +optional
	Topic string `json:"topic,omitempty"`

	// --------------------------------------------------------------------
	// Private fields. These fields are used internally and are not exposed
	// via the API.

	// action is the integer representation of Action (0 for invalid,
	// 1 for produce and 2 for consume)
	actionInt *int16
}

[manalibhutiyani]

@tgraf @rlenglet : Thoughts?

[tgraf]

I think we should keep the existing fields to allow for full control and add a new field which then expands automatically.

	// APIGroup is a case-insensitive string and describes a group of API keys
        // necessary to perform certain higher level Kafka operations such as "produce"
        // or "consume". An APIGroup automatically expands into all APIKeys required
        // to perform the specified higher level operation.
        //
        // The following values are supported:
        //  - "produce": Allow producing to the topics specified in the rule
        //  - "consume": Allow consuming from the topics specified in the rule
	// 
        // This field is incompatible with the APIKey field, either APIKey or APIGroup
        // may be specified.
	//
	// If omitted or empty, the field has no effect and the logic of the APIKey
        // field applies.
	//
	// +optional
	APIGroup string `json:"apiGroup,omitempty"`

[rlenglet]

Agree with @tgraf about defining an extra field.

However, I'd choose another name for the APIGroup. How about Role? ClientRole?
Then I'd specify the values of that field as:

• producer (to be consistent with the name of Kafka's Producer API)
• consumer (to be consistent with the name of Kafka's Consumer API)
• broker
• controller
  etc.

Also specify the semantics of the combination of APIVersion/APIKey and Role: is it a conjunction / union of the rule's APIVersion+APIKey and the expansion of the Role? or does APIVersion+APIKey restrict the Role?

[manalibhutiyani]

I am not sure how broker and controller will behave? What kind of action is applied for broker/controller from clients app pods? Also adding @danwent in the discussion.

[tgraf]

However, I'd choose another name for the APIGroup. How about Role? ClientRole?

I'm fine with Role as well as long as it is clear how it interacts with the other fields such as Topic.

[jrfastab]

@rlenglet I think if APIVersion/APIKey/Role are specified its a logical AND operation over the keys. So for example if

APIVersion = 1
APIKey = 0
Role = "producer"

Then we would not match cases with APIKey = 1. If the user wants a logical OR operation on the keys then we need a new symbol to specify this in the config IMO. But the default should be the more restrictive AND operation.

Also "Role" in this context is a higher level concept right? Does it really belong in the low-level rule matching data structure. Perhaps "roles" should generate a low-level config. This gives us the flexibility to create role templates as needed.

[rlenglet]

@jrfastab I'm ok about logical AND. And we're on the same page re: each Role being expanded into a lower-level config (a set of APIKey + optional APIVersion) rules implicitly behind the scene. We can start with just producer and consumer, and define new ones in new Cilium version, e.g. broker and controller once we have a better idea of the kinds of requests they send.

I think the expansion of roles can be done in the pkg.policy repository when resolving policies.