Ansieng 4748 jolokia ep #2194
Ansieng 4748 jolokia ep #2194
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR adds Jolokia access control functionality to secure Jolokia endpoints, particularly for Kafka Controller components during ZooKeeper to KRaft migration. The changes introduce new configuration options for managing Jolokia access control policies and enhance the migration playbook with proper security handling.
- Adds new variables for configuring Jolokia access control with options for custom or default XML policies
- Implements validation logic to ensure proper security configuration when Jolokia is enabled
- Enhances ZK to KRaft migration playbook with endpoint validation and temporary policy deployment/restoration
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| roles/variables/defaults/main.yml | Adds new Jolokia access control configuration variables for global and Kafka Controller-specific settings |
| roles/kafka_controller/templates/kafka_jolokia.properties.j2 | Updates Jolokia properties template to include access control policy configuration |
| roles/kafka_controller/templates/jolokia_access_control_default.xml | Provides default restrictive access control XML policy for Jolokia endpoints |
| roles/common/tasks/config_validations.yml | Implements comprehensive validation logic for Jolokia access control configuration |
| playbooks/ZKtoKraftMigration.yml | Enhances migration playbook with endpoint validation and temporary policy management |
| molecule/zookeeper-digest-rhel/molecule.yml | Updates test configuration to include Jolokia access control settings |
| molecule/mtls-debian12/molecule.yml | Updates test configuration to include Jolokia access control settings |
| password={{kafka_controller_jolokia_password}} | ||
| {% endif %} | ||
| {% if kafka_controller_jolokia_access_control_enabled|bool %} | ||
| policy={{ lookup('file', kafka_controller_jolokia_access_control_file_src_path) | replace('\n', '') | replace(' ', '') }} |
There was a problem hiding this comment.
The policy configuration line removes all newlines and spaces from the XML file, which will likely break XML structure and make it invalid. XML requires proper formatting with spaces and newlines for valid parsing.
| policy={{ lookup('file', kafka_controller_jolokia_access_control_file_src_path) | replace('\n', '') | replace(' ', '') }} | |
| policy={{ lookup('file', kafka_controller_jolokia_access_control_file_src_path) }} |
| - import_playbook: kafka_controller.yml | ||
| tags: migrate_to_dual_write | ||
|
|
||
| #todo:should check if we can hit the jolokia endppint or not, if no the fail and print the error message, continue on yes |
There was a problem hiding this comment.
There's a typo in 'endppint' which should be 'endpoint'.
| #todo:should check if we can hit the jolokia endppint or not, if no the fail and print the error message, continue on yes | |
| #todo:should check if we can hit the jolokia endpoint or not, if no then fail and print the error message, continue on yes |
playbooks/ZKtoKraftMigration.yml
Outdated
|
|
||
| - name: Backup Current Jolokia Access Control XML (if exists) | ||
| copy: | ||
| src: "{{ kafka_controller_jolokia_access_control_dest_path }}" |
There was a problem hiding this comment.
The variable 'kafka_controller_jolokia_access_control_dest_path' is used but not defined in the visible code. This will cause the task to fail.
playbooks/ZKtoKraftMigration.yml
Outdated
|
|
||
| - name: Deploy Temporary Migration-Specific Jolokia Access Control XML | ||
| template: | ||
| src: jolokia_migration_temp.xml.j2 |
There was a problem hiding this comment.
The template 'jolokia_migration_temp.xml.j2' is referenced but this file is not included in the PR changes, which will cause the template task to fail.
| kafka_controller_jolokia_enabled: true | ||
| kafka_controller_jolokia_access_control_enabled: true | ||
| kafka_controller_jolokia_access_control_custom_file_enabled: true | ||
| kafka_controller_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/roles/kafka_controller/templates/jolokia_migration_temp.xml.j2" |
There was a problem hiding this comment.
The path references 'jolokia_migration_temp.xml.j2' which is not included in the PR changes and likely doesn't exist, causing test failures.
| kafka_controller_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/roles/kafka_controller/templates/jolokia_migration_temp.xml.j2" | |
| # kafka_controller_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/roles/kafka_controller/templates/jolokia_migration_temp.xml.j2" |
molecule/mtls-debian12/molecule.yml
Outdated
| jolokia_access_control_enabled: true | ||
| kafka_controller_jolokia_access_control_enabled: true | ||
| kafka_controller_jolokia_access_control_custom_file_enabled: true | ||
| kafka_controller_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/roles/kafka_controller/templates/jolokia_migration_temp.xml.j2" |
There was a problem hiding this comment.
The path references 'jolokia_migration_temp.xml.j2' which is not included in the PR changes and likely doesn't exist, causing test failures.
| kafka_controller_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/roles/kafka_controller/templates/jolokia_migration_temp.xml.j2" | |
| kafka_controller_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/roles/kafka_controller/templates/jolokia_access_control.xml.j2" |
roles/variables/defaults/main.yml
Outdated
| kafka_controller_jolokia_access_control_enabled: "{{ jolokia_access_control_enabled }}" | ||
|
|
||
| ### Boolean to use custom Jolokia access control file for Kafka Controller. Inherits from global setting | ||
| kafka_controller_jolokia_access_control_custom_file_enabled: "{{ jolokia_access_control_custom_file_enabled }}" |
There was a problem hiding this comment.
why do we have this variable for kraft specifically and not other components ?
we can take a call but I think it should either be in all components or not for any component specific.
There was a problem hiding this comment.
Having only one var and not for each component will make it easier to handle. So I think we can remove this kafka controller prefix and use it in all components
| @@ -0,0 +1,24 @@ | |||
| <?xml version="1.0" encoding="utf-8"?> | |||
| <!-- | |||
| Jolokia Access Control Policy for ANSIENG-4748 | |||
There was a problem hiding this comment.
we will be writing this file in user env so no need to write internal ticket number in this file
| - "'kafka_controller' in group_names" | ||
| - kafka_controller_jolokia_enabled|bool | ||
| - kafka_controller_jolokia_access_control_enabled|bool | ||
| - kafka_controller_jolokia_access_control_custom_file_enabled is not defined or kafka_controller_jolokia_access_control_custom_file_enabled is none |
There was a problem hiding this comment.
we have this var defined in defaults so it should never be not defined. So this can be removed.
Also we are we setting default null as default so is this kafka_controller_jolokia_access_control_custom_file_enabled is none true for kafka_controller_jolokia_access_control_custom_file_enabled: null ?
|
|
||
| - name: Set Default Jolokia Access Control File Path - Kafka Controller | ||
| set_fact: | ||
| kafka_controller_jolokia_access_control_file_src_path: "roles/kafka_controller/templates/jolokia_access_control_default.xml" |
There was a problem hiding this comment.
this is not a validation so we can move it to roles/variables/tasks
playbooks/ZKtoKraftMigration.yml
Outdated
| - name: Test Jolokia Migration Endpoint Access (Basic Auth) | ||
| uri: | ||
| url: "{{ 'https' if kafka_controller_jolokia_ssl_enabled|bool else 'http' }}://localhost:{{kafka_controller_jolokia_port}}/jolokia/read/kafka.controller:type=KafkaController,name=ZkMigrationState" | ||
| validate_certs: false |
There was a problem hiding this comment.
we should combine this and no auth into a single task
|
|
||
| - name: Success - Jolokia Endpoint is Accessible | ||
| debug: | ||
| msg: | |
There was a problem hiding this comment.
Can you please attach the result of curl request to jolokia endpoint when the access control.xml file doesnt have the mbean for allowing this request
There was a problem hiding this comment.
"json": {"error": "java.lang.Exception : Reading attribute Verbose is forbidden for MBean kafka.controller:name=ZkMigrationState,type=KafkaController", "redirected": false, "status": 403, "transfer_encoding": "chunked", "url": "http://127.0.0.1:7777/jolokia/read/kafka.controller:name=ZkMigrationState,type=KafkaController"}
roles/variables/defaults/main.yml
Outdated
| kafka_controller_jolokia_access_control_custom_file_enabled: "{{ jolokia_access_control_custom_file_enabled }}" | ||
|
|
||
| ### Full path on Ansible Controller to custom Jolokia access control XML file for Kafka Controller. Inherits from global setting | ||
| kafka_controller_jolokia_access_control_file_src_path: "{{ jolokia_access_control_file_src_path }}" |
There was a problem hiding this comment.
where is the task to move this file to cp node from ansible controller node ?
| jolokia_password: pass | ||
|
|
||
| # Enable Jolokia access control for security | ||
| jolokia_access_control_enabled: true |
There was a problem hiding this comment.
this and above test both are validating same case but we dont have any case for access control enabled false
There was a problem hiding this comment.
it's by default false only, so we need to check for jolokia_access_control_custom_file_enabled true and false, which i have added tc in pr - https://github.com/confluentinc/cp-ansible/pull/2197/files
…ath at correct place
…ath at correct place
Description
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
Fixes # (issue)
Type of change
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
Checklist: