# At Oracle

## Authorization Framework

- ✅ ↳ Design a flexible Authorization framework
  - [ ] Flexible Model for Customer's Admin (sysadmin Role)
    - [ ] Both Assignee (owner of Admin Role) and Targets (on which it can be applied) are variable
    - [ ] Relationship, i.e. who can do what, should be configurable
  - [ ] Dynamic groups - dynamically/implicitly assigned based on user attributes
    - [ ] Everyone with user.location SFO becomes part of a dynamic group SFO-users
    - [ ] Most used scenario: for creating email groups and security access etc.
  - [ ] Workflow v/s non workflow (Inversion of control - "raise a request" route - unified flow)
    - [ ] e.g. Manager can raise a request for VPN password change for reportee
    - [ ] but Manager cannot raise a request for Laptop change, as it comes in request workflow
  - [ ] Should work with groups and hierarchy
    - [ ] Groups/Orgs have hierarchy in itself
    - [ ] Another notion of hierarchy is reportee relationship
    - [ ] Cycle detection in Orgs
  - [ ] Functionality/Capabilities like AllowManagerToViewAttribute should be configurable
  - [ ] Finite set of Authorization roles with ability to extend existing as well as new roles (30-40)
  - [ ] A Comprehensive Rule Engine
    - [ ] XML based, preloaded in mem
    - [ ] Having Schemas, and validators
    - [ ] Roles, Policy and Rules-Expression
    - [ ] with a GUI (java swing)
    - [ ] Whitelisting, i.e. default Deny, but then OR (|) between all policies
    - [ ] Cache validation/invalidation when Admin roles or membership changes
  - [ ] Having default AdminRoles like LoggedInUserRole
    - [ ] Implicitly get capability to change password for reportee (but not view password/secret)
    - [ ] If PasswordReset action -> Capability Update, Resource: TargetUser, Attribute: password
  - [ ] Policy -> Groups v/s Dynamic Groups v/s Implicit Admin Roles

## Shift Left ↲ LCM (Post release Lifecycle Improvements)

### K8S Infrastructure

- [ ] Install and setup K8S on-prem (kubespray)
- [ ] Developer Platform (Sharing workspaces and Observability)
  - [ ] Customised alerts with PromQL and Slack APIs
  - [ ] Fluentd modification for parsing Java newlines
- [ ] Repeat this on OCI Cloud (Terraform + Hosted services)

### J2EE Monolithic App to K8S

- ✅ App server Optimisations
  - [x] Start time from 11 Minutes to 2 Minutes
    - [ ] Classloading deep dive
    - [ ] Merging multiple app (startup/initialization) listeners to one
    - [ ] Customisations + GUI modifications; may not be needed for Day-0 install
  - [x] ApplicationInitializationListener - Bootstrap Server
- ✅ Simplifying LCM i.e. Install, Patch, Upgrade & re-configure
- ✅ Decoupling hard bound ports of dependent services like SOA and BI Server
  - [ ] Allowing customer ability to dynamically change it later
  - [ ] Autodiscovery of lot of "Reasonable defaults" config values.
  - [ ] Extensive usage of J2EE Management Beans (repl) - To give hooks for managing lifecycle stuff.
- ✅ Containerisation (Don't try to boil the ocean)
  - [x] Decoupling with installer
    - [ ] from UI based to command line installer
    - [ ] Installer had no APIs, just GUI
    - [ ] Lots of Managed beans calls and XML modifications on the go
    - [ ] J2EE security configuration (JAAS) and much more
    - [ ] IPC for multiple process/servers to sync and changes in startup module
    - [ ] post startup calls have a dependency on server start-up
  - [x] Binary size reduction from 4Gb to 230 Mb
    - [ ] Using shared Library concept of J2EE Containers
    - [ ] Separating mountable storage with necessary storage [connectors]
  - [x] Repository Creation (Database migrations)
    - [ ] admin v/s non admin mode

``[Not all problems could ever be solved]``

### Kubernetes

- ✅ Using J2EE Operator and CRD [Clusters + Servers + Domains + Apps + JDBC + Config]
  - [ ] Ability to do scale-in and scale-out using just a curl/webhook
  - [ ] Ability to run Managed beans with webhooks/curl

### Installer CLI

- A golang based CLI to orchestrate everything
- Single input via config-file and run the cli, it installs everything on K8S with Observability
- Terraform
  - [ ] Get/Create `VCN/VPC Subnets and Rules/ACL, K8S cluster` and `node-pools`
  - [ ] Setup needed `DNS entry, Auth Roles, Keys, LoadBalancers` and `RDBMS`
  - [ ] Use golang cli to install the entire app on that K8S.
  - [ ] Internal Endpoints (non LB) for app management and LCM and utilities.
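
Returning to the Authorization Framework notes above: a small sketch of the whitelist evaluation they describe (default deny, OR across policies, dynamic groups derived from user attributes, the implicit manager capability on TargetUser.password). This is an added example, not code from the original XML-based framework; the user names, policy names, the `ViewLocation` and `ViewPassword` actions, and the transitive manager check with its cycle guard are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample directory: "manager" encodes the reportee hierarchy.
USERS = {
    "alice": {"location": "SFO", "manager": None},
    "bob":   {"location": "SFO", "manager": "alice"},
    "carol": {"location": "NYC", "manager": "bob"},
}
# Dynamic groups: membership is computed from attributes, never stored.
DYNAMIC_GROUPS = {"SFO-users": lambda u: u["location"] == "SFO"}

def manages(actor, target, users=USERS):
    """True if actor sits above target in the reportee chain; raises on a cycle."""
    seen, cur = set(), users[target]["manager"]
    while cur is not None:
        if cur in seen:                      # hierarchy data is corrupt: fail closed
            raise ValueError(f"cycle in hierarchy at {cur}")
        seen.add(cur)
        if cur == actor:
            return True
        cur = users[cur]["manager"]
    return False

@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[str, str], bool]      # (actor, target) -> actor is an assignee
    capability: str                          # e.g. "Update", "View"
    attribute: str                           # attribute of the TargetUser resource

POLICIES = [
    # Implicit admin role: a manager may update (reset) a reportee's password.
    Policy("ManagerPasswordReset", manages, "Update", "password"),
    # Dynamic-group policy (assumed): SFO-users may view any user's location.
    Policy("SfoViewLocation",
           lambda a, t: DYNAMIC_GROUPS["SFO-users"](USERS[a]), "View", "location"),
]
# Each action resolves to (capability, attribute) on the TargetUser resource.
ACTIONS = {"PasswordReset": ("Update", "password"),
           "ViewPassword": ("View", "password"),
           "ViewLocation": ("View", "location")}

def is_allowed(actor, action, target, policies=POLICIES):
    """Whitelist evaluation: default deny, allow if ANY policy matches (OR)."""
    if action not in ACTIONS or actor not in USERS or target not in USERS:
        return False
    cap, attr = ACTIONS[action]
    return any(p.capability == cap and p.attribute == attr and p.applies(actor, target)
               for p in policies)
```

No policy grants View on `password`, so `ViewPassword` is denied even for a manager who is allowed `PasswordReset`.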
# At Confluent

## Security in cp-ansible

### zookeeper to kafka and kafka to kafka security modes

- ❎ Plaintext v/s ssl v/s mtls v/s SASL (Plain/SSL/Kerberos/) v/s OAuth v/s propagated OAuth
- ❎ RBAC with a separate Metadata Service
- ❎ SSL certificates with multiple options
  - [ ] Auto-generate everything
    - with default configs
    - with customer provided security configs
  - Customer provided certs and keys
  - Customer provided Keystores and Truststores with cert/key alias
- [ ] SASL
  - Plain
  - SSL
  - GSSAPI/kerberos
- [ ] OAuth
- [ ] Managing and deploying a Connector plugin (ansible module)

### From zookeeper to kraft

- ✅ New Install
- ✅ Migrate a customer from no zookeeper to zookeeper based setup
- ✅ IAAC - keep the input file just as your infrastructure should look like

# Failures

- ❎ Build issues
  - [ ] having no unit tests for build pipelines
- ❎ Using premature open source tools (promising and evolving)
  - fluentd, es-operator, traefik
- ❎ Running Databases (StatefulSets) on Kubernetes
  - Elasticsearch and kafka
- ❎ Changing a minuscule property or approach (how property is derived)
  - which has a very wide impact
  - without knowing the entire scope of the problem.