Demonstrate Conduktor Self-Service capabilities using three applications:
Order app: owns all resources starting with order-.
BI app: owns all resources starting with bi. It also showcases that an application can own more than one topic prefix, which is useful when there is no strict topic naming standard on the clusters.
(JDBC) sink-connector app: this application is just a consumer and does not own any resources. Its owners can still request access to topics owned by other applications.
Run the following:
./start.sh
./add_connect.sh
./add_self_serve.sh
source setup_admin_cli.sh
Open two other terminal windows and run
source setup_bi_cli.sh
conduktor apply -f resources/self-serve/bi-app-resources
and
source setup_order_cli.sh
# apply resources but skip intentionally failing resources
for file in $(find resources/self-serve/order-app-resources -type f ! -name 'failing*')
do conduktor apply -f "$file"
done
So now we have admin, bi-app and order-app in separate terminals.
Next we will demonstrate how teams can own their data and projects within a federated control framework, eliminating operational bottlenecks and enabling teams to deliver value faster.
Navigate to the Application Catalog in the Console UI.
Each application has a name, a description and an owner group. If we open the BI app and navigate to the instances tab, we can see that all resources owned by the BI Project Owner group carry the bi- prefix.
Log out and log back in with bob as the user and bob-secret as the password.
Go to Topics to see the topics bob has access to.
Notice that bob has access to all the topics that are part of the BI App, and has also been granted read-only access to the order-validated topic from the Order App team. Navigate to the Produce tab, click Generate once and try to produce the message. You will see that bob does not have the permissions to do so.
Let's take a look at the bi-app.yaml
under the platform team resources directory and view the resources that have been defined by the platform team. You will see that this also inherits a default-dev-topic policy. Let's take a look at that file.
Try to create a topic called bob from the Topics tab. You will see that this fails: as part of the delegation, the owner can only create topics in his namespace (starting with bi-).
Prepare to create a topic called bi-bob
Will it work?
Wait for guesses before clicking.
No! There is actually an additional policy restricting acceptable topic configurations.
Fix the topic spec by setting retention.ms under advanced configuration to a value between 604800000 and 2419000000, then create the topic.
Ok... But what about permission delegation?
Go to your IDE and display ./resources/self-serve/bi-app-resources/groups.yaml
As a Project Owner, you can invite your colleagues or groups to access your application.
No need to ask a central team for access rights.
Projects can autonomously decide who can do what within their micro universe, of course within the boundaries laid out by a central governance team.
As a Project Owner, you can also make a request to access other projects' topics. You remember we had an Order application?
Navigate to Topic Catalog -> order-rejected and click the subscribe button. Subscribe on behalf of the bi-app using the bi-app-dev application instance and press the copy YAML button.
We can request access for the bi-app-dev application instance to get read access to the order-rejected topic, using a git-ops approach.
Switch to your IDE and display the three folders under resources/self-serve
representing the different teams: the bi-app team, the order-app team and the platform team.
Now bob can open a pull request in the Order Team's repo to request access, in the spirit of Infrastructure as Code.
Create the file resources/self-serve/order-app-resources/bi-app-dev-permissions.yaml
then paste the YAML and save the file.
Let's say bob gets impatient and tries to apply this file himself. The middle terminal is using an API key from the bi-app-dev app instance.
From the middle terminal logged into bi-app-dev, run
conduktor apply -f resources/self-serve/order-app-resources/bi-app-dev-permissions.yaml
The bi-app-dev application instance doesn't have permission to change resources belonging to order-app-dev. Let's try again with the right permissions.
From the rightmost terminal logged into order-app-dev, run
conduktor apply -f resources/self-serve/order-app-resources/bi-app-dev-permissions.yaml
Now the resource has been created. Let's go back to Console and see that bob, as a member of
Go to Topics and see that bob can now see the order-rejected topic.
(Optional) Delete the permission and refresh to see the topic disappear. From the right terminal, run
conduktor delete -f resources/self-serve/order-app-resources/bi-app-dev-permissions.yaml
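The guardrails this walkthrough exercises (topic creation limited to the owner's prefix and to a retention.ms range, and permission grants that only the owning application can apply) can be modelled as a local pre-flight check. This is an added example, not Conduktor's or this repository's code: the function names are hypothetical, the app-to-prefix mapping mirrors the demo, and treating the retention bounds as inclusive is an assumption.

```shell
#!/bin/sh
# Added example: local model of the demo's guardrails, not Conduktor code.
# Bounds come from the walkthrough; inclusive comparison is an assumption.
RETENTION_MIN=604800000
RETENTION_MAX=2419000000

# owned_prefixes APP -> space-separated prefixes the application owns
owned_prefixes() {
  case "$1" in
    bi-app)    echo "bi-" ;;      # further BI prefixes are not listed on the page
    order-app) echo "order-" ;;
    *)         echo "" ;;         # e.g. the sink-connector app owns nothing
  esac
}

# owns APP RESOURCE -> 0 if RESOURCE starts with one of APP's prefixes
owns() {
  for p in $(owned_prefixes "$1"); do
    case "$2" in "$p"*) return 0 ;; esac
  done
  return 1
}

# check_topic APP NAME RETENTION_MS -> 0 only if both guardrails pass
check_topic() {
  owns "$1" "$2" || { echo "DENY: $2 is outside $1's namespace"; return 1; }
  case "$3" in
    ''|*[!0-9]*) echo "DENY: retention.ms must be set to an integer"; return 1 ;;
  esac
  if [ "$3" -lt "$RETENTION_MIN" ] || [ "$3" -gt "$RETENTION_MAX" ]; then
    echo "DENY: retention.ms $3 outside $RETENTION_MIN..$RETENTION_MAX"; return 1
  fi
  echo "ALLOW: $1 may create $2"
}

# check_grant CALLER TOPIC -> only the app owning TOPIC may apply a grant on it
check_grant() {
  owns "$1" "$2" || { echo "DENY: $1 does not own $2"; return 1; }
  echo "ALLOW: $1 may grant access to $2"
}

# Replay of the demo's steps (constructed inputs)
check_topic bi-app bob 604800000 || true       # wrong namespace
check_topic bi-app bi-bob "" || true           # retention.ms missing
check_topic bi-app bi-bob 604800000            # passes both checks
check_grant bi-app order-rejected || true      # bob applying it himself
check_grant order-app order-rejected           # applied by the owning team
```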