Add Role based grain placement

2025-09-18 20:17:28 +07:00
parent 530dd83daa
commit c2f3734021
16 changed files with 404 additions and 18 deletions
--- a/assets/Todo-Security.md
+++ b/assets/Todo-Security.md
@@ -0,0 +1,189 @@
+# 🔒 Orleans Cluster Security Implementation Checklist
+
+## **Phase 1: Network Infrastructure Security** ⚡
+
+### **1.1 Network Configuration**
+- [ ] **Set up private network** (10.x.x.x or 192.168.x.x range)
+- [ ] **Configure VPN** between trading and compute servers
+- [ ] **Assign static IPs** to both servers
+- [ ] **Document network topology** and IP assignments
+
+### **1.2 Firewall Configuration**
+- [ ] **Trading Server Firewall Rules:**
+  - [ ] Allow PostgreSQL port (5432) from compute server
+  - [ ] Allow Orleans silo port (11111) from compute server
+  - [ ] Allow Orleans gateway port (30000) from compute server
+  - [ ] Block all other incoming connections
+- [ ] **Compute Server Firewall Rules:**
+  - [ ] Allow PostgreSQL port (5432) from trading server
+  - [ ] Allow Orleans silo port (11121) from trading server
+  - [ ] Allow Orleans gateway port (30010) from trading server
+  - [ ] Block all other incoming connections
+- [ ] **Database Server Firewall Rules:**
+  - [ ] Allow PostgreSQL port (5432) from both servers only
+  - [ ] Block all other incoming connections
+
+## **Phase 2: Orleans Configuration Security** ⚙️
+
+### **2.1 Environment Variables**
+- [ ] **Trading Server Environment:**
+  ```bash
+  export SILO_ROLE=Trading
+  export EXTERNAL_IP=192.168.1.100
+  export TASK_SLOT=1
+  export POSTGRESQL_ORLEANS="Host=db-server;Database=orleans;Username=user;Password=secure_password"
+  ```
+- [ ] **Compute Server Environment:**
+  ```bash
+  export SILO_ROLE=Compute
+  export EXTERNAL_IP=192.168.1.101
+  export TASK_SLOT=2
+  export POSTGRESQL_ORLEANS="Host=db-server;Database=orleans;Username=user;Password=secure_password"
+  ```
+
+### **2.2 Code Configuration Updates**
+- [ ] **Add NetworkingOptions security:**
+  ```csharp
+  .Configure<NetworkingOptions>(options =>
+  {
+      options.OpenTelemetryTraceParent = false;
+  })
+  ```
+- [ ] **Enhance MessagingOptions:**
+  ```csharp
+  .Configure<MessagingOptions>(options =>
+  {
+      options.ResponseTimeout = TimeSpan.FromSeconds(60);
+      options.DropExpiredMessages = true;
+      options.MaxMessageBodySize = 4 * 1024 * 1024;
+      options.ClientSenderBuckets = 16;
+  })
+  ```
+- [ ] **Add cluster membership security:**
+  ```csharp
+  .Configure<ClusterMembershipOptions>(options =>
+  {
+      options.EnableIndirectProbes = true;
+      options.ProbeTimeout = TimeSpan.FromSeconds(10);
+      options.DefunctSiloCleanupPeriod = TimeSpan.FromMinutes(1);
+      options.DefunctSiloExpiration = TimeSpan.FromMinutes(2);
+  })
+  ```
+
+## **Phase 3: Database Security** 🗄️
+
+### **3.1 PostgreSQL Security**
+- [ ] **Create dedicated Orleans user:**
+  ```sql
+  CREATE USER orleans_user WITH PASSWORD 'secure_password';
+  GRANT ALL PRIVILEGES ON DATABASE orleans TO orleans_user;
+  ```
+- [ ] **Enable SSL/TLS for PostgreSQL:**
+  ```bash
+  # In postgresql.conf
+  ssl = on
+  ssl_cert_file = 'server.crt'
+  ssl_key_file = 'server.key'
+  ```
+- [ ] **Configure pg_hba.conf:**
+  ```bash
+  # Only allow connections from specific IPs
+  host    orleans    orleans_user    192.168.1.100/32    md5
+  host    orleans    orleans_user    192.168.1.101/32    md5
+  ```
+
+### **3.2 Connection String Security**
+- [ ] **Use encrypted connection strings** (Azure Key Vault, AWS Secrets Manager)
+- [ ] **Rotate database passwords** regularly
+- [ ] **Monitor database access logs**
+
+## **Phase 4: Application Security** 🛡️
+
+### **4.1 Logging & Monitoring**
+- [ ] **Add security event logging:**
+  ```csharp
+  .ConfigureLogging(logging =>
+  {
+      logging.AddFilter("Orleans", LogLevel.Information);
+      logging.AddFilter("Microsoft.Orleans", LogLevel.Warning);
+  })
+  ```
+- [ ] **Set up cluster health monitoring**
+- [ ] **Configure alerting for cluster membership changes**
+- [ ] **Log all grain placement decisions**
+
+### **4.2 Access Control**
+- [ ] **Implement server authentication** (optional)
+- [ ] **Add grain-level authorization** (if needed)
+- [ ] **Set up audit logging** for sensitive operations
+
+## **Phase 5: Advanced Security (Optional)** 🔐
+
+### **5.1 TLS/SSL Encryption**
+- [ ] **Generate SSL certificates** for Orleans communication
+- [ ] **Configure TLS in Orleans:**
+  ```csharp
+  .Configure<NetworkingOptions>(options =>
+  {
+      options.UseTls = true;
+      options.TlsCertificate = "path/to/certificate.pfx";
+  })
+  ```
+- [ ] **Set up certificate rotation** process
+
+### **5.2 Container Security (if using Docker)**
+- [ ] **Use non-root users** in containers
+- [ ] **Scan container images** for vulnerabilities
+- [ ] **Implement container network policies**
+- [ ] **Use secrets management** for sensitive data
+
+## **Phase 6: Testing & Validation** ✅
+
+### **6.1 Security Testing**
+- [ ] **Test cluster connectivity** between servers
+- [ ] **Verify firewall rules** are working correctly
+- [ ] **Test failover scenarios** (server disconnection)
+- [ ] **Validate grain placement** is working correctly
+- [ ] **Test database connection security**
+
+### **6.2 Performance Testing**
+- [ ] **Load test** the cluster with both server types
+- [ ] **Monitor network latency** between servers
+- [ ] **Test grain migration** between servers
+- [ ] **Validate load balancing** is working
+
+## **Phase 7: Documentation & Maintenance** 📚
+
+### **7.1 Documentation**
+- [ ] **Document network architecture**
+- [ ] **Create security runbook**
+- [ ] **Document troubleshooting procedures**
+- [ ] **Create incident response plan**
+
+### **7.2 Ongoing Maintenance**
+- [ ] **Set up regular security audits**
+- [ ] **Schedule password rotation**
+- [ ] **Monitor security logs**
+- [ ] **Update Orleans and dependencies** regularly
+- [ ] **Review and update firewall rules**
+
+## **Priority Levels** 🎯
+
+- **🔴 Critical (Do First):** Network configuration, firewall rules, database security
+- **🟡 Important (Do Second):** Orleans configuration updates, monitoring
+- **🟢 Optional (Do Later):** TLS encryption, advanced access control
+
+## **Estimated Timeline** ⏱️
+
+- **Phase 1-2:** 1-2 days (Network + Orleans config)
+- **Phase 3:** 1 day (Database security)
+- **Phase 4:** 1 day (Application security)
+- **Phase 5:** 2-3 days (Advanced security)
+- **Phase 6:** 1-2 days (Testing)
+- **Phase 7:** Ongoing (Documentation & maintenance)
+
+**Total: 6-9 days for complete implementation**
+
+---
+
+**Note:** Start with Phases 1-3 for basic security, then add advanced features as needed. The most critical items are network isolation and database security.