Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorization Fails When RBAC Role Name Differs from LDAP Group Name #4454

Open
4 tasks done
ahmettortumlu opened this issue May 27, 2024 · 2 comments
Open
4 tasks done
Labels
status/triage Issues pending maintainers triage type/bug Something isn't working

Comments

@ahmettortumlu
Copy link

ahmettortumlu commented May 27, 2024

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for an already existing issues here
  • I've tried running master-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

If RBAC role name is different from LDAP group name, authorization is not working.

Expected behavior

I could give independent names to RBAC roles. Currently, I have to assign the same name to roles with LDAP groups.

Your installation details

I am using kubernetes helm charts for installation. version: 0.7.5 and appVersion: v0.7.1

Here is my helm values yaml:


replicaCount: 1

image:
  registry: registry.address
  repository: provectuslabs/kafka-ui
  tag: "v0.7.1"

service:
  type: NodePort
  port: 80
  targetPort: 80

probes:
  useHttpsScheme: false

autoscaling:
  enabled: false

ingress:
  enabled: false

networkPolicy:
  enabled: false

serviceAccount:
  create: false

env: 
   - name: KAFKA_CONFIG_SANITIZER_ENABLED
     value: "false"

volumeMounts:
  - mountPath: /security-files/
    name: truststore

volumes:
  - name: truststore
    secret:
      secretName: truststore

yamlApplicationConfig:
  auth:
    type: LDAP
  spring:
    ldap:
      admin-password: admin123
      admin-user: adminuser
      base: some=parameters
      group-filter-search-base: (some=parameters)
      urls: ldap://ldap-address
      user-filter-search-base: some=parameters
      user-filter-search-filter: (sAMAccountName={0})      
  oauth2:
    ldap:
      activeDirectory: true
      aсtiveDirectory:
        domain: mydomain.com      
  kafka:
    clusters:
      - bootstrapServers: broker:9092
        kafkaConnect:
          - address: connect-cluster:8083
        name: example-cluster-1
        properties:
          sasl:
            jaas.config:
              org.apache.kafka.common.security.scram.ScramLoginModule required
              username=admin-user password=admin-password;
            mechanism: SCRAM-SHA-512
          security.protocol: SASL_SSL
        readOnly: false

        ssl:
          truststoreLocation: /security-files/truststore.jks
          truststorePassword: secret123


  rbac:
    roles:
      - name: kafka-ui-ldap-group
        subjects:
          - provider: ldap
            type: group
            value: kafka-ui-ldap-group
        clusters:
          - example-cluster-1
        permissions:
          - resource: topic
            value: .*
            actions: [view, messages_read]

          - resource: consumer
            value: .*
            actions: [view]

If rbac.roles.name != rbac.role.subjects.value it fails :)

Steps to reproduce

Deploy kafka-ui with LDAP groups authantication method and do not give same value to rbac role name with LDAP group name.

Screenshots

No response

Logs

No response

Additional context

No response

@ahmettortumlu ahmettortumlu added status/triage Issues pending maintainers triage type/bug Something isn't working labels May 27, 2024
Copy link

Hello there ahmettortumlu! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

@germanosin
Copy link
Contributor

Me and @Haarolean no longer support this repo, don't you mind to post this to https://github.com/kafbat/kafka-ui

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status/triage Issues pending maintainers triage type/bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants