confluentinc / cp-ansible

Ansible playbooks for the Confluent Platform
Apache License 2.0

mds is not superuser #712

Open AdamSzendrei opened 3 years ago

AdamSzendrei commented 3 years ago

I have the following hosts.yaml:

    rbac_enabled: true

    mds_super_user: mds
    mds_super_user_password: password
    kafka_broker_ldap_user: bro
    kafka_broker_ldap_password: password
    schema_registry_ldap_user: reg
    schema_registry_ldap_password: password
    ksql_ldap_user: ksql
    ksql_ldap_password: password
    control_center_ldap_user: cce
    control_center_ldap_password: password

    create_mds_certs: false
    token_services_public_pem_file: /vagrant/ssl/mds.publickey.pem
    token_services_private_pem_file: /vagrant/ssl/mds.tokenkeypair.pem

    kafka_broker_cluster_name: broker-cluster
    schema_registry_cluster_name: schema-registry-cluster
    ksql_cluster_name: ksql-cluster

    kafka_broker_principal: User:mds

    confluent_server_enabled: true
    kafka_broker_schema_validation_enabled: true

server.properties: super.users=User:mds;User:admin

but when I log in to Control Center as mds I don't see the cluster. If I log in with other LDAP users I see the corresponding component (for instance, as user bro I see the broker cluster).

With mds I get:

No clusters found
You need to configure Control Center so it knows how to connect to your Kafka cluster(s).

I checked the control center log files and I see the following:

[2021-07-02 14:05:10,513] INFO [qtp234988139-231] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka/display/stream-monitoring HTTP/1.1" 200 55  78 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,518] INFO [qtp234988139-221] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/connect HTTP/1.1" 200 2  3 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,546] INFO [qtp234988139-108] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka HTTP/1.1" 200 2  26 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,572] INFO [qtp234988139-221] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka/display/CLUSTER_MANAGEMENT HTTP/1.1" 200 55  54 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,573] INFO [qtp234988139-216] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka/display/cluster_management HTTP/1.1" 200 55  132 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,590] INFO [qtp234988139-123] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/schema-registry HTTP/1.1" 200 2  112 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,591] INFO [qtp234988139-236] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka/display/stream-monitoring HTTP/1.1" 200 55  34 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,592] INFO [qtp234988139-233] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka HTTP/1.1" 200 2  23 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,632] INFO [qtp234988139-215] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/metrics/maxtime HTTP/1.1" 200 2  28 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,633] INFO [qtp234988139-220] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/metrics/clusters/status HTTP/1.1" 200 2  27 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,634] INFO [qtp234988139-235] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/ksql HTTP/1.1" 200 2  113 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:14,377] WARN [control-center-heartbeat-0] misconfigured topic=_confluent-command config=segment.bytes value=1073741824 expected=134217728 (io.confluent.controlcenter.healthcheck.HealthCheck)
[2021-07-02 14:05:14,377] WARN [control-center-heartbeat-0] misconfigured topic=_confluent-command config=delete.retention.ms value=86400000 expected=259200000 (io.confluent.controlcenter.healthcheck.HealthCheck)

What did I misconfigure here? Or did I misunderstand something? I expected that if I log in with the mds user I will see all of the assignments and that mds will have all necessary assignments.

JumaX commented 3 years ago

@AdamSzendrei Thanks for the question. MDS is a super user in the context of being able to set up permissions for other users on the Admin API. It is not a super user on, say, KSQL or Control Center, which is why you cannot log in with it. Super users in Confluent Platform are context specific.

So in order to log in to Control Center, you would use the MDS user with the CLI to set up permissions on another user that can access Control Center.
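
The role-binding step described above, as an added example that is not part of the issue or of cp-ansible. It talks to the MDS REST API that the confluent CLI wraps, authenticating as the `mds_super_user` from the hosts.yaml and binding roles to a separate LDAP principal, which is the piece `super.users=User:mds` on the broker does not do (super.users bypasses the broker authorizer, but Control Center only lists clusters the principal holds role bindings on). The endpoint paths, scope keys and role names are taken from the public MDS API; the host, the Kafka cluster ID, the principal `User:alice` and the choice of roles are assumptions to adjust for a real cluster.

```python
"""Grant an LDAP user Control Center access through MDS role bindings.

Added example, not code from cp-ansible or the issue.  Endpoint paths and
scope keys follow the public MDS REST API; host, cluster IDs, principal and
the roles chosen are assumptions for illustration.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

MDS_URL = "https://kafka-broker:8090"          # assumed metadata listener
MDS_USER, MDS_PASSWORD = "mds", "password"     # mds_super_user from hosts.yaml
KAFKA_CLUSTER_ID = "<kafka-cluster-id>"        # placeholder; GET /security/1.0/metadataClusterId
SR_CLUSTER, KSQL_CLUSTER = "schema-registry-cluster", "ksql-cluster"   # names from hosts.yaml

Request = Tuple[str, str, dict]   # (HTTP method, path, JSON body)


def cluster_scope(kafka_cluster_id: str, schema_registry: Optional[str] = None,
                  ksql: Optional[str] = None, connect: Optional[str] = None) -> dict:
    """Scope object for a binding: kafka-cluster is mandatory, the optional keys
    narrow the binding to one component cluster registered with MDS."""
    clusters = {"kafka-cluster": kafka_cluster_id}
    if schema_registry:
        clusters["schema-registry-cluster"] = schema_registry
    if ksql:
        clusters["ksql-cluster"] = ksql
    if connect:
        clusters["connect-cluster"] = connect
    return {"clusters": clusters}


def role_binding_request(principal: str, role: str, scope: dict,
                         resource_patterns: Optional[List[dict]] = None) -> Request:
    """Build the POST that creates a cluster-scoped binding, or a resource-scoped
    one when resource_patterns (for example a Topic prefix) is given."""
    who = urllib.parse.quote(principal, safe=":")   # keep User:name readable
    body: dict = {"scope": scope}
    if resource_patterns:
        body["resourcePatterns"] = resource_patterns
    return "POST", f"/security/1.0/principals/{who}/roles/{role}/bindings", body


def role_lookup_request(principal: str, scope: dict) -> Request:
    """Ask MDS which roles the principal holds in this scope (used to verify)."""
    who = urllib.parse.quote(principal, safe=":")
    return "POST", f"/security/1.0/lookup/principals/{who}/roleNames", scope


def plan_control_center_bindings(principal: str, kafka_cluster_id: str) -> List[Request]:
    """Bindings that make the Kafka cluster, its Schema Registry and ksqlDB show up
    for `principal` in Control Center.  The roles are an assumption: pick the
    narrowest that fits (Operator for read-only monitoring, not ClusterAdmin)."""
    return [
        # a cluster-level role on the Kafka cluster is what makes it visible at all
        role_binding_request(principal, "ClusterAdmin", cluster_scope(kafka_cluster_id)),
        # component clusters are addressed by the logical names registered with MDS
        role_binding_request(principal, "SystemAdmin",
                             cluster_scope(kafka_cluster_id, schema_registry=SR_CLUSTER)),
        role_binding_request(principal, "SystemAdmin",
                             cluster_scope(kafka_cluster_id, ksql=KSQL_CLUSTER)),
        # resource-scoped: own only the application's topic prefix, not every topic
        role_binding_request(principal, "ResourceOwner", cluster_scope(kafka_cluster_id),
                             [{"resourceType": "Topic", "name": "app-",
                               "patternType": "PREFIXED"}]),
    ]


def mds_call(req: Request, user: str, password: str, base_url: str = MDS_URL,
             ctx: Optional[ssl.SSLContext] = None) -> Tuple[int, object]:
    """Send one request with HTTP Basic auth (LDAP-backed in this setup);
    MDS answers 204 with an empty body when a binding is created."""
    method, path, body = req
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    http_req = urllib.request.Request(
        base_url + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(http_req, context=ctx) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    principal = "User:alice"   # assumed LDAP user that will log in to Control Center
    for req in plan_control_center_bindings(principal, KAFKA_CLUSTER_ID):
        status, _ = mds_call(req, MDS_USER, MDS_PASSWORD)   # run as the MDS super user
        print(req[0], req[1], status)
    # verify: only roles actually bound come back; super.users membership does not
    print(mds_call(role_lookup_request(principal, cluster_scope(KAFKA_CLUSTER_ID)),
                   MDS_USER, MDS_PASSWORD))
```

The lookup at the end is the check worth keeping: run it for `User:mds` against the same scope and it returns no roles, which matches the empty cluster lists Control Center logged for that user, whereas `User:cce` from the hosts.yaml has bindings because cp-ansible created them for the Control Center service principal.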

AdamSzendrei commented 3 years ago

@JumaX Thanks for your answer. I thought that if I used the configuration above I would get a running system "out of the box".

I was surprised that, for instance, LDAP user bro doesn't have any assignments, but other LDAP users do. Actually I thought some of the assignments were missing, because some assignments, like those for LDAP users cce, reg and ksql, have been created.

JumaX commented 3 years ago

@AdamSzendrei it's confusing, I agree. The challenge we have is that giving you a superuser that can access all services/systems out of the box is a big security issue. I've opened a ticket to see if we can add this but make it more toggleable.