kafbat / kafka-ui

Open-Source Web UI for managing Apache Kafka clusters
https://kafbat.io
Apache License 2.0

RBAC: group type subject for oauth provider (integration with GitLab) #1031

Closed eanikindfi closed 3 weeks ago

eanikindfi commented 3 weeks ago


Is your proposal related to a problem?

Implement a group type subject for the oauth provider to enhance security and provide a more stable production solution.

Describe the feature you're interested in

According to the official documentation, the oauth provider has only 2 types of subjects: user and role. It would be great to add a group type.

Our current configuration with user type subjects through helm-chart:

yamlApplicationConfig:
  auth:
    type: OAUTH2
    oauth2:
      client:
        gitlab:
          clientId: my_id
          clientSecret: my_secret
          client-name: GitLab
          client-authentication-method: client_secret_post
          authorization-grant-type: authorization_code
          authorization-uri: https://my-gitlab.com/oauth/authorize
          issuer-uri: https://my-gitlab.com
          jwk-set-uri: https://my-gitlab.com/oauth/discovery/keys
          user-name-attribute: name
          provider: oauth
          redirect-uri: https://my-kafka.net/login/oauth2/code/gitlab
          scope: openid
          token-uri: https://my-gitlab.com/oauth/token
          custom-params:
            type: oauth
            roles-field: groups
  rbac:
    roles:
      - name: "admins"
        clusters:
          - my-kafka
        subjects:
          - provider: oauth
            type: user
            value: "Paul Atreides"
          - provider: oauth
            type: user
            value: "Viktor Krum"
          - provider: oauth
            type: user
            value: "Razputin Aquato"
        permissions:
        - resource: applicationconfig
          actions: all
        - resource: clusterconfig
          actions: all
        - resource: topic
          value: ".*"
          actions: all
        - resource: consumer
          value: ".*"
          actions: all
        - resource: schema
          value: ".*"
          actions: all
        - resource: connect
          value: ".*"
          actions: all
        - resource: ksql
          actions: all
        - resource: acl
          actions: [ view ]

It works fine, but in theory you can face a security violation where a GitLab user with the same name will get access to Kafbat.

Describe alternatives you've considered

Create a specific GitLab provider with this type of subject and maybe some other types.

Version you're running

v1.1.0 (4cf17a0)

Additional context

helm-chart version = 1.5.0

github-actions[bot] commented 3 weeks ago

Hi eanikindfi! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

Haarolean commented 3 weeks ago

where GitLab user with the same name

To prevent this, replace the user-name-attribute value with the field matching the email, not the username. Docs: https://ui.docs.kafbat.io/configuration/authentication/oauth2

It would be great to add group type.

There's no semantic difference between roles and groups in this case; set the field to whatever you need and we'll extract it as long as it's in a supported format.

Let me know if you have any further questions.
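The change Haarolean suggests, written out as an added example rather than configuration taken from the issue or from the kafbat project: the reporter's helm values with user-name-attribute switched from the display name to the email claim, the user subjects matched on email, and one role subject that reuses the roles-field already present in the reporter's config so that membership in a GitLab group grants the role instead of a hard-coded list of people. The email addresses and the group path are placeholders; that the claim is named email, that the email scope must be requested for it to appear, and the exact form of the group value GitLab returns are assumptions to confirm against the GitLab OIDC documentation.

```yaml
yamlApplicationConfig:
  auth:
    type: OAUTH2
    oauth2:
      client:
        gitlab:
          clientId: my_id
          clientSecret: my_secret
          client-name: GitLab
          client-authentication-method: client_secret_post
          authorization-grant-type: authorization_code
          authorization-uri: https://my-gitlab.com/oauth/authorize
          issuer-uri: https://my-gitlab.com
          jwk-set-uri: https://my-gitlab.com/oauth/discovery/keys
          # Identify the user by the email claim, not the display name:
          # two GitLab accounts can carry the same name, but not the same
          # email. (Assumption: the userinfo claim is called "email".)
          user-name-attribute: email
          provider: oauth
          redirect-uri: https://my-kafka.net/login/oauth2/code/gitlab
          # Assumption: the email scope is needed for the email claim to be
          # returned alongside the openid claims.
          scope: openid,email
          token-uri: https://my-gitlab.com/oauth/token
          custom-params:
            type: oauth
            # unchanged from the reporter's config: the claim that role
            # subjects are matched against
            roles-field: groups
  rbac:
    roles:
      - name: "admins"
        clusters:
          - my-kafka
        subjects:
          # User subjects now carry the email the provider returns
          # (placeholder addresses).
          - provider: oauth
            type: user
            value: "paul.atreides@example.com"
          - provider: oauth
            type: user
            value: "viktor.krum@example.com"
          # A role subject: granted to anyone whose groups claim contains
          # this value, so membership is managed in GitLab rather than in
          # this file (placeholder group path).
          - provider: oauth
            type: role
            value: "kafka/admins"
        permissions:
          - resource: applicationconfig
            actions: all
          - resource: clusterconfig
            actions: all
          - resource: topic
            value: ".*"
            actions: all
          - resource: consumer
            value: ".*"
            actions: all
          - resource: schema
            value: ".*"
            actions: all
          - resource: connect
            value: ".*"
            actions: all
          - resource: ksql
            actions: all
          - resource: acl
            actions: [ view ]
```

After deploying, check the userinfo response your GitLab instance returns for one test account (the claim names and the shape of the groups value) before relying on either the email or the role subject; if the groups claim is absent, the role subject simply never matches and the user falls back to having no role.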