kafbat / kafka-ui

Open-Source Web UI for managing Apache Kafka clusters
http://ui.docs.kafbat.io
Apache License 2.0

RBAC for ACL Management #288

Open joelpavlovsky opened 5 months ago

joelpavlovsky commented 5 months ago


Is your proposal related to a problem?

Today we can set the ACL RBAC action only for view & edit, and we don't have the option to set the value or some specific ACL action (e.g. ACL type, Resource type).

### Current RBAC role config

```yaml
        - resource: acl
          actions: [view, edit]
```

Describe the feature you're interested in

We need the ability to set actions & values for each RBAC role and ACL resource/type:

- Resource type
- actions:
- value: (for custom_acl, edit & view, filter by resource type)

For Example:

### Requested RBAC role config

```yaml
        - resource: acl
          value: ["TOPIC", "GROUP"]
          actions: [view, edit, custom_acl, producer_acl, consumer_acl]
```

Describe alternatives you've considered

No response

Version you're running

v1.0.0

Additional context

No response

github-actions[bot] commented 5 months ago

Hi joelpavlovsky! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

Haarolean commented 5 months ago

Hi, this is not possible mainly because custom ACL types (or presets) exist only as a convenience feature, and they're indistinguishable from the other ACL records once they've been created in zookeeper.

joelpavlovsky commented 5 months ago

Thank you for your response.

The issue arises when a user only has permissions as a cluster reader, restricting them from altering cluster settings or configurations, thereby unable to "destroy" the cluster. However, in cases where I granted permissions for the client to create or edit ACLs, they can create a custom ACL with cluster alter configurations, potentially leading to unintended actions or mistakes.

My suggestion is to introduce an option to conceal the "custom ACL" feature, allowing users to only assign producer or consumer ACLs. This enhancement would provide added protection for the client, enabling them to implement only essential ACLs, such as producer or consumer permissions.
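The gap described in this thread, a role that is read-only on the cluster but may still write ACLs, and the maintainer's point that a preset ACL is just another binding once created, can both be checked on the defender's side. The following is an added example, not code from kafka-ui or from anyone in this thread. It assumes a role layout following kafka-ui's RBAC config (`permissions[]` entries with `resource`, optional `value` and `actions`; only `resource: acl` with `view`/`edit` appears on the page, the `clusterconfig` and `topic` resource names are an assumption), and it parses a constructed listing shaped like `kafka-acls --list` output. The sample roles and ACL bindings are constructed for the example.

```python
"""Audit helpers for the concern raised in kafka-ui issue #288 (added example).

1. find_acl_edit_without_cluster_edit: flag kafka-ui RBAC roles that can edit
   ACLs while lacking edit rights on cluster configuration, i.e. the
   "cluster reader who can still write a cluster-level ACL" situation.
2. find_cluster_altering_acls: flag Kafka ACL bindings that grant
   cluster-altering operations, since once a preset ("custom") ACL has been
   written it is indistinguishable from any other binding.
"""
import re

# Constructed sample roles. Layout assumed to follow kafka-ui's RBAC config
# (rbac.roles[].permissions[] with resource/value/actions); resource names other
# than "acl" are an assumption, not taken from the issue.
ROLES = [
    {"name": "cluster-readers",
     "permissions": [
         {"resource": "clusterconfig", "actions": ["view"]},
         {"resource": "topic", "value": ".*", "actions": ["view"]},
         {"resource": "acl", "actions": ["view", "edit"]},  # the gap from the thread
     ]},
    {"name": "cluster-admins",
     "permissions": [
         {"resource": "clusterconfig", "actions": ["view", "edit"]},
         {"resource": "acl", "actions": ["view", "edit"]},
     ]},
    {"name": "auditors",
     "permissions": [
         {"resource": "acl", "actions": ["view"]},
     ]},
]

# Kafka operations that let an ACL holder change cluster-wide state.
CLUSTER_ALTERING_OPS = {"ALTER", "ALTER_CONFIGS", "CLUSTER_ACTION", "ALL"}


def _actions(role, resource):
    """Collect the actions a role holds on a resource ("all" expands to view+edit)."""
    acts = set()
    for perm in role.get("permissions", []):
        if perm.get("resource") != resource:
            continue
        declared = perm.get("actions", [])
        declared = [declared] if isinstance(declared, str) else declared
        for action in declared:
            action = action.lower()
            acts.update({"view", "edit"} if action == "all" else {action})
    return acts


def find_acl_edit_without_cluster_edit(roles):
    """Return names of roles that may edit ACLs but may not edit cluster config.

    Such a role looks read-only on the cluster in the UI, yet can write ACL
    bindings, including ones that grant ALTER on the cluster resource.
    """
    return [r["name"] for r in roles
            if "edit" in _actions(r, "acl")
            and "edit" not in _actions(r, "clusterconfig")]


# Constructed sample shaped like `kafka-acls --list` output; not captured from a cluster.
ACL_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
 \t(principal=User:orders-app, host=*, operation=WRITE, permissionType=ALLOW)
 \t(principal=User:orders-app, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
 \t(principal=User:orders-app, host=*, operation=ALTER, permissionType=ALLOW)
 \t(principal=User:ops, host=10.0.0.5, operation=ALTER_CONFIGS, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(
    r"ResourcePattern\(resourceType=(\w+), name=([^,]+), patternType=(\w+)\)")
ENTRY_RE = re.compile(
    r"\(principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)\)")


def parse_acl_listing(text):
    """Return (resource_type, name, principal, host, operation, permission) tuples."""
    current = None
    bindings = []
    for line in text.splitlines():
        res = RESOURCE_RE.search(line)
        if res:
            current = (res.group(1), res.group(2))  # resource header for following entries
            continue
        entry = ENTRY_RE.search(line)
        if entry and current:
            bindings.append(current + entry.groups())
    return bindings


def find_cluster_altering_acls(text):
    """Return ALLOW bindings on the CLUSTER resource whose operation changes cluster state."""
    return [b for b in parse_acl_listing(text)
            if b[0] == "CLUSTER" and b[5] == "ALLOW" and b[4] in CLUSTER_ALTERING_OPS]


if __name__ == "__main__":
    print("roles with acl edit but no clusterconfig edit:",
          find_acl_edit_without_cluster_edit(ROLES))
    for binding in find_cluster_altering_acls(ACL_LISTING):
        print("cluster-altering ACL:", binding)
```

The first check runs against the UI's role definitions before deployment; the second runs against the cluster's actual ACL state, which is where a preset created through the UI ends up, so it catches the "cluster alter" bindings regardless of which UI feature wrote them.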
