kafbat / kafka-ui

Open-Source Web UI for managing Apache Kafka clusters
http://ui.docs.kafbat.io
Apache License 2.0
607 stars 80 forks

Add support for opa authorization #455

Open mano1233 opened 4 months ago

mano1233 commented 4 months ago

Issue submitter TODO list

Is your proposal related to a problem?

No response

Describe the feature you're interested in

Add the ability to select the Open Policy Agent option to use authorization inside Kafka-ui. This will allow policies to manage user interface approval outside the application configuration and allow the usage of extra data sources to manage permissions. It can also be used to configure the masking of data on a topic.

Describe alternatives you've considered

I tried using the static RBAC to manage users. This causes some issues. The main one is that you must restart the application each time you change the permissions. Secondly, you can't enrich the decision-making using a third-party tool (like a metadata store) to specify the permissions on the user interface.

Version you're running

2956664

Additional context

OPA docs

github-actions[bot] commented 4 months ago

Hi mano1233! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

theonlyguyy commented 4 months ago

My organization is also in the process of migrating our authorization to OPA. We started this move after the overhead of maintaining authorization rules in all of our applications. So far we have moved our Trino clusters to OPA, and are in the middle of transitioning our Kafka stack to OPA. We have looked to switch our Kafka management tool since our old one does not suit our requirements well. After testing many tools we decided to use Kafbat-Ui, but our only problem is the lack of support for OPA. Our idea is to have OPA policies that dictate authorization based on our data governance tool, and by doing that simplify the overhead of authorization and have a single mechanism for managing it. To give some context on the current implementation in our environment, we are running Keycloak for authentication, and OPA sidecar containers for the systems that support OPA. We have integrated our Kafbat-Ui with our Keycloak and would be happy if we could further integrate it with OPA for our solution. Thank you in advance.

Haarolean commented 4 months ago

@theonlyguyy thanks for the additional feedback!