kafka-ops / julie

A solution to help you build automation and gitops in your Apache Kafka deployments. The Kafka gitops!
MIT License

RBACProvider Issue: Resources must be specified for role DeveloperManage #362

Closed DanielMabbett closed 3 years ago

DanielMabbett commented 3 years ago

Describe the bug

I will admit, this is probably my own doing from my previous PR: https://github.com/kafka-ops/julie/commit/a2e79d0fe160443d84b2dd1ff32c6f4e4714d2f0

Basically, it doesn't work using DeveloperManage built-in role for my Julie custom roles.

I will try to spend some time on this but it's worth adding a ticket for people to see it's known.

To Reproduce

Steps to reproduce the behavior:

1. Create a roles.yaml with "DeveloperManage" in it:

```yaml
---
roles:
  - name: "developerManage"
    acls:
      - resourceType: "Topic"
        resourceName: "{{topic}}"
        patternType: "LITERAL"
        host: "*"
        role: "DeveloperManage"
```

2. Create a topology.yaml file with a call to this custom role:

```yaml
context: ""
source: ""
projects:
```
3. Run dryRun or Apply:

```log
java.io.IOException: java.io.IOException: Something happened with the connection, response status code: 400 body: {"error_code":40002,"message":"Resources must be specified for role DeveloperManage"}
    at com.purbon.kafka.topology.clients.JulieHttpClient.doRequest(JulieHttpClient.java:223) ~[julie-ops.jar:?]
    at com.purbon.kafka.topology.clients.JulieHttpClient.doPost(JulieHttpClient.java:162) ~[julie-ops.jar:?]
    at com.purbon.kafka.topology.api.mds.MDSApiClient.bindRequest(MDSApiClient.java:103) ~[julie-ops.jar:?]
    at com.purbon.kafka.topology.roles.RBACProvider.createBindings(RBACProvider.java:29) ~[julie-ops.jar:?]
    at com.purbon.kafka.topology.actions.access.CreateBindings.execute(CreateBindings.java:28) ~[julie-ops.jar:?]
    at com.purbon.kafka.topology.actions.BaseAccessControlAction.run(BaseAccessControlAction.java:30) ~[julie-ops.jar:?]
    at com.purbon.kafka.topology.ExecutionPlan.execute(ExecutionPlan.java:112) ~[julie-ops.jar:?]
    at com.purbon.kafka.topology.ExecutionPlan.run(ExecutionPlan.java:90) [julie-ops.jar:?]
    at com.purbon.kafka.topology.JulieOps.run(JulieOps.java:248) [julie-ops.jar:?]
    at com.purbon.kafka.topology.JulieOps.run(JulieOps.java:265) [julie-ops.jar:?]
    at com.purbon.kafka.topology.CommandLineInterface.processTopology(CommandLineInterface.java:207) [julie-ops.jar:?]
    at com.purbon.kafka.topology.CommandLineInterface.run(CommandLineInterface.java:156) [julie-ops.jar:?]
    at com.purbon.kafka.topology.CommandLineInterface.main(CommandLineInterface.java:146) [julie-ops.jar:?]
Caused by: java.io.IOException: Something happened with the connection, response status code: 400 body: {"error_code":40002,"message":"Resources must be specified for role DeveloperManage"}
    at com.purbon.kafka.topology.clients.JulieHttpClient.doRequest(JulieHttpClient.java:212) ~[julie-ops.jar:?]
    ... 12 more
[ERROR] 2021-10-21 08:37:32.165 [main] ExecutionPlan - Something happen running action {
  "Operation" : "com.purbon.kafka.topology.actions.access.CreateBindings",
  "Bindings" : [ {
    "resourceType" : "TOPIC",
    "resourceName" : "test.topic",
    "host" : "*",
    "operation" : "DeveloperManage",
    "principal" : "User:test-user",
    "pattern" : "LITERAL",
    "scope" : {
      "clusters" : {
        "kafka-cluster" : "myclusterid"
      },
      "resources" : [ {
        "name" : "test.topic",
        "patternType" : "LITERAL",
        "resourceType" : "Topic"
      } ]
    }
  } ]
}
4. See error

Expected behavior

Should just follow the same role assignment/binding creation process as "DeveloperRead" or "DeveloperWrite".

Screenshots: None

Runtime (please complete the following information):

Additional context: None

purbon commented 3 years ago

Hi @DanielMabbett, thanks a lot for your report. I have done some tests with the latest version (master branch) and I am as of now unable to replicate your issue. What I did was:

1.- Compile the local jar (no docker interference) - this might be the only difference with you.

Use this roles file:

```yaml
---
roles:
  - name: "app"
    acls:
      - resourceType: "Topic"
        resourceName: "{{topic}}"
        patternType: "PREFIXED"
        host: "*"
        role: "ResourceOwner"
      - resourceType: "Topic"
        resourceName: "sourceTopic"
        patternType: "LITERAL"
        host: "*"
        role: "DeveloperRead"
  - name: "other"
    acls:
      - resourceType: "Topic"
        resourceName: "{{topic}}"
        patternType: "LITERAL"
        host: "*"
        role: "DeveloperManage"
```
Use this topology:

```yaml
---
context: "context"
source: "source"
projects:
  - name: "foo"
    other:
      - principal: "User:foo"
        topic: "my-topic"
    consumers:
      - principal: "User:App0"
      - principal: "User:App1"
    streams:
      - principal: "User:App0"
        topics:
          read:
            - "topicA"
            - "topicB"
          write:
            - "topicC"
            - "topicD"
    connectors:
      - principal: "User:Connect1"
        connectors:
          - "jdbc-sync"
          - "ibmmq-source"
        topics:
          read:
            - "topicA"
            - "topicB"
      - principal: "User:Connect2"
        topics:
          write:
            - "topicC"
            - "topicD"
    schemas:
      - principal: "User:App0"
        subjects:
          - "transactions"
      - principal: "User:App1"
        subjects:
          - "contracts"
    rbac:
      - ResourceOwner:
        - principal: "User:Foo"
      - SecurityAdmin:
        - principal: "User:Boo"
    topics:
      - name: "foo"
        config:
          replication.factor: "1"
          num.partitions: "1"
      - dataType: "avro"
        name: "bar"
        config:
          replication.factor: "1"
          num.partitions: "1"
  - name: "bar"
    topics:
      - dataType: "avro"
        name: "bar"
        config:
          replication.factor: "1"
          num.partitions: "1"
```
The DeveloperManage binding is created as expected.

```text
... redacted
_confluent-metrics
__confluent.support.metrics
List of ACLs:
my-topic
'TOPIC', 'my-topic', '*', 'DeveloperManage', 'User:foo', 'LITERAL'
List of Principles:
... redacted...
```

```text
confluent iam rolebinding list --principal "User:foo" --kafka-cluster-id q7Yfl76DTiufYhhSmPzGvQ
  Principal |      Role       | ResourceType |   Name   | PatternType
+-----------+-----------------+--------------+----------+-------------+
  User:foo  | DeveloperManage | Topic        | my-topic | LITERAL
```

I would love to help out, but as of now I am having this under investigation. It certainly looks like it is not a problem of the statement generation.

Do you mind helping me out with:

1.- What is your execution flow? Can you list the operations you do before reaching this situation?
2.- Do you mind pasting here as well your current state? Maybe the file is the easiest one.

Looking forward to hearing from you.
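The reporter's roles.yaml and the maintainer's roles/topology pair above both expand a custom Julie role into Confluent RBAC bindings; the 400 in the stack trace is MDS refusing a binding for a resource-scoped role that arrived without a resource pattern. The script below is an added example written for this page (editor's code, not the julie project's own and not posted by either participant): it mirrors that expansion for one principal and applies the MDS rule locally, so a bad roles/topology combination fails in dry-run style before any HTTP call. Assumptions: the binding layout copies the "Bindings" dump in the log above; the split of Confluent's predefined roles into resource-scoped (DeveloperRead, DeveloperWrite, DeveloperManage, ResourceOwner) and cluster-scoped (SystemAdmin, ClusterAdmin, SecurityAdmin, UserAdmin, Operator) is the editor's and may need extending for newer releases; the YAML is embedded already parsed, as dicts, so the script runs without PyYAML; all function names are hypothetical.

```python
"""Pre-flight check for Julie custom roles bound through Confluent MDS.

Added example for this thread, not julie code. Expands a custom role from
roles.yaml for each principal that uses it in topology.yaml, builds one
binding per ACL entry in the shape Julie logged in the issue, and rejects
locally what MDS would reject with error_code 40002.
"""
import json
import re
from typing import Any, Dict, List, Optional

# Assumption (editor's): Confluent predefined roles by scope. Resource-scoped
# roles require resource patterns; cluster-scoped roles must not carry any.
RESOURCE_SCOPED_ROLES = {"DeveloperRead", "DeveloperWrite", "DeveloperManage", "ResourceOwner"}
CLUSTER_SCOPED_ROLES = {"SystemAdmin", "ClusterAdmin", "SecurityAdmin", "UserAdmin", "Operator"}

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")  # matches {{topic}} style templates


class BindingError(ValueError):
    """Raised for a binding MDS would refuse (mirrors the 40002 message)."""


def render(template: str, params: Dict[str, str]) -> str:
    """Substitute {{name}} placeholders with values from the principal's topology entry."""
    def sub(m: "re.Match[str]") -> str:
        key = m.group(1)
        if key not in params:
            raise BindingError(f"placeholder {{{{{key}}}}} has no value for this principal")
        return params[key]
    return PLACEHOLDER.sub(sub, template)


def expand_role(role: Dict[str, Any], entry: Dict[str, str], cluster_id: str) -> List[Dict[str, Any]]:
    """Build one binding per ACL entry of a custom role, for one principal entry."""
    principal = entry["principal"]
    params = {k: v for k, v in entry.items() if k != "principal"}
    bindings = []
    for acl in role.get("acls", []):
        name = render(acl["resourceName"], params)
        bindings.append({
            "resourceType": acl["resourceType"].upper(),
            "resourceName": name,
            "host": acl.get("host", "*"),
            "operation": acl["role"],  # Julie's dump names the RBAC role "operation"
            "principal": principal,
            "pattern": acl["patternType"],
            "scope": {
                "clusters": {"kafka-cluster": cluster_id},
                "resources": [{"name": name, "patternType": acl["patternType"],
                               "resourceType": acl["resourceType"]}],
            },
        })
    return bindings


def check_binding(binding: Dict[str, Any]) -> None:
    """Fail closed on anything MDS would reject or that we cannot classify."""
    role = binding["operation"]
    resources = binding.get("scope", {}).get("resources", [])
    if role in RESOURCE_SCOPED_ROLES and not resources:
        raise BindingError(f"Resources must be specified for role {role}")
    if role in CLUSTER_SCOPED_ROLES and resources:
        raise BindingError(f"role {role} is cluster-scoped; resource patterns are not allowed")
    if role not in RESOURCE_SCOPED_ROLES | CLUSTER_SCOPED_ROLES:
        raise BindingError(f"unknown RBAC role {role}; extend the role tables before applying")


def rejection_reason(binding: Dict[str, Any]) -> Optional[str]:
    """Return the local rejection message, or None if the binding passes."""
    try:
        check_binding(binding)
        return None
    except BindingError as exc:
        return str(exc)


def plan(roles: List[Dict[str, Any]], topology: Dict[str, Any], cluster_id: str) -> List[Dict[str, Any]]:
    """Walk topology projects, expand every custom-role section, validate each binding."""
    by_name = {r["name"]: r for r in roles}
    bindings: List[Dict[str, Any]] = []
    for project in topology.get("projects", []):
        for key, entries in project.items():
            if key not in by_name:
                continue  # built-in sections (topics, consumers, rbac, ...) are not custom roles
            for entry in entries:
                for b in expand_role(by_name[key], entry, cluster_id):
                    check_binding(b)
                    bindings.append(b)
    return bindings


# Constructed sample input: the parsed form of the reporter's roles.yaml plus a
# minimal topology that uses the custom role for the principal seen in the log.
ROLES = [{"name": "developerManage", "acls": [
    {"resourceType": "Topic", "resourceName": "{{topic}}", "patternType": "LITERAL",
     "host": "*", "role": "DeveloperManage"}]}]
TOPOLOGY = {"context": "context", "source": "source", "projects": [
    {"name": "foo", "developerManage": [{"principal": "User:test-user", "topic": "test.topic"}]}]}

if __name__ == "__main__":
    for binding in plan(ROLES, TOPOLOGY, "myclusterid"):
        print(json.dumps(binding, indent=2))
    # A binding that lost its resource pattern is caught before reaching MDS.
    print(rejection_reason({"operation": "DeveloperManage", "scope": {"resources": []}}))
```

Run it as a script to print the binding Julie would send for `User:test-user`, then the local rejection for a DeveloperManage binding with an empty `resources` list; the message is the one MDS returned in the trace above.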

DanielMabbett commented 3 years ago

You are completely correct! I have managed to get this now working. Sorry for wasting time.

purbon commented 3 years ago

No wasting, glad it is working for you.