kafka-ops / julie

A solution to help you build automation and gitops in your Apache Kafka deployments. The Kafka gitops!
MIT License

idempotent producer principals are not granted the rbac role DeveloperWrite on resource Cluster #408

Closed jplaroche-telus closed 2 years ago

jplaroche-telus commented 2 years ago

Describe the bug

Principals that need to produce messages with producer.idempotence=true need to have, besides the DeveloperRead and DeveloperWrite on the Topic resource, the following role binding:

| Principal | Role | ResourceType | Name | PatternType |
|---|---|---|---|---|
| User: | DeveloperWrite | Cluster | kafka-cluster | LITERAL |

Otherwise when producing a message you will get the following Exception: org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.

JulieOps descriptor seems to support the idempotence: "true" for a producer's principal, example:

producers:
    - principal: "User:<my_producer_principal>"
      idempotence: "true"

But I suspect it only works with ACL, not RBAC since the binding User:/DeveloperWrite/Cluster was not created when I ran JulieOps.

To Reproduce

Steps to reproduce the behavior:

Define a producer and a principal with idempotence: "true" in the JulieOps descriptor

Run JulieOps

Check that you can create a message with the following command:

kafka-console-producer --bootstrap-server :9092 --producer.config producer.properties --topic

where producer.properties is:

sasl.mechanism=PLAIN
security.protocol=SASL_SSL
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="<my_producer_principal>"  password="<my_producer_principal_password>";
ssl.truststore.location=/var/ssl/private/kafka_broker.truststore.jks
ssl.truststore.password=<my_truststore_password>
enable.idempotence=true
max.in.flight.requests.per.connection=1
acks=all

Expected behavior

We should be able to create messages, but we get org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.


jplaroche-telus commented 2 years ago

Suggested fix:

com.purbon.kafka.topology.roles.rbac/RBACBindingsBuilder.java

in public List buildBindingsForProducers method:

      // idempotent producers also need DeveloperWrite on the Cluster resource,
      // otherwise the broker answers with ClusterAuthorizationException
      if (producer.getIdempotence().isPresent()  && producer.getIdempotence().get().equals(Boolean.TRUE)) {
        binding =
            apiClient.bind(
                producer.getPrincipal(), DEVELOPER_WRITE, "kafka-cluster", "Cluster", LITERAL);
        bindings.add(binding);
      }

purbon commented 2 years ago
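
An added audit script (not JulieOps code) that applies the rule from the report and the suggested fix above: it derives the bindings each producer principal should have and diffs them against the bindings actually present, flagging idempotent producers that lack DeveloperWrite on the kafka-cluster resource. The topic name, principals, dict layout and the "existing bindings" sample are constructed.

```python
"""Audit producer principals for the Confluent RBAC bindings an idempotent producer needs."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One RBAC role binding: principal, role, resource type, resource name, pattern."""
    principal: str
    role: str
    resource_type: str
    name: str
    pattern_type: str = "LITERAL"


def expected_producer_bindings(topic: str, producers: list[dict]) -> set[Binding]:
    """Bindings each producer principal needs on `topic`; an idempotent producer
    additionally needs DeveloperWrite on Cluster/kafka-cluster (the binding
    missing in issue #408)."""
    out: set[Binding] = set()
    for p in producers:
        principal = p["principal"]
        out.add(Binding(principal, "DeveloperRead", "Topic", topic))
        out.add(Binding(principal, "DeveloperWrite", "Topic", topic))
        # the descriptor carries idempotence as the string "true"; accept a bool as well
        if str(p.get("idempotence", "false")).lower() == "true":
            out.add(Binding(principal, "DeveloperWrite", "Cluster", "kafka-cluster"))
    return out


def missing_bindings(topic: str, producers: list[dict], existing: set[Binding]) -> set[Binding]:
    """Bindings the descriptor requires but the cluster does not have."""
    return expected_producer_bindings(topic, producers) - existing


# Constructed sample: a descriptor fragment and the bindings created before the fix
DESCRIPTOR = {"topic": "orders", "producers": [
    {"principal": "User:svc-orders", "idempotence": "true"},
    {"principal": "User:svc-audit"},
]}
EXISTING = {
    Binding("User:svc-orders", "DeveloperRead", "Topic", "orders"),
    Binding("User:svc-orders", "DeveloperWrite", "Topic", "orders"),
    Binding("User:svc-audit", "DeveloperRead", "Topic", "orders"),
    Binding("User:svc-audit", "DeveloperWrite", "Topic", "orders"),
}


def audit() -> set[Binding]:
    """Run the check over the constructed sample; returns the missing bindings."""
    return missing_bindings(DESCRIPTOR["topic"], DESCRIPTOR["producers"], EXISTING)


if __name__ == "__main__":
    for b in sorted(audit(), key=lambda b: (b.principal, b.resource_type)):
        print(f"MISSING {b.principal} {b.role} {b.resource_type} {b.name} {b.pattern_type}")
```

Running it prints the single missing cluster-level binding for User:svc-orders; the non-idempotent principal is not flagged.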

Hi @jplaroche-telus this should be fixed with the merge of #414 thanks a lot for your report. BTW, this was a literally small fix, and you gratefully provided a fix already in your comments. Next time, don't hesitate to send a PR ;-), all contributors are very much welcome.

jplaroche-telus commented 2 years ago

Noted, thank you.

From: Pere Urbón. Sent: December 9, 2021 10:30 AM. To: kafka-ops/julie. Cc: Jean-Philippe Laroche; Mention. Subject: Re: [kafka-ops/julie] idempotent producer principals are not granted the rbac role DeveloperWrite on resource Cluster (Issue #408)
