kafka-ops / julie

A solution to help you build automation and gitops in your Apache Kafka deployments. The Kafka gitops!
MIT License

fix/feature: make service accounts prefix filter a primary criteria when available to filter the list of access control rules #418

Closed purbon closed 2 years ago

purbon commented 2 years ago

close #381

damien-malescot commented 2 years ago

Hi,

In this PR you have added this first condition

    if (haveServiceAccountPrefixFilters() || resourceName.equals("*")) {
      return matchesServiceAccountPrefixList(principle);
    }

But if we have an RBAC right like this:

       Principal       |      Role      | ResourceType |              Name              | PatternType
+----------------------+----------------+--------------+--------------------------------+-------------+
  Group:G_FOO_BAR_READ | DeveloperWrite | Topic        | d.customers.example.my-topic.1 | LITERAL

Create a new topology file:

context: "d"
source: "foo"
projects:
  - name: "bar"
    consumers:
      - principal: "Group:G_FOO_BAR_READ"
    topics:
      - name: "my-topic.1"
        plan: "one-partition"

with configs

topology.topic.managed.prefixes.0=d.foo.bar
topology.service.accounts.managed.prefixes.0="Group:G_FOO_BAR_READ"

After execution, the first binding is deleted

       Principal       |     Role      | ResourceType |   Name    | PatternType
+----------------------+---------------+--------------+-----------+-------------+
  Group:G_FOO_BAR_READ | DeveloperRead | Topic        | d.foo.bar | PREFIXED
  Group:G_FOO_BAR_READ | ResourceOwner | Group        | *         | LITERAL

In fact, the binding matches the service account but the topic is not in this file, so julieops deletes this binding.

topology.topic.managed.prefixes is not used in this case to filter account AND topic matching.
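A small Python model of the two filter rules, added here for illustration and not JulieOps code: it rebuilds the scenario from the comment with the principal-only criterion of the quoted snippet beside a combined principal-and-topic criterion, and shows which binding each one would schedule for deletion. The names managed_principal_only, managed_principal_and_topic, plan_deletions and compare are hypothetical, and the sample bindings are constructed from the tables above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    principal: str
    role: str
    resource_type: str  # "Topic" or "Group"
    name: str           # resource name, or "*"
    pattern: str        # "LITERAL" or "PREFIXED"

def matches_prefix(value, prefixes):
    return any(value.startswith(p) for p in prefixes)

def managed_principal_only(b, sa_prefixes, topic_prefixes):
    """Model of the behaviour reported in the comment: once service-account
    prefixes are configured (or the resource is '*'), only the principal is checked."""
    if sa_prefixes or b.name == "*":
        return matches_prefix(b.principal, sa_prefixes)
    return matches_prefix(b.name, topic_prefixes)

def managed_principal_and_topic(b, sa_prefixes, topic_prefixes):
    """Combined check: a topic binding is managed only when the principal
    AND the topic name both fall under the configured prefixes."""
    if sa_prefixes and not matches_prefix(b.principal, sa_prefixes):
        return False
    if b.resource_type == "Topic" and b.name != "*" and topic_prefixes:
        return matches_prefix(b.name, topic_prefixes)
    return True

def plan_deletions(current, desired, is_managed, sa_prefixes, topic_prefixes):
    """Managed bindings that are absent from the topology are what a sync run deletes."""
    return [b for b in current
            if is_managed(b, sa_prefixes, topic_prefixes) and b not in desired]

# Constructed sample state mirroring the tables and configs in the comment above.
SA_PREFIXES = ["Group:G_FOO_BAR_READ"]
TOPIC_PREFIXES = ["d.foo.bar"]
STRAY = Binding("Group:G_FOO_BAR_READ", "DeveloperWrite", "Topic",
                "d.customers.example.my-topic.1", "LITERAL")
DESIRED = [
    Binding("Group:G_FOO_BAR_READ", "DeveloperRead", "Topic", "d.foo.bar", "PREFIXED"),
    Binding("Group:G_FOO_BAR_READ", "ResourceOwner", "Group", "*", "LITERAL"),
]
CURRENT = [STRAY] + DESIRED

def compare():
    """Return (deletions under the principal-only filter, deletions under the combined one)."""
    only = plan_deletions(CURRENT, DESIRED, managed_principal_only, SA_PREFIXES, TOPIC_PREFIXES)
    both = plan_deletions(CURRENT, DESIRED, managed_principal_and_topic, SA_PREFIXES, TOPIC_PREFIXES)
    return only, both
```

With the principal-only rule the stray binding on d.customers.example.my-topic.1 is flagged for deletion even though its topic lies outside topology.topic.managed.prefixes; the combined rule leaves it untouched.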

purbon commented 2 years ago

@damien-malescot, would you be so nice to please open an issue for this? thanks a lot.