kafka-ops / julie

A solution to help you build automation and gitops in your Apache Kafka deployments. The Kafka gitops!
MIT License

RBAC - Service accounts prefix filter as primary criterion is not correct when config has topic filter. #505

Closed damien-malescot closed 2 years ago

damien-malescot commented 2 years ago

Describe the bug: In PR 418, service accounts now take precedence over everything if configured. But if we have service accounts AND topics managed in the configuration, the filter is not correct.

To Reproduce: New code in PR 418:

```java
    // regardless. Filtering by service account will always take precedence if defined
    if (haveServiceAccountPrefixFilters() || resourceName.equals("*")) {
      return matchesServiceAccountPrefixList(principle);
    }
```

If we have an RBAC right like this in the cluster:

```
       Principal       |      Role      | ResourceType |              Name              | PatternType
+----------------------+----------------+--------------+--------------------------------+-------------+
  Group:G_FOO_BAR_READ | DeveloperWrite | Topic        | d.customers.example.my-topic.1 | LITERAL
```

Create a new topology file:

```yaml
context: "d"
source: "foo"
projects:
  - name: "bar"
    consumers:
      - principal: "Group:G_FOO_BAR_READ"
    topics:
      - name: "my-topic.1"
        plan: "one-partition"
```

with configs:

```properties
topology.topic.managed.prefixes.0=d.foo.bar
topology.service.accounts.managed.prefixes.0="Group:G_FOO_BAR_READ"
```

After execution, the first binding is deleted:

```
       Principal       |     Role      | ResourceType |   Name    | PatternType
+----------------------+---------------+--------------+-----------+-------------+
  Group:G_FOO_BAR_READ | DeveloperRead | Topic        | d.foo.bar | PREFIXED
  Group:G_FOO_BAR_READ | ResourceOwner | Group        | *         | LITERAL
```

In fact, the binding matches the service account but the topic is not in this file, so JulieOps deletes this binding.

`topology.topic.managed.prefixes` is not used in this case to filter on service account AND topic matching.

Expected behavior: Service accounts should not always take precedence if configured.

Additional context: JulieOps master branch.
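The following is an added, simplified model of the two filtering policies discussed in this issue; it is not JulieOps' own code, and the class, record and method names (`ManagedPrefixFilterDemo`, `Binding`, `FilterConfig`, `isManagedServiceAccountFirst`, `isManagedAllFiltersMustMatch`) are hypothetical. A binding that the filter reports as "managed" is one the tool would treat as its own and delete when it is absent from the topology, so an over-broad filter silently revokes access grants that belong to someone else. The sample binding and configuration values are the ones from the report above.

```java
import java.util.List;

/**
 * Simplified model (not JulieOps' own code) of how managed-prefix filters
 * decide whether an existing RBAC binding belongs to the topology and may be
 * deleted when the topology no longer lists it. All names are hypothetical.
 */
public class ManagedPrefixFilterDemo {

    /** A cluster-side RBAC binding, reduced to the fields the filter inspects. */
    record Binding(String principal, String resourceType, String resourceName) {}

    /** The two managed-prefix lists taken from the configuration. */
    record FilterConfig(List<String> topicPrefixes, List<String> serviceAccountPrefixes) {
        boolean hasServiceAccountPrefixes() { return !serviceAccountPrefixes.isEmpty(); }
        boolean hasTopicPrefixes() { return !topicPrefixes.isEmpty(); }
    }

    static boolean startsWithAny(String value, List<String> prefixes) {
        return prefixes.stream().anyMatch(value::startsWith);
    }

    /** Policy described in the issue: a configured service-account filter wins outright. */
    static boolean isManagedServiceAccountFirst(Binding b, FilterConfig cfg) {
        if (cfg.hasServiceAccountPrefixes() || b.resourceName().equals("*")) {
            return startsWithAny(b.principal(), cfg.serviceAccountPrefixes());
        }
        if (b.resourceType().equals("Topic") && cfg.hasTopicPrefixes()) {
            return startsWithAny(b.resourceName(), cfg.topicPrefixes());
        }
        return false;
    }

    /** Alternative policy: every configured filter must match, so a foreign topic is left alone. */
    static boolean isManagedAllFiltersMustMatch(Binding b, FilterConfig cfg) {
        if (cfg.hasServiceAccountPrefixes()
                && !startsWithAny(b.principal(), cfg.serviceAccountPrefixes())) {
            return false;
        }
        // Wildcard and non-topic resources are not subject to the topic prefix list.
        boolean topicScoped = b.resourceType().equals("Topic") && !b.resourceName().equals("*");
        if (topicScoped && cfg.hasTopicPrefixes()
                && !startsWithAny(b.resourceName(), cfg.topicPrefixes())) {
            return false;
        }
        // With no filters configured at all, nothing is claimed as managed.
        return cfg.hasServiceAccountPrefixes() || cfg.hasTopicPrefixes();
    }

    public static void main(String[] args) {
        // Constructed from the configuration in the report above.
        FilterConfig cfg = new FilterConfig(
                List.of("d.foo.bar"),                 // topology.topic.managed.prefixes.0
                List.of("Group:G_FOO_BAR_READ"));     // topology.service.accounts.managed.prefixes.0

        // The binding from the report: same principal, but a topic outside the managed prefix.
        Binding foreignTopic = new Binding("Group:G_FOO_BAR_READ", "Topic", "d.customers.example.my-topic.1");
        // A binding the topology does own.
        Binding ownTopic = new Binding("Group:G_FOO_BAR_READ", "Topic", "d.foo.bar");
        // The group-level wildcard binding that the tool itself created.
        Binding groupWildcard = new Binding("Group:G_FOO_BAR_READ", "Group", "*");

        for (Binding b : List.of(foreignTopic, ownTopic, groupWildcard)) {
            System.out.printf("%-32s service-account-first=%-5b all-filters-must-match=%b%n",
                    b.resourceName(),
                    isManagedServiceAccountFirst(b, cfg),
                    isManagedAllFiltersMustMatch(b, cfg));
        }
    }
}
```

Under the service-account-first policy the `d.customers.example.my-topic.1` binding is reported as managed, which is why it is deleted even though the topology never declared that topic; under the all-filters-must-match policy only `d.foo.bar` and the `Group`/`*` binding are claimed. Before running a reconciliation with both prefix lists configured, a dry run that lists every binding the filter claims as managed is the cheapest way to catch this kind of unintended revocation.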

purbon commented 2 years ago

Thanks again @damien-malescot for your list of interesting issues, I'm really grateful for your help and interest in making JulieOps a bit better. If I understand you better, you are proposing to have something like this kind of filter (if matching):

In this order, for AccessControlManager.

Would that be an accurate map of your suggestion here?

ludovic-boutros commented 2 years ago

Hi @purbon, indeed that should fix this bug. Julie should only manage service accounts for the defined topic filters, if any.

Thanks.

purbon commented 2 years ago

Fair enough! Let me shoot your way a proposal PR and let me know if that fits, ok?

purbon commented 2 years ago

@ludovic-boutros @damien-malescot as shared, I have created #521 as the proposed amendment for this. Does this paint your thoughts and proposals in the issue?