michelin / ns4kafka

Ns4Kafka brings namespaces on top of Kafka brokers, Kafka Connect and Schema Registry.
Apache License 2.0

Usage of AES encryption is not possible for connect-cluster grantees (who are not owner) #403

Closed MrDocx closed 3 months ago

MrDocx commented 3 months ago

Describe the bug

The issue concerns connect-cluster objects and, more specifically, permissions management. Owners of Connect clusters can authorize other namespaces to deploy connectors on their own Connect clusters by giving an ACL with the WRITE permission to the grantees. But grantees cannot use AES 256 encryption.

To Reproduce

Steps to reproduce the behavior:

  1. Create a namespace (firstNamespace) with:

     - One connect-cluster (with AES configuration)
     - ACL to declare that the namespace is the owner of the connect-cluster

  2. Create another namespace (secondNamespace)
  3. On firstNamespace: Create ACL to give WRITE permission to connect-cluster of secondNamespace
  4. On secondNamespace: It's possible to deploy a connector in the connect-cluster of firstNamespace, but it's not possible to use AES256 encryption. So the secondNamespace can't secure its secrets.

Expected behavior

Owners of Connect clusters can authorize other namespaces to deploy connectors on their own Connect clusters by giving an ACL, but now, as a grantee, I want to be able to encrypt secrets on a connector with the AES configuration of the connect-cluster.


MrDocx commented 3 months ago

Sorry, that was a mistake on my part

(my bad)