Open angeloxx opened 2 years ago
Hello there angeloxx! 👋
Thank you and congratulations 🎉 for opening your very first issue in this project! 💖
In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀
@Haarolean I would like to work on this, but before I start I would like to know a bit more information here. The design should align to another issue https://github.com/provectus/kafka-ui/issues/753.
@angeloxx It will be nice if you can provide a bit more details: are you using any SSO to access kafka-ui? How are your user groups mapped to ACLs?
@gaddam1987 unfortunately we can't implement this until we implement #753 which you mentioned.
@Haarolean I would like to solve this in an easy way for now, as we need this sort of functionality.
Approach for SSO use case:
User -> Will have many groups (I will assume that there is a one-to-one mapping from group to an ACL in Kafka).
As a start we only support display of topics and other stuff connected to one group. And in the UI, on the top, there will be a drop-down of all the groups the user has access to. When he changes the group we will clear all the cache stored (based on https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/context/ApplicationEvent.html) and reload this com.provectus.kafka.ui.service.ClustersStorage.kafkaClusters in a thread-safe way.
Credentials for each role need to be supplied as part of config or can be fetched from a secret store.
@gaddam1987 feel free to raise a PR, we'll see if we can use this approach.
@Haarolean I have a working solution, but it's with lots of hacks as of now. But it's working though. I tested only OAuth2-based SSO using Azure AD.
The main idea behind this is that the actual role management is not handled by kafka-ui, but kafka-ui allows multiple Kafka credentials (not as part of the application configuration) using a credential fetcher; for my use case it is AWS Secrets Manager, but it can be extended to support multiple credential fetchers, with the default being file-based.
I can create a pull request with the hacks, but we can discuss whether the approach is good enough. Then I can work on improving the final solution.
@gaddam1987 hey, if it's some custom solution which works just for you with a lot of hacks, we better not. I'd get #753 implemented first.
Hi, has there been any movement on this?
@jrote1 not yet, please vote for the issue so we can see what users are interested in the most
Is your proposal related to a problem?
In some environments the Kafka cluster is integrated with an external identity provider (Active Directory or LDAP) and the Web UI (kafka-ui) should apply the same restriction/access level, in order to manage ACLs in a single point (the identity provider). On the Kafka side, SASL_SSL is implemented.
Describe the solution you'd like
It would be useful if Kafka-UI also supported pass-through authentication and used the provided username/password to authenticate against the Kafka cluster.
Describe alternatives you've considered
No alternatives available.
Additional context
In our scenario the Active Directory users (service users or developers/sysadmins) belong to one or more groups, one for each topic and simplified access level; e.g. we have two groups for each topic (prefix_C_topic-name for consumers, prefix_P_topic-name for producers, with additional rights in order to describe topics and use consumer groups), and using Terraform we provision topics and related ACLs.
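The pass-through authentication proposed above, sketched as an added example that is not kafka-ui's code: each authenticated user gets their own AdminClient built from their own SASL_SSL/PLAIN credentials, supplied through a hypothetical CredentialFetcher (the file- or secret-store-backed fetcher idea from the thread), and the cached client is dropped on logout or group change. The class, interface and method names are assumptions; the Kafka client config keys are the real ones.

```java
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.common.config.SaslConfigs;

/** Per-user Kafka admin clients for pass-through SASL_SSL authentication (illustrative, not kafka-ui code). */
public final class PassThroughAdminClients {
  /** Hypothetical source of per-user Kafka credentials (login form, file, or a secret store). */
  public interface CredentialFetcher {
    String[] fetch(String principal); // {username, password} for the authenticated principal, or null
  }
  private final String bootstrapServers;
  private final CredentialFetcher fetcher;
  // One AdminClient per principal: a session can only ever act with its own user's credentials.
  private final Map<String, AdminClient> clients = new ConcurrentHashMap<>();

  public PassThroughAdminClients(String bootstrapServers, CredentialFetcher fetcher) {
    this.bootstrapServers = bootstrapServers;
    this.fetcher = fetcher;
  }
  /** Client config for one user. SASL_SSL only: PLAIN over SASL_PLAINTEXT would expose the password. */
  static Properties configFor(String bootstrapServers, String username, String password) {
    Properties props = new Properties();
    props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrapServers);
    props.put(AdminClientConfig.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
    props.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    props.put(SaslConfigs.SASL_JAAS_CONFIG, "org.apache.kafka.common.security.plain.PlainLoginModule required"
        + " username=\"" + jaasEscape(username) + "\" password=\"" + jaasEscape(password) + "\";");
    return props;
  }
  /** Escapes backslashes and quotes so a crafted username or password cannot alter the JAAS config line. */
  static String jaasEscape(String value) {
    return value.replace("\\", "\\\\").replace("\"", "\\\"");
  }
  /** Returns the caller's own client, creating it on first use; the password is never logged or kept here. */
  public AdminClient forPrincipal(String principal) {
    return clients.computeIfAbsent(principal, p -> {
      String[] cred = fetcher.fetch(p);
      if (cred == null) throw new IllegalStateException("no Kafka credentials for principal " + p);
      return AdminClient.create(configFor(bootstrapServers, cred[0], cred[1]));
    });
  }
  /** Drop the cached client on logout or when the user switches group (the cache-clearing step above). */
  public void evict(String principal) {
    AdminClient c = clients.remove(principal);
    if (c != null) c.close();
  }
}
```

Because authorization is then enforced by the broker's ACLs for the connecting user rather than by kafka-ui, a UI bug cannot grant more than the identity provider already allows.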