provectus / kafka-ui

Open-Source Web UI for Apache Kafka Management
Apache License 2.0

Support ALB Authentication with OIDC #1863

Open mkielar opened 2 years ago

mkielar commented 2 years ago

Is your proposal related to a problem?

I'm deploying Kafka UI on AWS ECS Fargate and exposing it via ALB. AWS ALBs have a way of performing authentication using AWS Cognito or 3rd-party OpenID Connect. This way the access tokens are never sent to the user's browser, and are only exchanged between the ALB and the application. The ALB uses a bunch of X-AMZN-OIDC-* headers to pass authentication information to the application, which the application would have to understand.

Describe the solution you'd like

We'd like to be able to configure SSO with Active AD on ALB level, and then have Kafka UI make sense of the tokens ALB sends.

Describe alternatives you've considered

For now we have two options:

  1. Enable the ALB Authentication and leave Kafka UI unauthenticated - whoever passes the ALB can access all functionality in Kafka UI. This would work for now, until Kafka UI provides more fine-grained RBAC.
  2. Pass-through on ALB, and use SSO integration with Azure AD directly on Kafka UI.

Additional context

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
  2. https://github.com/raiffeisenbankinternational/aws-albheaders-authentication - I think this may come in handy to implement the Spring Boot configuration for it.

github-actions[bot] commented 2 years ago

Hello there mkielar! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

Haarolean commented 2 years ago

Hey, thanks for reaching out.

We'll consider implementing ALB headers support after we're done with #753.

SSO guide, if you haven't seen one yet.

Stay tuned!

wanisfahmyDE commented 2 years ago

Hey @mkielar, just wanted to share what worked for me. If you only care about authentication without RBAC, you can implement this directly on the ALB + OIDC listener and limit in your IdP which groups or users have access, without kafka-ui being aware of it.

mkielar commented 2 years ago

@wanisfahmyDE I know it would, I'm currently using the solution as you described and it works great :).

What I'm hoping for from this ticket, however, is for Kafka UI to be able to make sense of the X-AMZN-OIDC-* headers that ALB passes upstream and implement actual RBAC based on them. Currently I can either grant or deny access to Kafka UI by adding/removing people to/from AD groups. What I'd like to do is have several groups in my AD and, depending on the group, give people access to read/write data in the topics or even modify/delete topics, etc. Full RBAC.

mkielar commented 1 year ago

@Haarolean, I've seen https://github.com/provectus/kafka-ui/issues/753 has been done for some time now. Are there any plans for this one to get some traction?

Haarolean commented 1 year ago

@mkielar thanks for the reminder, I'll add this to the RBAC board.