Open joaofrsilva opened 1 year ago
Haarolean
commented
1 year ago Hi, currently we do not support gitlab for RBAC. Probly it'd be possible after we implement #2844, otherwise I'll take a look and implement a separate one for gitlab. Stay tuned!
varkey
commented
1 year ago @Haarolean Is there any progress on RBAC with Gitlab? Similar to @EI-Joao, we are able to login with Gitlab SSO, but RBAC would definitely help us.
Haarolean
commented
1 year ago @varkey with our current bandwidth we have planned support for LDAP & generic oauth providers for the current release. It may work with gitlab as a generic provider, otherwise, it'll be a separate task in future releases.
Haarolean
commented
1 year ago The original issue is solvable thru #2844. Probably we need to explicitly support gitlab teams just like GitHub ones (#2751). Let's keep this issue for this purpose.
IIPOCTAK
commented
9 months ago Hello. I'm not sure if my problem should be here. But I didn't find something related to the gitlab anywhere. We are using GitLab as OAuth provider for some applications, kafka-ui in the list. Our configuration is:
---
kafka:
clusters:
- name: <cluster>
bootstrapServers: <redacter>
spring:
security:
oauth2:
auth:
type: OAUTH2
oauth2:
client:
gitlab:
clientId: <redacted>
clientSecret: <redacted>
scope: ['openid', 'profile']
client-name: gitlab
provider: gitlab
redirect-uri: https://<redacted>/login/oauth2/code/gitlab
issuer-uri: https:// <redacted>
authorization-grant-type: authorization_code
user-name-attribute: nickname
custom-params:
type: oauth
roles-field: nickname
management:
health:
ldap:
enabled: false
rbac:
roles:
- name: "admins"
cluster:
- <cluster>
subjects:
- provider: oauth
type: role
value: "<nickname>"
permissions:
- resource: applicationconfig
actions: all
- resource: clusterconfig
actions: all
- resource: topic
value: ".*"
actions: all
- resource: consumer
value: ".*"
actions: all
- resource: schema
value: ".*"
actions: all
- resource: connect
value: ".*"
actions: all
- resource: ksql
actions: all
- resource: acl
value: ".*"
actions: [ view ]But after registration I see entire white screen, see picture:
In the log I see successful login:
<time> DEBUG [reactor-http-nio-1] c.p.k.u.s.r.e.OauthAuthorityExtractor: Assigning role [<nickname>] to user [<nickname>]With debug: on:
<time> DEBUG [reactor-http-nio-3] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=RbacOidcUser[user=Name: [<nickname>], Granted Authorities: [[OIDC_USER, SCOPE_openid, SCOPE_profile]], User Attributes: [{sub=19, groups_direct=[<group>], profile=https://<redacted>/<nickname>, iss=https://<redacted>, groups=[<group>], preferred_username=<nickname>, https://gitlab.org/claims/groups/owner=[<group>], nonce=<redacted>, picture=https://<redacted>/uploads/-/system/user/avatar/19/avatar.png, aud=[<redacted>], auth_time=<time>, name=<redacted>, nickname=<nickname> sub_legacy=<redacted>, exp=<time>, iat=<time>}], groups=[admins]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[OIDC_USER, SCOPE_openid, SCOPE_profile]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@1ecb2f6'Is there a misconfiguration in config or did I something wrong? Note: Without rbac section (only when auth is present) I can login without any problem.
Alexander-ac
commented
2 months ago Hello @IIPOCTAK , i have the same issue with the white screen. And i have the same log output:
2024-05-02 09:02:02,176 DEBUG [reactor-http-epoll-4] c.p.k.u.s.r.e.OauthAuthorityExtractor: Assigning role [admin] to user [Alexander Boger]
Did you find the solution for this problem?
with kind regards
Alexander Boger
IIPOCTAK
commented
2 months ago Hello @Alexander-ac.
Unfortunately, I haven't found proper solution to fix white screen yet.
Right now we are using basic auth to login in kafka-ui, but I hope that problem above will be noticed by developers and will be fixed in the future release.
Kind regards.
Alexander-ac
commented
2 months ago But that is extremely strange. I configured the whole thing with Azure (oauth).
Honestly, I can't imagine that it isn't already supported. But I run into the same error. A white screen is displayed after redirection.
Does basic authentication also support RBAC?
Haarolean
commented
2 months ago Please note this repo is not maintained (#4255). Happy to address your issues here: https://github.com/kafbat/kafka-ui
Alexander-ac
commented
2 months ago @IIPOCTAK Are you using ngnix or something else?
Yesterday I experimented with Keycloak and WebUI locally on my computer. I built the whole thing using Docker and simulated it without using reverse proxy. And look, it works! So I strongly suspect that the cause of the problem is the reverse proxy settings.
Alexander-ac
commented
2 months ago I think I have now found the real reason for the problem. If I remove the SERVER_SERVLET_CONTEXT_PATH variable, the forwarding works properly. And the WEB-UI interface appears.
IIPOCTAK
commented
1 month ago Created an issue here
@Alexander-ac Yes, we use ingress nginx as reverse proxy for kafka-ui. Unfortunately, I didn't use SERVER_SERVLET_CONTEXT_PATH in configuration, when I tried to use the variable in the configuration - problem still appears.
Does basic authentication also support RBAC?
No, It doesn't.
Hi, I am trying to make kafka-ui available for an entire organization. For now I was able to integrate the authentication with GitLab, but when it comes to RBAC I can not find the config. Is it supported?
Config I am using for the authentication: auth: type: OAUTH2 oauth2: client: gitlab: provider: gitlab clientId: redacted authorizationGrantType: authorization_code clientSecret: redacted redirectUri: http://kafka-ui.com/login/oauth2/code/gitlab scope:
Config I am trying for RBAC: rbac: roles: