provectus / kafka-ui

Open-Source Web UI for Apache Kafka Management
Apache License 2.0

RBAC: LDAP user belonging to many groups can't see anything #3892

Closed MxFbk closed 1 year ago

MxFbk commented 1 year ago

Describe the bug (actual behavior)

Hi all,

I would like to configure RBAC but I'm still facing issues.

I can access Kafka UI through our LDAP without problems, but after introducing roles.yml I can log in but no clusters/resources are visible in the UI.

Looking at the documentation, I wasn't able to solve this on my own.

Sorry if it's my fault.

Thanks a lot.

Expected behavior

I would like to be able to configure RBAC with LDAP, but have had no success.

Your installation details

APP version 0.7.0

CONFIG:

compose.yml

  kafka-ui:
    image: provectuslabs/kafka-ui:latest
    container_name: kafka-ui
    ports:
      - "8083:8080"
    restart: always
    user: "0"
    environment:
      LOGGING_LEVEL_ROOT: debug
      LOGGING_LEVEL_COM_PROVECTUS: debug
      TZ: Europe/Rome
      KAFKA_ADMIN-CLIENT-TIMEOUT: 60000
      #######
      AUTH_TYPE: LDAP
      SPRING_LDAP_URLS: ldap://ldap_server:389
      SPRING_LDAP_BASE: CN=***********,OU=company,OU=tech_users,DC=g,DC=b,DC=s
      SPRING_LDAP_ADMIN-USER: CN=***********,OU=company,OU=tech_users,DC=g,DC=b,DC=s
      SPRING_LDAP_ADMINP-ASSWORD: **************************
      SPRING_LDAP_USER-FILTER-SEARCH-BASE: OU=obp,OU=users,DC=g,DC=b,DC=s
      #SPRING_LDAP_USER-FILTER-SEARCH-FILTER: "(&(sAMAccountName={0})(memberOf=CN=FBK_AWX_PRE,OU=company,OU=tech_users,DC=g,DC=b,DC=s)(memberOf=CN=FBK_AWX_PRO,OU=company,OU=tech_users,DC=g,DC=b,DC=s))"
      SPRING_LDAP_USER-FILTER-SEARCH-FILTER: "(sAMAccountName={0})"
      SPRING_LDAP_GROUP-FILTER-SEARCH-BASE: OU=company,OU=tech_users,DC=g,DC=b,DC=s
      SPRING_CONFIG_ADDITIONAL-LOCATION: /roles.yml
      #      AUTH_TYPE: "LOGIN_FORM"
      #      SPRING_SECURITY_USER_NAME: team
      #      SPRING_SECURITY_USER_PASSWORD: **************************
      #######
      KAFKA_CLUSTERS_0_NAME: fbk_kafka_tst
      ... ... ... ...
      #######
      KAFKA_CLUSTERS_1_NAME: fbk_kafka_pre
      ... ... ... ...
      #######
      JAVA_OPTS: ... ... ...
    volumes:
      - type: bind
        source: /opt/kafkaui/logs
        target: /opt/kafkaui/logs
      - type: bind
        source: /opt/kafkaui/config
        target: /opt/kafkaui/config
      - /etc/localtime:/etc/localtime:ro
      - /opt/kafkaui/roles.yml:/roles.yml

roles.yml

  roles:
    - name: "itop"
      clusters:
        - fbk_kafka_tst
        - fbk_kafka_pre
      subjects:
        - provider: ldap
          type: group
          value: "FBK_AWX_PRO"
      permissions:
        - resource: applicationconfig
          actions: all

        - resource: clusterconfig
          actions: all

        - resource: topic
          value: ".*"
          actions: all

        - resource: consumer
          value: ".*"
          actions: all

        - resource: schema
          value: ".*"
          actions: all

        - resource: connect
          value: ".*"
          actions: all

        - resource: ksql
          actions: all

        - resource: acl
          value: ".*"
          actions: [ view ]

Steps to reproduce

ENABLING roles through "roles.yml", I can log in but no permissions are granted. DISABLING roles, I can see everything.

Logs

Using DEBUG level I can see the RIGHT Granted Authorities linked to my user:

2023-06-01T16:50:42.037+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@7a13056c, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@39d4f754'

All Granted Authorities are right and associated with my user.

Calling the /api/clusters context I receive an empty array when roles are enabled. Looking at the response when calling /api/authorization I receive:

{"rbacEnabled":true,"userInfo":{"username":"my_user","permissions":[]}}

Looking for issues in the logs at DEBUG level I can see just this:

2023-06-01T17:15:25.428+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.w.s.adapter.HttpWebHandlerAdapter    : [d9bf5fa6-83] HTTP GET "/manifest.json"
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'POST /login'
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=GET}
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'GET /login'
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=GET}
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'GET /logout'
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.w.s.s.DefaultWebSessionManager       : Created new WebSession.
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [reactor-http-epoll-1] r.n.http.server.HttpServerOperations     : [3d9fe5e1-17, L:/10.170.59.2:8080 - R:/192.168.116.41:41480] Decreasing pending responses, now 0
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'POST /logout'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [reactor-http-epoll-1] r.n.http.server.HttpServerOperations     : [3d9fe5e1-17, L:/10.170.59.2:8080 - R:/192.168.116.41:41480] Last HTTP packet was sent, terminating the channel
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [reactor-http-epoll-1] r.netty.channel.ChannelOperations        : [3d9fe5e1-17, L:/10.170.59.2:8080 - R:/192.168.116.41:41480] [HttpServer] Channel inbound receiver cancelled (operation cancelled).
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/css/**', method=null}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /css/**'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/js/**', method=null}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /js/**'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/media/**', method=null}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /media/**'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/resources/**', method=null}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /resources/**'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/actuator/health/**', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /actuator/health/**'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/actuator/info', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /actuator/info'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/auth', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /auth'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /login'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /logout'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/oauth2/**', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /oauth2/**'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/static/**', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /static/**'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/manifest.json' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@7dfa736e
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] ebSessionServerSecurityContextRepository : No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@3f0f7993'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization failed: Access Denied

All other contexts are authorized with "Authorization successful".

MxFbk commented 1 year ago

I can add some info after more investigation.

When roles are disabled, a call to /api/clusters gives back JSON:

2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/api/clusters' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@68d25c9b
2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=cn=GBS07272,ou=OBP,ou=Utenze,dc=SG,dc=GBS,dc=PRO; Username=GBS07272; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@18a9a3f5'
2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization successful
2023-06-01T17:53:10.850+02:00 DEBUG 1 --- [reactor-http-epoll-2] .s.w.r.r.m.a.ResponseEntityResultHandler : [d2999f34-14] Using 'application/json' given [*/*] and supported [application/json]
2023-06-01T17:53:10.850+02:00 DEBUG 1 --- [reactor-http-epoll-2] .s.w.r.r.m.a.ResponseEntityResultHandler : [d2999f34-14] 0..N [com.provectus.kafka.ui.model.ClusterDTO]
2023-06-01T17:53:10.864+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.http.codec.json.Jackson2JsonEncoder  : [d2999f34-14] Encoding [class ClusterDTO {<EOL>    name: fbk_kafka_tst<EOL>    defaultCluster: null<EOL>    status: initializing<EOL>    las (truncated)...]
2023-06-01T17:53:10.875+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.http.codec.json.Jackson2JsonEncoder  : [d2999f34-14] Encoding [class ClusterDTO {<EOL>    name: fbk_kafka_pre<EOL>    defaultCluster: null<EOL>    status: initializing<EOL>    las (truncated)...]
2023-06-01T17:53:10.877+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [d2999f34-14] Completed 200 OK

If roles are enabled, no JSON is given back even though authorization is successful.

2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/api/clusters' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@ee8a53b
2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization successful
2023-06-01T17:58:29.749+02:00 DEBUG 1 --- [reactor-http-epoll-4] s.w.r.r.m.a.RequestMappingHandlerMapping : [1e948963-14] Mapped to com.provectus.kafka.ui.controller.ClustersController#getClusters(ServerWebExchange)
2023-06-01T17:58:29.801+02:00 DEBUG 1 --- [reactor-http-epoll-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [1e948963-14] Using 'application/json' given [*/*] and supported [application/json]
2023-06-01T17:58:29.801+02:00 DEBUG 1 --- [reactor-http-epoll-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [1e948963-14] 0..N [com.provectus.kafka.ui.model.ClusterDTO]
2023-06-01T17:58:29.816+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.817+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.821+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.w.s.adapter.HttpWebHandlerAdapter    : [1e948963-14] Completed 200 OK

gastoncan commented 1 year ago

Hi Kafka-UI team :) First of all, I wanted to thank you for the great job you are doing developing this great app! While trying the new RBAC feature, I am getting an empty list of permissions when calling the /api/authorization API, even though I am authenticated and my groups are properly found. Additionally, I removed myself from all LDAP security groups but the relevant one for authentication and authorization (a single group), but the issue still reproduces. It looks like my user's authentication info is not properly bound to the RBAC configuration.

yamlApplicationConfig:
  kafka:
    clusters:
      - name: kafka
        bootstrapServers: kafka-host:9094
  auth:
    type: "LDAP"
  spring:
    ldap:
      admin-password: pppp
      admin-user: CN=yyyy
      urls: ldap://ldap-host.company.local:389
      user-filter-search-base: OU=users,OU=my-company,DC=company,DC=local
      user-filter-search-filter: (&(sAMAccountName={0})(objectClass=person)(memberOf=CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local))
      group-filter-search-base: OU=Kafka_UI,OU=my-company,DC=company,DC=local
  rbac:
    roles:
      - name: "admin"
        clusters:
          - kafka
        subjects:
          - provider: ldap
            type: group
            value: "kafkaui_admin"
        permissions:
          - resource: applicationconfig
            actions: all
          - resource: clusterconfig
            actions: all
          - resource: topic
            value: ".*"
            actions: all
          - resource: consumer
            value: ".*"
            actions: all
          - resource: schema
            value: ".*"
            actions: all
          - resource: connect
            value: ".*"
            actions: all
          - resource: ksql
            actions: all
          - resource: acl
            value: ".*"
            actions: [ view ]

/api/authorization: {"rbacEnabled":true,"userInfo":{"username":"xxxxx","permissions":[]}}

/api/clusters: []

2023-06-04 09:24:57,079 DEBUG [reactor-http-epoll-1] o.s.w.s.a.HttpWebHandlerAdapter: [5ee84444-282] HTTP POST "/login"
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Checking match of request : '/login'; against '/login'
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: matched
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] r.n.c.FluxReceive: [5ee84444-10, L:/10.XXX.YYY.ZZZ:8080 - R:/10.AAA.BBB.CCC:7306] [terminated=false, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2023-06-04 09:24:57,081 DEBUG [reactor-http-epoll-1] o.s.h.c.FormHttpMessageReader: [5ee84444-282] Read form fields [username, password] (content masked)
2023-06-04 09:24:57,081 DEBUG [boundedElastic-9] o.s.s.l.a.BindAuthenticator: Failed to bind with any user DNs []
2023-06-04 09:24:57,096 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:ppp'
2023-06-04 09:24:57,109 DEBUG [boundedElastic-9] o.s.s.l.SpringSecurityLdapTemplate: Found DN: CN=xxxxx
2023-06-04 09:24:57,110 DEBUG [boundedElastic-9] o.s.s.l.s.FilterBasedLdapUserSearch: Found user 'xxxxx', with FilterBasedLdapUserSearch [searchFilter=(&(sAMAccountName={0})(objectClass=person)(memberOf=CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local)); searchBase=OU=my-company,DC=company,DC=local; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ]
2023-06-04 09:24:57,148 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:389'
2023-06-04 09:24:57,153 DEBUG [boundedElastic-9] o.s.s.l.a.BindAuthenticator: Bound cn=xxxxx
2023-06-04 09:24:57,153 DEBUG [boundedElastic-9] o.s.l.c.LdapTemplate: The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2023-06-04 09:24:57,167 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:ppp'
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Found roles from search [{spring.security.ldap.dn=[CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local], cn=[kafkaui_admin]}]
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Retrieved authorities for user cn=xxxxx
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.LdapUserDetailsMapper: Mapping user details from context with DN cn=xxxxx
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.a.LdapAuthenticationProvider: Authenticated user
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] i.n.h.c.h.c.ServerCookieDecoder: Skipping cookie because value 'consentid:bXlGQzBYS09DYUtwaWRDcHUzc1VJQ0RnaXVSaTU4RVk,consent:yes,action:yes,necessary:yes,functional:yes,analytics:yes,performance:yes,advertisement:yes,other:yes' contains invalid char ','
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Saved SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:24:57,175 DEBUG [parallel-1] o.s.s.w.s.DefaultServerRedirectStrategy: Redirecting to '/'
2023-06-04 09:24:57,175 DEBUG [parallel-1] o.s.w.s.a.HttpWebHandlerAdapter: [5ee84444-282] Completed 302 FOUND

2023-06-04 09:29:52,177 DEBUG [reactor-http-epoll-1] o.s.w.s.a.HttpWebHandlerAdapter: [96887c8f-352] HTTP GET "/api/authorization"
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /api/authorization' doesn't match 'POST /login'
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found
...
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.a.DelegatingReactiveAuthorizationManager: Checking authorization on '/api/authorization' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@acdc038
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.s.w.s.a.AuthorizationWebFilter: Authorization successful
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.RequestMappingHandlerMapping: [96887c8f-352] Mapped to com.provectus.kafka.ui.controller.AccessController#getUserAuthInfo(ServerWebExchange)
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.ResponseEntityResultHandler: [96887c8f-352] Using 'application/json' given [text/html, application/xhtml+xml, image/avif, image/webp, image/apng, application/xml;q=0.9, */*;q=0.8, application/signed-exchange;v=b3;q=0.7] and supported [application/json]
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.ResponseEntityResultHandler: [96887c8f-352] 0..1 [com.provectus.kafka.ui.model.AuthenticationInfoDTO]
2023-06-04 09:29:52,181 DEBUG [reactor-http-epoll-1] o.s.h.c.j.Jackson2JsonEncoder: [96887c8f-352] Encoding [class AuthenticationInfoDTO {<EOL>    rbacEnabled: true<EOL>    userInfo: class UserInfoDTO {<EOL>        userna (truncated)...]
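
The cross-check both reporters did by hand above (granted authorities in the debug log against the role subjects, then against the `/api/authorization` body), written as an added triage script that is not part of the thread or of kafka-ui. It assumes a group subject matches when its `value` equals a granted authority exactly; the function names are hypothetical, and the sample inputs are abridged from the logs and responses quoted on this page.

```python
import json
import re

# Role subjects as posted in the two configs on this page (only the fields
# needed for matching are kept).
ROLES = [
    {"name": "itop",
     "subjects": [{"provider": "ldap", "type": "group", "value": "FBK_AWX_PRO"}]},
    {"name": "admin",
     "subjects": [{"provider": "ldap", "type": "group", "value": "kafkaui_admin"}]},
]

# Abridged from the SecurityContext debug line and API body in the first post.
SAMPLE_LINE = ("Found SecurityContext 'SecurityContextImpl [Authentication="
               "UsernamePasswordAuthenticationToken [Principal=com.provectus."
               "kafka.ui.config.auth.RbacLdapUser@7a13056c, Credentials=[PROTECTED], "
               "Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, "
               "FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession")
SAMPLE_BODY = '{"rbacEnabled":true,"userInfo":{"username":"my_user","permissions":[]}}'

AUTHORITIES_RE = re.compile(r"Granted Authorities=\[([^\]]*)\]")


def granted_authorities(log_line):
    """Return the authorities of the outer Authentication token.

    A SecurityContext line can carry the list twice (principal and token);
    the token's list is the last one on the line.
    """
    found = AUTHORITIES_RE.findall(log_line)
    if not found:
        return []
    return [a.strip() for a in found[-1].split(",") if a.strip()]


def normalise(name):
    """Near-miss key: drop Spring's default ROLE_ prefix and fold case."""
    if name.upper().startswith("ROLE_"):
        name = name[5:]
    return name.casefold()


def match_roles(authorities, roles, provider="ldap"):
    """Split roles into exact matches and near misses (match only after normalise)."""
    exact, near = [], []
    norm_auth = {normalise(a) for a in authorities}
    for role in roles:
        groups = [s["value"] for s in role["subjects"]
                  if s["provider"] == provider and s["type"] == "group"]
        if any(g in authorities for g in groups):
            exact.append(role["name"])
        elif any(normalise(g) in norm_auth for g in groups):
            near.append(role["name"])
    return exact, near


def triage(log_line, roles, authorization_body):
    """Classify an 'empty UI' report from one log line and the API response."""
    info = json.loads(authorization_body)
    if not info.get("rbacEnabled"):
        return "rbac-disabled"
    exact, near = match_roles(granted_authorities(log_line), roles)
    has_permissions = bool(info["userInfo"]["permissions"])
    if exact and not has_permissions:
        return "role-matched-but-no-permissions"  # config consistent, binding is not
    if near and not exact:
        return "subject-value-near-miss"          # adjust the subject value in the role
    if not exact:
        return "no-role-for-user"
    return "ok"


if __name__ == "__main__":
    print(granted_authorities(SAMPLE_LINE))
    print(triage(SAMPLE_LINE, ROLES, SAMPLE_BODY))
```

A result of `role-matched-but-no-permissions` means the posted configuration and the logged authorities agree, so the empty `permissions` array is not explained by a mistyped group name.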