Closed MxFbk closed 1 year ago
I can add some info after more investigation.
When roles are disabled, a call to /api/clusters gives back JSON:
```
2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/api/clusters' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@68d25c9b
2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=cn=GBS07272,ou=OBP,ou=Utenze,dc=SG,dc=GBS,dc=PRO; Username=GBS07272; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@18a9a3f5'
2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.s.w.s.a.AuthorizationWebFilter : Authorization successful
2023-06-01T17:53:10.850+02:00 DEBUG 1 --- [reactor-http-epoll-2] .s.w.r.r.m.a.ResponseEntityResultHandler : [d2999f34-14] Using 'application/json' given [*/*] and supported [application/json]
2023-06-01T17:53:10.850+02:00 DEBUG 1 --- [reactor-http-epoll-2] .s.w.r.r.m.a.ResponseEntityResultHandler : [d2999f34-14] 0..N [com.provectus.kafka.ui.model.ClusterDTO]
2023-06-01T17:53:10.864+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.http.codec.json.Jackson2JsonEncoder : [d2999f34-14] Encoding [class ClusterDTO {<EOL> name: fbk_kafka_tst<EOL> defaultCluster: null<EOL> status: initializing<EOL> las (truncated)...]
2023-06-01T17:53:10.875+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.http.codec.json.Jackson2JsonEncoder : [d2999f34-14] Encoding [class ClusterDTO {<EOL> name: fbk_kafka_pre<EOL> defaultCluster: null<EOL> status: initializing<EOL> las (truncated)...]
2023-06-01T17:53:10.877+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.w.s.adapter.HttpWebHandlerAdapter : [d2999f34-14] Completed 200 OK
```
If roles are enabled, no JSON is given back even though authorization is successful:
```
2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/api/clusters' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@ee8a53b
2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.a.AuthorizationWebFilter : Authorization successful
2023-06-01T17:58:29.749+02:00 DEBUG 1 --- [reactor-http-epoll-4] s.w.r.r.m.a.RequestMappingHandlerMapping : [1e948963-14] Mapped to com.provectus.kafka.ui.controller.ClustersController#getClusters(ServerWebExchange)
2023-06-01T17:58:29.801+02:00 DEBUG 1 --- [reactor-http-epoll-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [1e948963-14] Using 'application/json' given [*/*] and supported [application/json]
2023-06-01T17:58:29.801+02:00 DEBUG 1 --- [reactor-http-epoll-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [1e948963-14] 0..N [com.provectus.kafka.ui.model.ClusterDTO]
2023-06-01T17:58:29.816+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.817+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.821+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.w.s.adapter.HttpWebHandlerAdapter : [1e948963-14] Completed 200 OK
```
Hi Kafka-UI team :)
First of all, I wanted to thank you for the great job you are doing developing this great app!
While trying the new RBAC feature, I am getting an empty list of permissions when calling the /api/authorization API, even though I am authenticated and my groups are properly found. Additionally, I removed myself from all LDAP security groups except the one relevant for authentication and authorization (a single group), but the issue still reproduces.
It looks like my user's authentication info is not properly bound to the rbac configuration.
```yaml
yamlApplicationConfig:
  kafka:
    clusters:
      - name: kafka
        bootstrapServers: kafka-host:9094
  auth:
    type: "LDAP"
  spring:
    ldap:
      admin-password: pppp
      admin-user: CN=yyyy
      urls: ldap://ldap-host.company.local:389
      user-filter-search-base: OU=users,OU=my-company,DC=company,DC=local
      user-filter-search-filter: (&(sAMAccountName={0})(objectClass=person)(memberOf=CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local))
      group-filter-search-base: OU=Kafka_UI,OU=my-company,DC=company,DC=local
  rbac:
    roles:
      - name: "admin"
        clusters:
          - kafka
        subjects:
          - provider: ldap
            type: group
            value: "kafkaui_admin"
        permissions:
          - resource: applicationconfig
            actions: all
          - resource: clusterconfig
            actions: all
          - resource: topic
            value: ".*"
            actions: all
          - resource: consumer
            value: ".*"
            actions: all
          - resource: schema
            value: ".*"
            actions: all
          - resource: connect
            value: ".*"
            actions: all
          - resource: ksql
            actions: all
          - resource: acl
            value: ".*"
            actions: [ view ]
```
/api/authorization:
```json
{"rbacEnabled":true,"userInfo":{"username":"xxxxx","permissions":[]}}
```
/api/clusters:
```json
[]
```
```
2023-06-04 09:24:57,079 DEBUG [reactor-http-epoll-1] o.s.w.s.a.HttpWebHandlerAdapter: [5ee84444-282] HTTP POST "/login"
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Checking match of request : '/login'; against '/login'
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: matched
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] r.n.c.FluxReceive: [5ee84444-10, L:/10.XXX.YYY.ZZZ:8080 - R:/10.AAA.BBB.CCC:7306] [terminated=false, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2023-06-04 09:24:57,081 DEBUG [reactor-http-epoll-1] o.s.h.c.FormHttpMessageReader: [5ee84444-282] Read form fields [username, password] (content masked)
2023-06-04 09:24:57,081 DEBUG [boundedElastic-9] o.s.s.l.a.BindAuthenticator: Failed to bind with any user DNs []
2023-06-04 09:24:57,096 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:ppp'
2023-06-04 09:24:57,109 DEBUG [boundedElastic-9] o.s.s.l.SpringSecurityLdapTemplate: Found DN: CN=xxxxx
2023-06-04 09:24:57,110 DEBUG [boundedElastic-9] o.s.s.l.s.FilterBasedLdapUserSearch: Found user 'xxxxx', with FilterBasedLdapUserSearch [searchFilter=(&(sAMAccountName={0})(objectClass=person)(memberOf=CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local)); searchBase=OU=my-company,DC=company,DC=local; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ]
2023-06-04 09:24:57,148 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:389'
2023-06-04 09:24:57,153 DEBUG [boundedElastic-9] o.s.s.l.a.BindAuthenticator: Bound cn=xxxxx
2023-06-04 09:24:57,153 DEBUG [boundedElastic-9] o.s.l.c.LdapTemplate: The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2023-06-04 09:24:57,167 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:ppp'
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Found roles from search [{spring.security.ldap.dn=[CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local], cn=[kafkaui_admin]}]
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Retrieved authorities for user cn=xxxxx
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.LdapUserDetailsMapper: Mapping user details from context with DN cn=xxxxx
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.a.LdapAuthenticationProvider: Authenticated user
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] i.n.h.c.h.c.ServerCookieDecoder: Skipping cookie because value 'consentid:bXlGQzBYS09DYUtwaWRDcHUzc1VJQ0RnaXVSaTU4RVk,consent:yes,action:yes,necessary:yes,functional:yes,analytics:yes,performance:yes,advertisement:yes,other:yes' contains invalid char ','
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Saved SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:24:57,175 DEBUG [parallel-1] o.s.s.w.s.DefaultServerRedirectStrategy: Redirecting to '/'
2023-06-04 09:24:57,175 DEBUG [parallel-1] o.s.w.s.a.HttpWebHandlerAdapter: [5ee84444-282] Completed 302 FOUND
2023-06-04 09:29:52,177 DEBUG [reactor-http-epoll-1] o.s.w.s.a.HttpWebHandlerAdapter: [96887c8f-352] HTTP GET "/api/authorization"
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /api/authorization' doesn't match 'POST /login'
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found
...
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.a.DelegatingReactiveAuthorizationManager: Checking authorization on '/api/authorization' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@acdc038
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.s.w.s.a.AuthorizationWebFilter: Authorization successful
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.RequestMappingHandlerMapping: [96887c8f-352] Mapped to com.provectus.kafka.ui.controller.AccessController#getUserAuthInfo(ServerWebExchange)
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.ResponseEntityResultHandler: [96887c8f-352] Using 'application/json' given [text/html, application/xhtml+xml, image/avif, image/webp, image/apng, application/xml;q=0.9, */*;q=0.8, application/signed-exchange;v=b3;q=0.7] and supported [application/json]
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.ResponseEntityResultHandler: [96887c8f-352] 0..1 [com.provectus.kafka.ui.model.AuthenticationInfoDTO]
2023-06-04 09:29:52,181 DEBUG [reactor-http-epoll-1] o.s.h.c.j.Jackson2JsonEncoder: [96887c8f-352] Encoding [class AuthenticationInfoDTO {<EOL> rbacEnabled: true<EOL> userInfo: class UserInfoDTO {<EOL> userna (truncated)...]
```
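Both reports above show the same symptom: Spring Security logs a successful authentication with some set of `Granted Authorities`, yet /api/authorization returns an empty `permissions` list. As an added diagnostic aid (not code from the kafka-ui project), the script below pulls the `Granted Authorities=[...]` values out of DEBUG log lines like the ones quoted and compares them with the `subjects` of each rbac role from the values file, so a mismatch between what LDAP populated and what the role expects is visible before opening an issue. The sample log lines are constructed in the shape of the thread's output with shortened identifiers; the matching rule (exact string equality on the group value, with a separate report for roles that would only match case-insensitively) is this script's own assumption about what to check, not a statement of how kafka-ui itself binds subjects.

```python
import re
from typing import Dict, List

# Constructed sample log, shaped after the Spring Security DEBUG lines quoted in this thread
# (identifiers shortened). First line: the "roles disabled" shape with empty authorities.
# Second line: the "roles enabled" shape carrying the LDAP group as a granted authority.
SAMPLE_LOG = """\
DEBUG ... Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImpl [Dn=cn=user1,ou=people,dc=example,dc=org; Username=user1; Password=[PROTECTED]; Granted Authorities=[]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]]]'
DEBUG ... Saved SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]'
"""

# The rbac.roles block from the values file in this thread, transcribed as a Python
# structure so the script runs without a YAML library (permissions omitted; only
# subjects matter for the binding check).
ROLES: List[Dict] = [
    {
        "name": "admin",
        "clusters": ["kafka"],
        "subjects": [{"provider": "ldap", "type": "group", "value": "kafkaui_admin"}],
    }
]

# Spring Security prints authorities as "Granted Authorities=[a, b, c]"; empty list is "[]".
AUTHORITIES_RE = re.compile(r"Granted Authorities=\[([^\]]*)\]")


def extract_authorities(log_text: str) -> List[str]:
    """Return every distinct authority name found in 'Granted Authorities=[...]' fields,
    in order of first appearance. Empty brackets contribute nothing."""
    seen: List[str] = []
    for match in AUTHORITIES_RE.finditer(log_text):
        for name in match.group(1).split(","):
            name = name.strip()
            if name and name not in seen:
                seen.append(name)
    return seen


def ldap_groups(role: Dict) -> List[str]:
    """Group names an LDAP-authenticated user must carry to be bound to this role."""
    return [s["value"] for s in role.get("subjects", [])
            if s.get("provider") == "ldap" and s.get("type") == "group"]


def diagnose(authorities: List[str], roles: List[Dict]) -> Dict[str, List[str]]:
    """Compare logged authorities with role subjects (assumed rule: exact equality).

    Returns roles matched exactly, roles that would only match after case folding
    (a common source of silent non-binding), and authorities no role refers to."""
    lowered = {a.lower() for a in authorities}
    exact: List[str] = []
    case_only: List[str] = []
    matched: set = set()
    for role in roles:
        groups = ldap_groups(role)
        hits = [g for g in groups if g in authorities]
        if hits:
            exact.append(role["name"])
            matched.update(hits)
        elif any(g.lower() in lowered for g in groups):
            case_only.append(role["name"])
    unmatched = [a for a in authorities if a not in matched]
    return {"exact": exact, "case_insensitive_only": case_only, "unmatched_authorities": unmatched}


if __name__ == "__main__":
    auths = extract_authorities(SAMPLE_LOG)
    print("granted authorities:", auths)
    print(diagnose(auths, ROLES))
```

Run against the first report's "roles enabled" snippet (authorities `FBK_AWX_PRO`, `FBK_AWX_PRE`, ...) every authority lands in `unmatched_authorities` unless a role subject names it; run against the second report's lines it reports an exact match on `admin`, which is the case where the empty `permissions` list is not explained by subject naming and needs the application's own RBAC evaluation looked at.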
Issue submitter TODO list
- Tried the master-labeled docker image and the issue still persists there
Describe the bug (actual behavior)
Hi all,
I want to configure RBAC but I'm still facing issues.
I can access KafkaUI through our LDAP without problems, but after introducing roles.yml I can log in but no clusters/resources are visible in the UI.
Looking at the documentation I wasn't able to solve this on my own.
Sorry if it's my fault.
Thanks a lot.
Expected behavior
I want to be able to configure RBAC with LDAP, but have had no success.
Your installation details
APP version 0.7.0
CONFIG:
compose.yml
roles.yml
Steps to reproduce
ENABLING roles through "roles.yml" I can log in but no permissions are granted. DISABLING roles I can see everything.
Screenshots
No response
Logs
Using DEBUG LEVEL I can see the RIGHT Granted Authorities linked to my user:
All Granted Authorities are right and associated with my user.
Calling the /api/clusters context I receive an empty array when roles are enabled. Looking at the response from calling /api/authorization I receive:
Looking for ISSUES in the LOGS at DEBUG LEVEL I can see just this:
All other contexts are authorized with "Authorization successful".
Additional context
No response