LDAP nested groups not supported

RomainDubois commented 6 months ago

Issue submitter TODO list

[X] I've looked up my issue in FAQ
[X] I've searched for an already existing issues here
[X] I've tried running master-labeled docker image and the issue still persists there
[X] I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

With LDAP authentication, only direct groups of the connected user are collected to compute user roles.

Expected behavior

Groups should be collected recursively to compute user roles (= groups of groups).

Your installation details

Tested with 83b5a60 version.

LDAP configuration:

AUTH_TYPE=LDAP
SPRING_LDAP_URLS=ldaps://my.ldap.url
SPRING_LDAP_USER_FILTER_SEARCH_BASE=cn=accounts,dc=my-company
SPRING_LDAP_GROUP_FILTER_SEARCH_BASE=cn=accounts,dc=my-company
SPRING_LDAP_USER_FILTER_SEARCH_FILTER=(&(uid={0})(objectClass=inetOrgPerson))
SPRING_LDAP_BASE=cn={0},dc=my-company
SPRING_CONFIG_ADDITIONAL-LOCATION=/roles/roles.yaml

roles.yaml:

---

rbac:
  roles:

    - name: admin
      clusters:
        - main
      subjects:
        - provider: ldap
          type: group
          value: nestedgroup
      permissions:
        - resource: applicationconfig
          actions: all
        - resource: clusterconfig
          actions: all
        - resource: topic
          value: ".*"
          actions: all
        - resource: consumer
          value: ".*"
          actions: all
        - resource: schema
          value: ".*"
          actions: all
        - resource: connect
          value: ".*"
          actions: all
        - resource: ksql
          actions: all
        - resource: acl
          value: ".*"
          actions: [ view ]

Steps to reproduce

Find or create a LDAP user U which is member of a group G1 where G1 is member of an other group G2. U should not be a member of G2.
Configure Kafka-UI with a LDAP authentication
Configure a role on a group G2
Log in with user U
Check the user has not the role

Screenshots

No response

Logs

No response

Additional context

No response

github-actions[bot] commented 6 months ago

Hello there RomainDubois! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

Haarolean commented 6 months ago

hey @RomainDubois, this repo is not maintained (#4255). But we'll be happy to accept your PR here: https://github.com/kafbat/kafka-ui

RomainDubois commented 6 months ago

Will switch to https://github.com/kafbat/kafka-ui

provectus / kafka-ui