provectus / kafka-ui

Open-Source Web UI for Apache Kafka Management
Apache License 2.0

Authorization Fails When RBAC Role Name Differs from LDAP Group Name #4454

Open ahmettortumlu opened 4 months ago

ahmettortumlu commented 4 months ago


Describe the bug (actual behavior)

If the RBAC role name is different from the LDAP group name, authorization does not work.

Expected behavior

I should be able to give RBAC roles independent names. Currently, I have to give each role the same name as its LDAP group.

Your installation details

I am using the Kubernetes Helm chart for installation: chart version 0.7.5 and appVersion v0.7.1.

Here is my helm values yaml:


replicaCount: 1

image:
  registry: registry.address
  repository: provectuslabs/kafka-ui
  tag: "v0.7.1"

service:
  type: NodePort
  port: 80
  targetPort: 80

probes:
  useHttpsScheme: false

autoscaling:
  enabled: false

ingress:
  enabled: false

networkPolicy:
  enabled: false

serviceAccount:
  create: false

env: 
   - name: KAFKA_CONFIG_SANITIZER_ENABLED
     value: "false"

volumeMounts:
  - mountPath: /security-files/
    name: truststore

volumes:
  - name: truststore
    secret:
      secretName: truststore

yamlApplicationConfig:
  auth:
    type: LDAP
  spring:
    ldap:
      admin-password: admin123
      admin-user: adminuser
      base: some=parameters
      group-filter-search-base: (some=parameters)
      urls: ldap://ldap-address
      user-filter-search-base: some=parameters
      user-filter-search-filter: (sAMAccountName={0})      
  oauth2:
    ldap:
      activeDirectory: true
      aсtiveDirectory:
        domain: mydomain.com      
  kafka:
    clusters:
      - bootstrapServers: broker:9092
        kafkaConnect:
          - address: connect-cluster:8083
        name: example-cluster-1
        properties:
          sasl:
            jaas.config:
              org.apache.kafka.common.security.scram.ScramLoginModule required
              username=admin-user password=admin-password;
            mechanism: SCRAM-SHA-512
          security.protocol: SASL_SSL
        readOnly: false

        ssl:
          truststoreLocation: /security-files/truststore.jks
          truststorePassword: secret123

  rbac:
    roles:
      - name: kafka-ui-ldap-group
        subjects:
          - provider: ldap
            type: group
            value: kafka-ui-ldap-group
        clusters:
          - example-cluster-1
        permissions:
          - resource: topic
            value: .*
            actions: [view, messages_read]

          - resource: consumer
            value: .*
            actions: [view]

If rbac.roles.name != rbac.roles.subjects.value it fails :)

Steps to reproduce

Deploy kafka-ui with the LDAP groups authentication method and do not give the RBAC role the same name as the LDAP group.

Screenshots

No response

Logs

No response

Additional context

No response
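The report above boils down to one question about RBAC evaluation: is a role granted because its `subjects` match the user's LDAP groups, or because its `name` happens to equal the group name? The example below is an added reference evaluator, not kafka-ui's own code, written to show how the `rbac.roles` section from the Helm values would be resolved if matching were keyed on subjects only. The role list mirrors the issue's config and adds a hypothetical second role (`topic-readers`, bound to a constructed DN) whose name deliberately differs from its group; the `Principal` type, the `groups` the user is assumed to carry, and the `lint_roles` check are all assumptions for the demonstration. It also illustrates deny-by-default and full-match regex semantics for `value`, which go slightly beyond what the issue states.

```python
import re
from dataclasses import dataclass

# Constructed: mirrors rbac.roles from the issue's Helm values, plus a
# hypothetical second role whose name is independent of its LDAP group.
RBAC_ROLES = [
    {
        "name": "kafka-ui-ldap-group",
        "subjects": [{"provider": "ldap", "type": "group", "value": "kafka-ui-ldap-group"}],
        "clusters": ["example-cluster-1"],
        "permissions": [
            {"resource": "topic", "value": ".*", "actions": ["view", "messages_read"]},
            {"resource": "consumer", "value": ".*", "actions": ["view"]},
        ],
    },
    {
        # Hypothetical: role name != group name, which is the scenario reported.
        "name": "topic-readers",
        "subjects": [{"provider": "ldap", "type": "group",
                      "value": "CN=kafka-readers,OU=Groups,DC=example,DC=com"}],
        "clusters": ["example-cluster-1"],
        "permissions": [
            {"resource": "topic", "value": "orders-.*", "actions": ["view"]},
        ],
    },
]


@dataclass(frozen=True)
class Principal:
    """Assumed shape of an authenticated user: which provider authenticated
    them and the set of group identifiers that provider returned."""
    provider: str
    groups: frozenset


def roles_for(principal, roles=RBAC_ROLES):
    """Return the names of roles whose subjects match the principal.
    Matching consults only subject provider/type/value; the role name is
    a label and is never compared against the group name."""
    matched = []
    for role in roles:
        for subj in role["subjects"]:
            if subj["provider"] != principal.provider:
                continue
            if subj["type"] == "group" and subj["value"] in principal.groups:
                matched.append(role["name"])
                break  # one matching subject is enough for this role
    return matched


def is_allowed(principal, cluster, resource, name, action, roles=RBAC_ROLES):
    """Deny by default: allow only if some granted role is bound to the
    cluster and carries a permission whose resource type, name pattern
    (full regex match) and action all cover the request."""
    granted = set(roles_for(principal, roles))
    for role in roles:
        if role["name"] not in granted or cluster not in role["clusters"]:
            continue
        for perm in role["permissions"]:
            if perm["resource"] != resource:
                continue
            if re.fullmatch(perm["value"], name) and action in perm["actions"]:
                return True
    return False


def lint_roles(roles=RBAC_ROLES):
    """Config sanity check (assumed, not a kafka-ui feature): a role with no
    subjects can never be granted, a role with no clusters grants nothing,
    and a bad regex would fail at evaluation time. Returns problem strings."""
    problems = []
    for role in roles:
        if not role.get("subjects"):
            problems.append(f"role {role['name']!r} has no subjects")
        if not role.get("clusters"):
            problems.append(f"role {role['name']!r} is bound to no cluster")
        for perm in role.get("permissions", []):
            try:
                re.compile(perm["value"])
            except re.error as exc:
                problems.append(f"role {role['name']!r}: bad pattern {perm['value']!r}: {exc}")
    return problems


if __name__ == "__main__":
    reader = Principal("ldap", frozenset({"CN=kafka-readers,OU=Groups,DC=example,DC=com"}))
    print(roles_for(reader))                                                   # ['topic-readers']
    print(is_allowed(reader, "example-cluster-1", "topic", "orders-2024", "view"))   # True
    print(is_allowed(reader, "example-cluster-1", "topic", "payments", "view"))      # False
    print(lint_roles())                                                        # []
```

Running the module shows the `topic-readers` role being granted to a user whose only group is the constructed DN, even though the role name and group name share nothing; a user in an unknown group, or one authenticated by a different provider, gets no role and every request is denied.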

github-actions[bot] commented 4 months ago

Hello there ahmettortumlu! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

germanosin commented 2 months ago

@Haarolean and I no longer support this repo; would you mind posting this to https://github.com/kafbat/kafka-ui instead?