redpanda-data / console

Redpanda Console is a developer-friendly UI for managing your Kafka/Redpanda workloads. Console gives you a simple, interactive approach for gaining visibility into your topics, masking data, managing consumer groups, and exploring real-time data with time-travel debugging.
https://redpanda.com

Console over-restrains allowed role names #1469

Open JFlath opened 1 day ago

JFlath commented 1 day ago

In Console we apply this filter:

https://github.com/redpanda-data/console/blob/c99b26ed8d033f076467c12d02895779b18b0907/proto/redpanda/api/console/v1alpha1/security.proto#L80

However Redpanda itself isn't so strict:

https://github.com/redpanda-data/redpanda/blob/dev/src/v/redpanda/admin/security.cc#L293
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L362
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L193
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L34-L45

Redpanda's implementation seems in keeping with others. Notably, Console doesn't allow . in a Role.

JFlath commented 1 day ago

N.B. The line referenced is one example, but the same applies for all requests in that file (and possibly more broadly)

weeco commented 1 day ago

I think we had discussions about constraining the character set for roles to the same rules that apply to topics. Reason being things such as:

Is there a specific reason to relax the requirements?

JFlath commented 1 day ago

So at the moment you can use rpk to create a role called my.team - Console will then fail to work with that correctly even though it's a real role that exists within Redpanda. I agree with the points raised, but the convention/standard has already been defined by what we allow in Redpanda itself

weeco commented 1 day ago

The API is cloud exclusive and RPK uses that API as well. In RP Cloud no one can create a role with a different convention because everything has to go through console

JFlath commented 1 day ago

We may be talking at cross purposes here, not sure - rpk security role create my.team uses Redpanda's Admin API directly (/v1/security/roles) and is available on Self Hosted clusters. I do see this in the code though that seems to suggest we permanently gate this?

https://github.com/redpanda-data/console/blob/master/frontend/src/state/supportedFeatures.ts#L54-L56

burandobata commented 21 hours ago

I think we had discussions about constraining the character set for roles to the same rules that apply to topics. Reason being things such as:

Currently with console you can also create a topic containing . like test.example, but you can't create a role like that. So this is not consistent.