Closed jessetandor closed 4 years ago
Hello,
I agree that it will be very interesting to improve this functionality; for example, it will be practical to give a user access to topic configuration (partitions, consumer group, configs, logs) but not to message contents.
https://github.com/tchiotludo/kafkahq/blob/dev/application.example.yml#L88
security:
  default-roles: # Roles available for all the user even unlogged user
default-roles is missing from your configuration; that will do the trick.
@apellegr06 & @jessetandor You can limit permissions per user using multiple user configurations.
You can also filter topics by user: https://github.com/tchiotludo/kafkahq/blob/36e4902de1b1e86399383caed3ee6ee20c314689/application.example.yml#L124
The next version will simplify this once this one is merged https://github.com/tchiotludo/kafkahq/pull/144 because it implements the notion of groups: https://github.com/tchiotludo/kafkahq/issues/143
Added default-roles - I can still create topics though.
security:
default-roles:
- topic/read
- node/read
- topic/data/read
- group/read
- registry/read
- connect/read
Please provide a full configuration; it must be an indentation issue.
---
kafkahq:
connections:
cluster:
properties:
bootstrap.servers: "x.x.x.x:9092" # IP and Port of one machine in the cluster for that region
security.protocol: SASL_PLAINTEXT # This is our setup in Kafka
sasl.mechanism: SCRAM-SHA-256 # This is our setup in Kafka
sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"user\" password=\"xxxx\";" # This has to match the user created in Kafka
pagination:
page-size: 30 # number of elements per page
threads: 16 # Number of parallel threads to resolve page - can be performance heavy
security:
default-roles:
- topic/read
- node/read
- topic/data/read
- group/read
- registry/read
- connect/read
As I said, wrong indentation on pagination & default role. Look at application-example.yml please.
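The indentation diagnosis above can be checked mechanically. This is an added example, not part of the thread and not KafkaHQ code: it derives each key's dotted path from indentation alone and reports keys that are absent from the path the application is assumed to read (kafkahq.security.default-roles and kafkahq.pagination, following application.example.yml). The sample configs are constructed, and the function names are hypothetical.

```python
# Added example (not KafkaHQ code): find where config keys really sit in a YAML file.
# Assumption: the application reads these dotted paths, as in application.example.yml.
EXPECTED = ("kafkahq.security.default-roles", "kafkahq.pagination")

# Constructed sample: pagination and security left at the top level by mistake.
BROKEN = """\
kafkahq:
  connections:
    cluster:
      properties:
        bootstrap.servers: "x.x.x.x:9092"  # placeholder address
pagination:
  page-size: 30
security:
  default-roles:
    - topic/read
    - node/read
"""
# Constructed sample: the same two blocks indented one level, i.e. under kafkahq.
head, tail = BROKEN.split("pagination:", 1)
FIXED = head + "".join("  " + l for l in ("pagination:" + tail).splitlines(True))

def key_paths(text):
    """Return the dotted path of every mapping key, using indentation only."""
    stack, paths = [], []  # stack holds (indent, key) for the current ancestors
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        stripped = line.lstrip()
        if not stripped or stripped.startswith(("#", "-")) or ":" not in stripped:
            continue  # blank lines, comments, list items, document markers
        indent = len(line) - len(stripped)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave siblings and deeper levels
        stack.append((indent, stripped.split(":", 1)[0].strip()))
        paths.append(".".join(key for _, key in stack))
    return paths

def misplaced(text, expected=EXPECTED):
    """Map each expected path that is absent to where its leaf key was found.
    An empty list means the key does not appear anywhere in the file."""
    paths = key_paths(text)
    report = {}
    for want in expected:
        if want not in paths:
            leaf = want.rsplit(".", 1)[1]
            report[want] = [p for p in paths if p == leaf or p.endswith("." + leaf)]
    return report

if __name__ == "__main__":
    print("broken:", misplaced(BROKEN))
    print("fixed: ", misplaced(FIXED))
```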
@tchiotludo Sorry to continue here but I think it's easier. Could you provide a sample config that has two users - one with read-only and one with full access?
Also if both users are using the same config file - how do the two users at separate machines get served the right config?
Thanks.
Here is an example with the dev version; it introduces groups that will simplify the configuration:
kafkahq:
connections:
plaintext:
properties:
bootstrap.servers: "kafka:9092"
schema-registry:
url: "http://schema-registry:8085"
basic-auth-username: test_user
basic-auth-password: test_pass
connect:
url: "http://connect:8083"
basic-auth-username: test_user
basic-auth-password: test_pass
ksql:
url: "http://ksql:8088"
security:
basic-auth:
user:
password: d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1
groups:
- admin
basic-auth:
user:
password: 00e3261a6e0d79c329445acd540fb2b07187a0dcf6017065c8814010283ac67f
groups:
- reader
The concern to share configuration is not covered by KafkaHQ. KafkaHQ is designed to be deployed 1 time and every user could use the same instance.
The design you want is covered by Micronaut but not implemented in the current version since it was a marginal use case.
Struggling with RO mode - How exactly can I set it up? Is it only working with a user login?
This connects to my broker:
I've tried adding RO rights via security like:
But I'm still able to create topics.
Ideally, I'd like to have multiple user accounts with different permissions. I've tried using the basic-auth feature but it doesn't work. For example:
If there are different users - how can the two log in separately?