search

tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0
3.41k stars 660 forks source link

No groups with keycloak #1915

Closed giz33 closed 2 months ago

giz33 commented 3 months ago

Hello! I am facing a problem when I login with keycloak auth:

image

Error on POD log:

image

This is my config:


  micronaut:
    security:
      enabled: true
      callback-uri: "http://3.72.133.120:32551/oauth/callback/oidc"
      redirect:
        login-success: "/ui"
      oauth2:
        enabled: true
        clients:
          keycloak:
            client-id: "akhq"
            client-secret: "skndjaeikndqondo53pfnsvsfsnfsdk"
            openid:
              issuer: https://keycloak-client.clienturl.com/realms/akhq-realm
  akhq:
    connections:
      my-kafka-cluster:
        properties:
          bootstrap.servers: "kafka-0-external.opennms.svc.cluster.local:9094,kafka-1-external.opennms.svc.cluster.local:9094,kafka-2-external.opennms.svc.cluster.local:9094"
          security.protocol: "SASL_PLAINTEXT"
          sasl.mechanism: "PLAIN"
          sasl.jaas.config: "org.apache.kafka.common.security.plain.PlainLoginModule required username='kafka' password='passkafka';"
    security:
      default-group: no-roles
      groups:
          test_grp:
            name: test_grp
            roles:
              - topic/read
          no-roles:
            name: no-roles
            roles: [ ]
          read_only:
            name: read_only
            roles:
              - topic/read
              - topic/data/read
              - group/read
          admin:
            name: admin
            roles:
              - topic/read
              - topic/insert
              - topic/delete
              - topic/config/update
              - node/read
              - node/config/update
              - topic/data/read
              - topic/data/insert
              - topic/data/delete
              - group/read
              - group/delete
              - group/offsets/update
              - registry/read
              - registry/insert
              - registry/update
              - registry/delete
              - registry/version/delete
              - acls/read
              - connect/read
              - connect/insert
              - connect/update
              - connect/delete
              - connect/state/update
      basic-auth:
          - username: reader
            password: "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
            groups:
            - read_only
      oidc:
        enabled: true
        providers:
          keycloak:
            label: "Login with KeyCloak"
            username-field: preferred_username
            groups-field: roles
            default-group: akhq-read-only
            groups:
              - name: "kafka-admin"
                groups:
                  - "admin"
              - name: "akhq-read-only"
                groups:
                  - "read_only"```
Can someone help me please?
giz33 commented 3 months ago

Now I was able to login normally, but with user read only I am capable to delete a topic...this is not right. Someone know why this is happening?

Tks in advance

AlexisSouquiere commented 2 months ago

@giz33 you should consider upgrading to 0.25.1 with the new RBAC management. IMO, the only reason for this kind of issue would be a wrong mapping between your user groups in Keycloak and the groups in the AKHQ configuration. I'm closing as it is related to an old version and probably not an AKHQ error. Please create a discussion if you face the same issue with the new version to help you setting up the permissions