Closed panphg closed 1 week ago
Can you show the groups and roles parts of your application.yml?
```yaml
security:
  default-group: no-access # Default groups for all the user even unlogged user
  # Groups definition
  roles:
    no-access:
      - resources: [ ]
        actions: [ ]
    reader:
      - resources: [ "TOPIC", "TOPIC_DATA", "CONSUMER_GROUP", "CONNECT_CLUSTER", "CONNECTOR", "SCHEMA", "NODE", "ACL", "KSQLDB" ]
        actions: [ "READ" ]
      - resources: [ "TOPIC", "NODE" ]
        actions: [ "READ_CONFIG" ]
    topic-admin:
      - resources: [ "TOPIC", "TOPIC_DATA" ]
        actions: [ "READ", "CREATE", "UPDATE", "DELETE", "READ_CONFIG", "ALTER_CONFIG" ]
    topic-data-admin:
      - resources: [ "TOPIC", "TOPIC_DATA" ]
        actions: [ "READ", "CREATE", "DELETE" ]
    consumer-group-admin:
      - resources: [ "CONSUMER_GROUP" ]
        actions: [ "READ", "UPDATE_OFFSET", "DELETE", "DELETE_OFFSET" ]
    connect-cluster-reader:
      - resources: [ "CONNECT_CLUSTER" ]
        actions: [ "READ" ]
    connector-admin:
      - resources: [ "CONNECTOR" ]
        actions: [ "READ", "CREATE", "DELETE", "UPDATE_STATE" ]
    schema-admin:
      - resources: [ "SCHEMA" ]
        actions: [ "READ", "CREATE", "UPDATE", "DELETE", "DELETE_VERSION" ]
    node-admin:
      - resources: [ "NODE" ]
        actions: [ "READ", "READ_CONFIG", "ALTER_CONFIG" ]
    acl-reader:
      - resources: [ "ACL" ]
        actions: [ "READ" ]
    ksqldb-admin:
      - resources: [ "KSQLDB" ]
        actions: [ "READ", "EXECUTE" ]
  groups:
    admin:
      - role: node-admin
      - role: topic-admin
      - role: topic-data-admin
      - role: consumer-group-admin
      - role: connect-cluster-reader
      - role: connector-admin
      - role: schema-admin
      - role: node-admin
      - role: acl-reader
      - role: ksqldb-admin
    topic-reader:
      - role: reader
    no-access:
      - role: no-access
  # OIDC configuration
  oidc:
    enabled: true
    providers:
      azure:
        label: "Login with Azure"
        username-field: preferred_username
        groups-field: roles
        default-group: topic-reader
        groups:
          - name: oidc-admin-group
            groups:
              - admin
        users:
          - username: user1@company.com
            groups:
              - admin
          - username: user2@company.com
            groups:
              - admin
          # more admin users with the same configuration
```
@panphg remove this
```yaml
no-access:
  - resources: [ ]
    actions: [ ]
```
AKHQ doesn't handle a default group with empty resources/actions well.
I removed
```yaml
no-access:
  - resources: [ ]
    actions: [ ]
```
from rules,
```yaml
no-access:
  - role: no-access
```
from groups and also removed `default-group: no-access`.
The result was the same: a black screen and `TypeError: t.resources is undefined`.
A little bit more debugging revealed that `roles` in the function `organizeRoles(roles)` does not contain the roles we configured but something different:
For me the right configuration should be this one: default-group defined but nothing related to the no-access group in groups or roles.
```yaml
security:
  default-group: no-access # Default groups for all the user even unlogged user
  # Groups definition
  roles:
    reader:
      - resources: [ "TOPIC", "TOPIC_DATA", "CONSUMER_GROUP", "CONNECT_CLUSTER", "CONNECTOR", "SCHEMA", "NODE", "ACL", "KSQLDB" ]
        actions: [ "READ" ]
      - resources: [ "TOPIC", "NODE" ]
        actions: [ "READ_CONFIG" ]
    topic-admin:
      - resources: [ "TOPIC", "TOPIC_DATA" ]
        actions: [ "READ", "CREATE", "UPDATE", "DELETE", "READ_CONFIG", "ALTER_CONFIG" ]
    topic-data-admin:
      - resources: [ "TOPIC", "TOPIC_DATA" ]
        actions: [ "READ", "CREATE", "DELETE" ]
    consumer-group-admin:
      - resources: [ "CONSUMER_GROUP" ]
        actions: [ "READ", "UPDATE_OFFSET", "DELETE", "DELETE_OFFSET" ]
    connect-cluster-reader:
      - resources: [ "CONNECT_CLUSTER" ]
        actions: [ "READ" ]
    connector-admin:
      - resources: [ "CONNECTOR" ]
        actions: [ "READ", "CREATE", "DELETE", "UPDATE_STATE" ]
    schema-admin:
      - resources: [ "SCHEMA" ]
        actions: [ "READ", "CREATE", "UPDATE", "DELETE", "DELETE_VERSION" ]
    node-admin:
      - resources: [ "NODE" ]
        actions: [ "READ", "READ_CONFIG", "ALTER_CONFIG" ]
    acl-reader:
      - resources: [ "ACL" ]
        actions: [ "READ" ]
    ksqldb-admin:
      - resources: [ "KSQLDB" ]
        actions: [ "READ", "EXECUTE" ]
  groups:
    admin:
      - role: node-admin
      - role: topic-admin
      - role: topic-data-admin
      - role: consumer-group-admin
      - role: connect-cluster-reader
      - role: connector-admin
      - role: schema-admin
      - role: node-admin
      - role: acl-reader
      - role: ksqldb-admin
    topic-reader:
      - role: reader
  # OIDC configuration
  oidc:
    enabled: true
    providers:
      azure:
        label: "Login with Azure"
        username-field: preferred_username
        groups-field: roles
        default-group: topic-reader
        groups:
          - name: oidc-admin-group
            groups:
              - admin
        users:
          - username: user1@company.com
            groups:
              - admin
          - username: user2@company.com
            groups:
              - admin
          # more admin users with the same configuration
```
When you go on AKHQ you should see the login page, as there are no rights granted with the default-group.
It doesn't work with just `default-group: no-access`, but I got it to work with `default-group: no-access` and a no-access group without roles:
```yaml
groups:
  no-access: []
```
Thank you for your help!
After updating from 0.25.0 to 0.25.1 we get a black screen when trying to access AKHQ.
In the browser's debugger we see the error: `TypeError: t.resources is undefined`
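
A pre-deployment check for the conditions reported in this thread, as an added example that is not AKHQ code and not written by any participant: it flags role entries with empty `resources`/`actions`, a `default-group` with no entry under `groups`, and a `default-group` that grants rights to users who are not logged in. The function names and the sample mappings (reduced from the configs above) are constructed for illustration, and the input is assumed to be the already-parsed `security` mapping.

```python
# Added example, not AKHQ code. Input: the parsed `security` mapping of an
# application.yml (e.g. from a YAML loader). Sample data below is constructed.

def role_grants(entries):
    """True if any entry of a role pairs at least one resource with an action."""
    return any(e.get("resources") and e.get("actions") for e in entries or [])

def lint_security(sec):
    """Return findings for the conditions reported in this thread."""
    findings = []
    roles = sec.get("roles") or {}
    groups = sec.get("groups") or {}
    # Role entries with empty resources/actions (reported as not handled well).
    for name, entries in roles.items():
        for i, entry in enumerate(entries or []):
            for key in ("resources", "actions"):
                if not entry.get(key):
                    findings.append(f"role '{name}' entry {i}: empty '{key}'")
    # Groups must only reference roles that are defined.
    for gname, bindings in groups.items():
        for b in bindings or []:
            if b.get("role") not in roles:
                findings.append(f"group '{gname}': undefined role '{b.get('role')}'")
    # default-group applies to every user, including users who are not logged in.
    default = sec.get("default-group")
    if default is not None and default not in groups:
        findings.append(f"default-group '{default}' has no entry under groups")
    elif default is not None:
        open_roles = sorted(b["role"] for b in (groups[default] or [])
                            if role_grants(roles.get(b.get("role"))))
        if open_roles:
            findings.append(f"default-group '{default}' grants {open_roles} without login")
    return findings

READER = [{"resources": ["TOPIC", "TOPIC_DATA"], "actions": ["READ"]}]
REPORTED = {  # reduced from the first config in the thread
    "default-group": "no-access",
    "roles": {"no-access": [{"resources": [], "actions": []}], "reader": READER},
    "groups": {"no-access": [{"role": "no-access"}], "topic-reader": [{"role": "reader"}]},
}
WORKAROUND = {  # reduced from the last config in the thread
    "default-group": "no-access",
    "roles": {"reader": READER},
    "groups": {"no-access": [], "topic-reader": [{"role": "reader"}]},
}

if __name__ == "__main__":
    for label, cfg in (("reported", REPORTED), ("workaround", WORKAROUND)):
        print(label, lint_security(cfg))
```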