Closed MrMunki closed 3 years ago
Hi, can you provide a full YAML configuration please? I can't understand with only snippets. Thanks
Sure, see below. It looks to be the group membership that's not being picked up; the AD part is working. I can see in the logs that the groups are picked up, but they are not used and it just refreshes back to the login page. However, this refresh back is not displayed in the log (see at the bottom).
```yaml
micronaut:
  security:
    enabled: true
    ldap:
      default:
        enabled: true
        context:
          server: "ldaps://myadserver.domain:3269"
          managerDn: "CN=useraccount,OU=accounts,DC=domain,DC=com"
          managerPassword: 'password'
        search:
          enabled: true
          base: "dc=domain,DC=com"
          filter: "sAMAccountName={0}"
        groups:
          enabled: true
          subtree: true
          base: "dc=domain,DC=com"
          filter: "(&(objectclass=group)(cn=group-prefix*)(member={0}))"
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: 'somestringof32chars' # Minimum 32 characters required here
akhq:
  server:
    access-log: # Access log configuration (optional)
      enabled: true # true by default
      name: org.akhq.log.access # Logger name
      format: "[Date: {}] [Duration: {} ms] [Url: {} {} {}] [Status: {}] [Ip: {}] [Length: {}] [Port: {}]" # Logger format
  # default kafka properties for each client, available for admin / producer / consumer (optional)
  clients-defaults:
    consumer:
      properties:
        isolation.level: read_committed
  # list of kafka clusters available for akhq
  connections:
    my-cluster:
      properties:
        bootstrap.servers: "myserver:9093"
        security.protocol: SSL
        ssl.truststore.location: /opt/akhq/kafka.client.truststore.jks
        ssl.truststore.password: 'apassword'
        ssl.keystore.location: /opt/akhq/kafka.client.keystore.jks
        ssl.keystore.password: 'apassword'
      schema-registry:
        url: "http://myschearegistryhost.domain:port" # schema registry url (optional)
        properties: # standard kafka properties (optional)
          ssl.protocol: TLS
  pagination:
    page-size: 25 # number of elements per page (default: 25)
    threads: 16 # Number of parallel threads to resolve a page
  # Topic list display options (optional)
  topic:
    retention: 172800000 # default retention period when creating a topic
    partition: 3 # default number of partitions when creating a topic
    replication: 3 # default number of replicas when creating a topic
    default-view: ALL # default list view (ALL, HIDE_INTERNAL, HIDE_INTERNAL_STREAM, HIDE_STREAM)
    internal-regexps: # list of regexps to be considered as internal (internal topics can't be deleted or updated)
      - "^_.*$"
      - "^.*_schemas$"
      - "^.*connect-config$"
      - "^.*connect-offsets$"
      - "^.*connect-status$"
    stream-regexps: # list of regexps to be considered as internal stream topics
      - "^.*-changelog$"
      - "^.*-repartition$"
      - "^.*-rekey$"
    skip-consumer-groups: false # Skip loading consumer group information when showing topics
  # Topic display data options (optional)
  topic-data:
    sort: OLDEST # default sort order (OLDEST, NEWEST) (default: OLDEST)
    size: 50 # max records per page (default: 50)
    poll-timeout: 1000 # The time, in milliseconds, spent waiting in poll if data is not available in the buffer.
  # Auth & Roles (optional)
  security:
    default-group: no-roles
    ldap:
      default-group: no-roles # If I change this to read-only it lets me log in, but it does not use the ldap/AD groups below
      group:
        admins: # just a key, no matter, will be overridden by name below
          name: "groupnameforadmins-nonproduction"
          groups: # Akhq groups list
            - admin
        read-only:
          name: "groupnamefornonadmins-nonproduction"
          groups:
            - read-only
    groups:
      admin: # Group name
        roles: # roles for the group
          - topic/read
          - topic/insert
          - topic/delete
          - topic/config/update
          - node/read
          - node/config/update
          - topic/data/read
          - topic/data/insert
          - topic/data/delete
          - group/read
          - group/delete
          - group/offsets/update
          - registry/read
          - registry/insert
          - registry/update
          - registry/delete
          - registry/version/delete
          - acls/read
          - connect/read
          - connect/insert
          - connect/update
          - connect/delete
          - connect/state/update
        attributes:
          # Regexp to filter topics available for the group
          #topics-filter-regexp: "test.*"
      read-only: # Other group
        roles: # roles for the group
          - topic/read
          - node/read
          - topic/data/read
          - group/read
          - registry/read
          - acls/read
          - connect/read
        attributes:
          #topics-filter-regexp: "test\\.reader.*" # Left here for reference
```
```text
2021-04-19 15:38:41,477 DEBUG r-thread-2 LdapAuthenticationProvider Starting authentication with configuration [default]
2021-04-19 15:38:41,478 DEBUG r-thread-2 LdapAuthenticationProvider Attempting to initialize manager context
2021-04-19 15:38:42,784 DEBUG r-thread-2 LdapAuthenticationProvider Manager context initialized successfully
2021-04-19 15:38:42,784 DEBUG r-thread-2 LdapAuthenticationProvider Attempting to authenticate with user [myusername]
2021-04-19 15:38:42,880 DEBUG r-thread-2 LdapAuthenticationProvider User found in context [CN=myusername REDACTED]. Attempting to bind.
2021-04-19 15:38:43,093 DEBUG r-thread-2 LdapAuthenticationProvider Successfully bound user [CN=myusername REDACTED]. Attempting to retrieving groups.
2021-04-19 15:38:43,139 TRACE r-thread-2 .DefaultLdapGroupProcessor The following groups were found for [CN=myusername REDACTED]: [groupnameforadmins-nonproduction]
2021-04-19 15:38:43,139 TRACE r-thread-2 .DefaultLdapGroupProcessor The following groups were found for [CN=myusername REDACTED]: [groupnameforadmins-nonproduction, groupnameforadmins-production]
2021-04-19 15:38:43,140 DEBUG r-thread-2 .DefaultLdapGroupProcessor Attempting to add any additional groups...
2021-04-19 15:38:43,140 DEBUG r-thread-2 LdapAuthenticationProvider Group search returned [[groupnameforadmins-nonproduction, groupnameforadmins-production]] for user [myusername]
2021-04-19 15:38:43,140 TRACE r-thread-2 LdapAuthenticationProvider Attempting to map [myusername] with groups [[groupnameforadmins-nonproduction, groupnameforadmins-production]] to an authentication response.
2021-04-19 15:38:43,179 INFO r-thread-2 org.akhq.log.access [Date: 2021-04-19T15:38:41.410069Z] [Duration: 1768 ms] [Url: POST /login 303] [Status: /1.1.1.1] [Ip: myusername] [Length: {}] [Port: {}]
2021-04-19 15:38:43,180 DEBUG r-thread-2 LdapAuthenticationProvider Response successfully created for [myusername]. Response is authenticated: [true]
2021-04-19 15:38:43,260 INFO r-thread-2 org.akhq.log.access [Date: 2021-04-19T15:38:43.259079Z] [Duration: 1 ms] [Url: GET /api/me 200] [Status: /1.1.1.1] [Ip: myusername] [Length: {}] [Port: {}]
2021-04-19 15:38:43,365 INFO pGroup-1-5 org.akhq.log.access [Date: 2021-04-19T15:38:43.365234Z] [Duration: 0 ms] [Url: GET /ui/login 200] [Status: /1.1.1.1] [Ip: myusername] [Length: {}] [Port: {}]
2021-04-19 15:38:43,519 INFO r-thread-2 org.akhq.log.access [Date: 2021-04-19T15:38:43.517115Z] [Duration: 0 ms] [Url: GET /api/me 200] [Status: /1.1.1.1] [Ip: myusername] [Length: {}] [Port: {}]
2021-04-19 15:38:43,537 INFO pGroup-1-3 org.akhq.log.access [Date: 2021-04-19T15:38:43.537167Z] [Duration: 0 ms] [Url: GET /ui/favicon.ico 200] [Status: /1.1.1.1] [Ip: myusername] [Length: {}] [Port: {}]
2021-04-19 15:38:43,539 INFO r-thread-2 org.akhq.log.access [Date: 2021-04-19T15:38:43.533658Z] [Duration: 5 ms] [Url: GET /api/auths 200] [Status: /1.1.1.1] [Ip: myusername] [Length: {}] [Port: {}]
2021-04-19 15:38:43,642 INFO r-thread-2 org.akhq.log.access [Date: 2021-04-19T15:38:43.641375Z] [Duration: 0 ms] [Url: GET /api/cluster 200] [Status: /1.1.1.1] [Ip: myusername] [Length: {}] [Port: {}]
2021-04-19 15:38:43,717 INFO r-thread-2 org.akhq.log.access [Date: 2021-04-19T15:38:43.715418Z] [Duration: 2 ms] [Url: GET /api/cluster 200] [Status: /1.1.1.1] [Ip: myusername] [Length: {}] [Port: {}]
```
Hi,
`akhq.security.ldap.group` should be `akhq.security.ldap.groups` AND expects a List, not a Map.
Code: https://github.com/tchiotludo/akhq/blob/dev/src/main/java/org/akhq/configs/Ldap.java#L14
Example: https://github.com/tchiotludo/akhq/blob/dev/application.example.yml#L228-L243
Try this:

```yaml
# Auth & Roles (optional)
security:
  default-group: no-roles
  ldap:
    default-group: no-roles # If I change this to read-only it lets me log in, but it does not use the ldap/AD groups below
    groups:
      - name: "groupnameforadmins-nonproduction"
        groups: # Akhq groups list
          - admin
      - name: "groupnamefornonadmins-nonproduction"
        groups:
          - read-only
```
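To make the failure mode above concrete, here is an added example (not AKHQ's own code, and not from anyone in this thread) that models the LDAP-group to AKHQ-group to role resolution the answer describes. The resolution rules, in particular falling back to `ldap.default-group` when no mapping matches, are an assumption based on this discussion; the two `akhq.security` sections are hand-transcribed into the structures a YAML loader would produce, and the LDAP groups come from the TRACE lines in the log above. A small validator flags the `group`-instead-of-`groups` mistake, a map where a list is expected, and mappings that point at AKHQ groups that are never defined.

```python
"""Model of AKHQ's LDAP-group -> AKHQ-group -> role resolution as described in
this thread. Added example, not AKHQ's code: the resolution rules are an
assumption drawn from the discussion, and the configs below are hand-transcribed
from the YAML above into the dicts/lists a YAML loader (e.g. PyYAML safe_load)
would produce."""

# akhq.security.groups (a map in this AKHQ version), trimmed to a few roles.
GROUP_ROLES = {
    "admin": {"roles": ["topic/read", "topic/insert", "topic/delete", "node/read"]},
    "read-only": {"roles": ["topic/read", "node/read"]},
}

# The original poster's section: `ldap.group` is a map keyed by arbitrary names.
BROKEN_SECURITY = {
    "default-group": "no-roles",
    "groups": GROUP_ROLES,
    "ldap": {
        "default-group": "no-roles",
        "group": {
            "admins": {"name": "groupnameforadmins-nonproduction", "groups": ["admin"]},
            "read-only": {"name": "groupnamefornonadmins-nonproduction", "groups": ["read-only"]},
        },
    },
}

# twobeeb's corrected section: `ldap.groups` is a list of {name, groups}.
FIXED_SECURITY = {
    "default-group": "no-roles",
    "groups": GROUP_ROLES,
    "ldap": {
        "default-group": "no-roles",
        "groups": [
            {"name": "groupnameforadmins-nonproduction", "groups": ["admin"]},
            {"name": "groupnamefornonadmins-nonproduction", "groups": ["read-only"]},
        ],
    },
}

# LDAP groups returned for the user in the TRACE log lines above.
LDAP_GROUPS_FROM_LOG = ["groupnameforadmins-nonproduction", "groupnameforadmins-production"]


def validate_ldap_section(security):
    """Return a list of findings about akhq.security.ldap; an empty list means OK."""
    findings = []
    ldap = security.get("ldap", {})
    if "group" in ldap:
        findings.append("akhq.security.ldap.group is not a recognised key; use akhq.security.ldap.groups")
    mappings = ldap.get("groups")
    if mappings is None:
        findings.append("akhq.security.ldap.groups is missing: no LDAP group will map to an AKHQ group")
    elif not isinstance(mappings, list):
        findings.append("akhq.security.ldap.groups must be a list of {name, groups}, not a %s"
                        % type(mappings).__name__)
    else:
        defined = set(security.get("groups", {}))
        for entry in mappings:
            for akhq_group in entry.get("groups", []):
                if akhq_group not in defined:
                    findings.append("LDAP mapping %r refers to undefined AKHQ group %r"
                                    % (entry.get("name"), akhq_group))
    return findings


def resolve_akhq_groups(security, ldap_groups):
    """AKHQ groups granted to a user whose LDAP groups are `ldap_groups`.
    Falls back to ldap.default-group when no mapping matches (assumed behaviour)."""
    ldap = security.get("ldap", {})
    mappings = ldap.get("groups")
    matched = []
    if isinstance(mappings, list):  # a map here is silently ignored, like an unknown key
        for entry in mappings:
            if entry.get("name") in ldap_groups:
                matched.extend(entry.get("groups", []))
    if not matched:
        matched = [ldap.get("default-group", security.get("default-group"))]
    return matched


def resolve_roles(security, ldap_groups):
    """Flatten the user's AKHQ groups into the sorted set of roles they grant.
    A group with no definition, such as `no-roles`, contributes nothing: the
    user authenticates but holds zero roles, which is the 'bounces back to the
    login page' symptom from the thread."""
    roles = set()
    for akhq_group in resolve_akhq_groups(security, ldap_groups):
        roles.update(security.get("groups", {}).get(akhq_group, {}).get("roles", []))
    return sorted(roles)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_SECURITY), ("fixed", FIXED_SECURITY)):
        print(label, "findings:", validate_ldap_section(cfg))
        print(label, "roles:", resolve_roles(cfg, LDAP_GROUPS_FROM_LOG))
```

Run against the broken section, the validator reports the misnamed key and the missing list, and the user resolves to `no-roles` and therefore an empty role set; with the corrected section the same LDAP groups resolve to `admin` and its roles. The model also explains the poster's observation that setting `ldap.default-group: read-only` let them log in with read-only access only: the fallback group was doing the work while the LDAP mappings were never consulted.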
@twobeeb Thanks for this, it's now working. Much appreciated.
thanks @twobeeb
I'm struggling to migrate to version 0.17.0 from 0.14.1, as the login box is not working. If I set the default group to "no-roles" it just gives me the login page with no box to fill in the username and password. I've enabled security as per the previous posts:
I've added the jwt section with a password of over 32 characters.
But the prompt is still not there.
If I go to hostname/api/auths I get this output
{"loginEnabled":true,"formEnabled":false}
So it looks like auth is enabled; I'm just unable to use it.
Any help appreciated.
Thanks
Update
I can get the login prompt up if I set this:
I can log in, BUT I only ever get a read-only role. If I remove `default-group: read-only` from below `ldap`, it then stops showing the login box.