base-path option seems to enforce going through login

[bigorn0]

Hi,

I'm trying to run your nice tool behind a reverse proxy under /kafkahq root base path. Doing so, I'm consistently redirected to the /kafkahq//login/unauthorized page whatever I try.

The configuration I use is basically the application.conf example in the repository:

kafkahq:
  server:
    base-path: "/kafkahq/" # if behind a reverse proxy, path to kafkahq with trailing slash (optional).

    access-log: # Access log configuration (optional)
      enabled: true # true by default
      name: org.kafkahq.log.access # Logger name
      format: "[Date: {}] [Duration: {} ms] [Url: {} {} {}] [Status: {}] [Ip: {}] [Length: {}] [Port: {}]" # Logger format

  # default kafka properties for each clients, available for admin / producer / consumer (optional)
  clients-defaults:
    consumer:
      properties:
        isolation.level: read_committed

  # list of kafka cluster available for kafkahq
  connections:
    my-cluster-plain-text: # url friendly name for the cluster
      properties: # standard kafka properties (optional)
        bootstrap.servers: "kafka:9092"
      # schema-registry:
      #   url: "http://schema-registry:8085" # schema registry url (optional)

      connect:
        url: "http://kafka-connect-rest:8083" # connect url (optional)

  # Topic list display options (optional)
  topic:
    page-size: 25 # number of topics per page (default : 25)
    default-view: HIDE_INTERNAL # default list view (ALL, HIDE_INTERNAL, HIDE_INTERNAL_STREAM, HIDE_STREAM)
    internal-regexps: # list of regexp to be considered as internal (internal topic can't be deleted or updated)
      - "^_.*$"
      - "^.*_schemas$"
      - "^.*connect-config$"
      - "^.*connect-offsets$1"
      - "^.*connect-status$"
    stream-regexps: # list of regexp to be considered as internal stream topic
      - "^.*-changelog$"
      - "^.*-repartition$"
      - "^.*-rekey$"

  # Topic display data options (optional)
  topic-data:
    sort: OLDEST # default sort order (OLDEST, NEWEST) (default: OLDEST)
    size: 50 # max record per page (default: 50)
    poll-timeout: 1000 # The time, in milliseconds, spent waiting in poll if data is not available in the buffer.

  # Schama list display options (optional)
  schema:
    page-size: 25 # number of schemas per page (default : 25)

  # Auth & Roles (optional)
  security:
    default-roles: # Roles available for all the user even unlogged user
      - topic/read
      - topic/insert
      - topic/delete
      - topic/config/update
      - node/read
      - node/config/update
      - topic/data/read
      - topic/data/insert
      - topic/data/delete
      - group/read
      - group/delete
      - group/offsets/update
      - registry/read
      - registry/insert
      - registry/update
      - registry/delete
      - registry/version/delete
      - connect/read
      - connect/insert
      - connect/update
      - connect/delete
      - connect/state/update

    # Basic auth configuration
    basic-auth:
      admin: # Username
        password: pass
        roles: # Role for current users
          - topic/read
          - group/read
          - group/delete

It looks like it tries to enforce Basic Auth when base-path isn't empty because if I remove the base path to be base-path: "" then I can access my cluster summary page without going through login at all.

Ultimately I'd like to disable this Basic Auth and rely on default roles because I'm protective this in another third party tool (keycloak gatekeeper) I tried to override Micronaut security option to be disabled but no luck.

If there is a way to workaround or if I'm doing it wrongly please let me know :)

Thanks!

[tchiotludo]

Thanks for the report :+1:

• first issue, there is an issue with main redirect with base-path fix with last commit on docker pull tchiotludo/kafkahq:dev.
• second issue, the documentation is wrong and base-path is without trailing slash so configuration must be base-path: "/kafkahq", fix with last commit.

For the last point : the basic auth is not mandatory and by default is not enabled (to be honest, enabled by default, with all the roles). You can disabled it completely with on your configuration files:

micronaut:
  security:
    enabled: false

I don't know anything about keycloak gatekeeper, but as i see it will be difficult to map user from keycloak to kafkahq roles (to limit current right depending on users). I think about a feature with ability to get current user from a custom header and to map user on configuration files, tell me if it will be relevant in your use case

[bigorn0]

Thanks for the quick feedback! I'll test it and give you feedback quickly 👍 I see your fix is embedded in latest release so I'll go with it.

About Keycloak-gatekeeper I already use a specific header it sets when sending request to backends which might fit the case, e.g x-auth-roles. It provides the list of roles (a coma separated list) a user gets assigned to in Keycloak so I could perfectly declare roles based on those you already set in kafkahq

[tchiotludo]

for info, just release the 0.9.0 few minutes ago, no need to use the dev branch now :smile:

Thanks for the feedback for Keycloak-gatekeeper. I don't think this way (header that pass the roles), I mostly think an header that pass the user. But it seems to be a good feature, I will add this one on the release !

[bigorn0]

@tchiotludo I can confirm latest release solves the issue :) Thanks a lot!