
BE: RBAC: Support JSON path for roles-field

Open exlosir opened this issue 7 months ago • 2 comments

Issue submitter TODO list

  • [x] I've searched for an already existing issue here
  • [x] I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

I set up OAuth2 authentication (Keycloak) and RBAC. I created a client, a role and a user, and assigned the role to the user. When I receive the token, the path to the roles field looks like realm_access.roles, or an alternative variant like resource_access.KAFKA-UI-LOCAL.roles. On the site the list of clusters is empty, because the roles are not mapped to the Keycloak roles.

Describe the feature you're interested in

As suggested by @germanosin, I would like to add the ability to specify a custom path to the roles field in the token via a JSON path.

Describe alternatives you've considered

No response

Version you're running

https://github.com/kafbat/kafka-ui/commit/3074abc

Additional context

Current docker-compose configuration

version: '3.8'

name: kafka-ui
services:
  app:
    image: ghcr.io/kafbat/kafka-ui:latest
    container_name: "kafka-ui-am"
    environment:
      SPRING_CONFIG_LOCATION: file:/etc/kafkaui/application.yml
      SPRING_PROFILES_ACTIVE: keycloak,rbac
      #SERVER_SERVLET_CONTEXT_PATH: /kafka-ui
    ports:
        - 8080:8080
    volumes:
      - ./application.yml:/etc/kafkaui/application.yml
    networks:
      - kafka-ui

networks:
  kafka-ui:

application.yml

kafka:
  clusters:
    - name: dev
      bootstrapServers: localhost:9092

logging:
  level:
    #ROOT: TRACE
    io.kafbat.ui.service.rbac.extractor: TRACE

auth:
  type: OAUTH2
  oauth2:
    client:
      keycloak:
        provider: keycloak
        clientId: KAFKA-UI-LOCAL
        clientSecret: some-secret-key
        scope: ['openid', 'roles']
        issuer-uri: https://localhost:8081/realms/master
        user-name-attribute: preferred_username
        client-name: keycloak
        custom-params:
          type: oauth
          roles-field: realm_access.roles

server:
  forward-headers-strategy: native # to make it work behind reverse-proxy

rbac:
  roles:
    - name: kafka-ui-readonly
      clusters:
        - dev
      subjects:
        - provider: oauth
          type: role
          value: kafka-ui-readonly
      permissions:
        - resource: clusterconfig
          actions: [ "view" ]

        - resource: topic
          value: ".*"
          actions: 
            - VIEW
            - MESSAGES_READ

        - resource: schema
          value: ".*"
          actions: [ view ]

        - resource: connect
          value: ".*"
          actions: [ view ]

        - resource: acl
          actions: [ view ]

exlosir Apr 14 '25 18:04
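As an added illustration (not code from kafka-ui or its author), here is a small Python resolver that looks up the roles claim at a configurable path in a decoded Keycloak access token, covering both path shapes named in the issue (realm_access.roles and resource_access.KAFKA-UI-LOCAL.roles). The token payload and the `web.portal` client are constructed for the example, and the bracket syntax `$['a']['b.c']` is an assumed convention for addressing client IDs that themselves contain dots.

```python
import json
import re

# Constructed sample: the decoded payload of a Keycloak access token. It
# carries realm roles and per-client roles, like the two variants in the
# issue; the "web.portal" client is added to show a client ID with a dot.
SAMPLE_TOKEN_PAYLOAD = json.loads("""
{
  "preferred_username": "alice",
  "realm_access": {"roles": ["kafka-ui-readonly", "offline_access"]},
  "resource_access": {
    "KAFKA-UI-LOCAL": {"roles": ["kafka-ui-readonly"]},
    "web.portal": {"roles": ["portal-admin"]}
  }
}
""")

# One path segment: ['key'], ["key"], or a bare name without dots/brackets.
SEGMENT = re.compile(r"\['([^']*)'\]|\[\"([^\"]*)\"\]|([^.\[\]]+)")


def parse_path(path):
    """Split a JSON-path-like expression into key segments.

    Accepts the dotted form from the issue (realm_access.roles), an optional
    leading '$', and bracket form ($['resource_access']['web.portal']['roles'])
    so that keys containing dots can still be addressed (assumed convention).
    """
    body = path[1:] if path.startswith("$") else path
    return [a or b or c for a, b, c in SEGMENT.findall(body)]


def extract_roles(claims, path):
    """Return the role names found at `path`, or [] when the path does not
    resolve to a string or a list of strings (fail closed: no roles)."""
    node = claims
    for key in parse_path(path):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    if isinstance(node, str):
        return [node]
    if isinstance(node, list):
        return [r for r in node if isinstance(r, str)]
    return []


def matches_rbac_subject(claims, path, required_role):
    """True if an RBAC subject (type: role, value: required_role) applies."""
    return required_role in extract_roles(claims, path)
```

An unresolvable path yields an empty role list rather than an error, which is the fail-closed behaviour behind the empty cluster list described in the issue; a naive dotted path such as resource_access.web.portal.roles also resolves to nothing, which is why the bracket form is needed for such client IDs.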

Hi exlosir! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

github-actions[bot] Apr 14 '25 18:04

Been previously discussed at:

  • https://discord.com/channels/897805035122077716/1271514267862175886/1274076850020417650
  • https://github.com/provectus/kafka-ui/issues/4024
  • https://github.com/kafbat/kafka-ui/issues/829#issuecomment-2801255287

Haarolean Apr 14 '25 19:04