kafka-ui
RBAC for ACL Management
Issue submitter TODO list
- [X] I've searched for already existing issues here
- [X] I'm running a supported version of the application which is listed here and the feature is not present there
Is your proposal related to a problem?
Today we can set the ACL RBAC action only for view & edit, and we don't have the option to set the value or some specific ACL action (e.g. ACL type, Resource type).
```yaml
### Current RBAC role config
- resource: acl
  actions: [view, edit]
```
Describe the feature you're interested in
We need the ability to set actions & values for each RBAC role and ACL resource/type
Resource type
actions:
- view
- edit
- delete
- custom_acl
- producer_acl
- consumer_acl
- stream_acl

value: (for custom_acl, edit & view, filter by resource type)
- TOPIC
- GROUP
- CLUSTER
- TRANSACTIONAL_ID
- DELEGATION_TOKEN
- USER
For Example:
```yaml
### Requested RBAC role config
- resource: acl
  value: ["TOPIC", "GROUP"]
  actions: [view, edit, custom_acl, producer_acl, consumer_acl]
```
Describe alternatives you've considered
No response
Version you're running
v1.0.0
Additional context
No response
Hi joelpavlovsky! 👋
Welcome, and thank you for opening your first issue in the repo!
Please wait for triaging by our maintainers.
As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. Sponsorship link
If you plan to raise a PR for this issue, please take a look at our contributing guide.
Hi, this is not possible mainly because custom ACL types (or presets) exist only as a convenience feature, and they're indistinguishable from the other ACL records once they've been created in zookeeper.
Thank you for your response.
The issue arises when a user only has permissions as a cluster reader, restricting them from altering cluster settings or configurations, thereby unable to "destroy" the cluster. However, in cases where I granted permissions for the client to create or edit ACLs, they can create a custom ACL with cluster alter configurations, potentially leading to unintended actions or mistakes.
My suggestion is to introduce an option to conceal the "custom ACL" feature, allowing users to only assign producer or consumer ACLs. This enhancement would provide added protection for the client, enabling them to implement only essential ACLs, such as producer or consumer permissions.
On Thu, May 2, 2024, 01:11 Roman Zabaluev @.***> wrote:
Hi, this is not possible mainly because custom ACL types (or presets) exist only as a convenience feature, and they're indistinguishable from the other ACL records once they've been created in zookeeper.
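The concern raised in this thread, as an added example that is not part of the issue or of kafka-ui's code: since presets cannot be told apart from other ACL records once created, a restriction has to be evaluated on the content of each proposed binding (resource type and operation). The `AclRole` and `AclBinding` types are hypothetical, and the preset operation sets are an assumption modeled on the `kafka-acls` `--producer` / `--consumer` convenience options.

```python
from dataclasses import dataclass

# Assumption: preset shapes modeled on the kafka-acls --producer / --consumer
# convenience options; kafka-ui's own presets may differ.
PRESET_SHAPES = {
    "producer_acl": {("TOPIC", "WRITE"), ("TOPIC", "DESCRIBE"), ("TOPIC", "CREATE")},
    "consumer_acl": {("TOPIC", "READ"), ("TOPIC", "DESCRIBE"), ("GROUP", "READ")},
}

@dataclass(frozen=True)
class AclBinding:
    principal: str
    resource_type: str
    operation: str

@dataclass(frozen=True)
class AclRole:
    """Hypothetical role, shaped like the requested `value` / `actions` config."""
    value: frozenset
    actions: frozenset

def violations(binding, role):
    """Return the reasons a proposed binding falls outside the role (empty = allowed)."""
    reasons = []
    if binding.resource_type not in role.value:
        reasons.append(f"resource type {binding.resource_type} not in role value")
    pair = (binding.resource_type, binding.operation)
    in_preset = any(pair in PRESET_SHAPES[a] for a in role.actions if a in PRESET_SHAPES)
    if not in_preset and "custom_acl" not in role.actions:
        reasons.append(f"{binding.operation} on {binding.resource_type} matches no granted preset")
    return reasons

def audit(bindings, role):
    """Map each out-of-policy binding to its reasons."""
    return {b: r for b in bindings if (r := violations(b, role))}

# Constructed sample data: the requested role from the issue, and a presets-only role.
REQUESTED = AclRole(frozenset({"TOPIC", "GROUP"}),
                    frozenset({"view", "edit", "custom_acl", "producer_acl", "consumer_acl"}))
PRESETS_ONLY = AclRole(frozenset({"TOPIC", "GROUP"}),
                       frozenset({"view", "producer_acl", "consumer_acl"}))
SAMPLE = [
    AclBinding("User:app", "TOPIC", "WRITE"),
    AclBinding("User:app", "GROUP", "READ"),
    AclBinding("User:app", "TOPIC", "ALTER"),
    AclBinding("User:app", "CLUSTER", "ALTER_CONFIGS"),
]
```

The same check can be run over existing bindings as an audit, which flags cluster-level grants regardless of which UI path created them.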