kafka-ui
Wrong RBAC for Kafka Connect
Issue submitter TODO list
- [X] I've looked up my issue in FAQ
- [X] I've searched for already existing issues here
- [X] I've tried running main-labeled docker image and the issue still persists there
- [X] I'm running a supported version of the application which is listed here
Describe the bug (actual behavior)
Now it requires the "edit" ACL to pause and resume connectors, although it's valid for "restart" rights.
Expected behavior
No response
Your installation details
1.0.0
Steps to reproduce
Use this config:

```yaml
- resource: connect
  value: ".*"
  actions: [ "view", "restart" ]
```

and try to pause a connector. You can do it only if you have the edit ACL.
Screenshots
No response
Logs
No response
Additional context
No response
It's meshed with https://github.com/provectus/kafka-ui/issues/4170, but there the author asked for a new type of access. It seems redundant.
- https://github.com/kafbat/kafka-ui/blob/main/frontend/src/components/Connect/Details/Actions/Actions.tsx#L80
- https://github.com/kafbat/kafka-ui/blob/main/frontend/src/components/Connect/Details/Actions/Actions.tsx#L93
- https://github.com/kafbat/kafka-ui/blob/main/frontend/src/components/Connect/List/ActionsCell.tsx#L69
- https://github.com/kafbat/kafka-ui/blob/main/api/src/main/java/io/kafbat/ui/controller/KafkaConnectController.java#L194
Edit sounds weird for pause/start, but introducing pause and start on the other hand looks redundant as well.
No need to introduce additional ACLs. Replacing the current "edit" permission with "restart" for pause/start actions is enough (we are currently forced to do this in a local build).
I would prefer to:
- Introduce a new action called 'operate'
- Deprecate the 'restart' action
- Update the logic to use 'operate' instead of 'edit' for pause/resume
@germanosin sounds good, but will definitely cause problems for old users after the update.
We could assign restart to operate for backward compatibility
Fixed in https://github.com/kafbat/kafka-ui/pull/1121
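
The backward-compatibility idea discussed in this thread (a deprecated `restart` action that still grants a new `operate` action), sketched as an added example; it is not code from kafka-ui or from the linked pull request. The type names, the `LEGACY_ALIASES` and `REQUIRED` tables, the operation names and the full-match regex semantics are assumptions made for illustration.

```typescript
// Added illustration, not kafka-ui code. All identifiers are hypothetical.
type Action = "view" | "edit" | "operate" | "restart";
type Operation = "pause" | "resume" | "restart" | "updateConfig";

interface Permission {
  resource: string;
  value: string; // regex over resource names, as in the issue's config
  actions: Action[];
}

// Deprecated action -> actions it still grants after the rename.
const LEGACY_ALIASES: Partial<Record<Action, Action[]>> = {
  restart: ["operate"],
};

// Action each connector operation requires (assumed mapping).
const REQUIRED: Record<Operation, Action> = {
  pause: "operate",
  resume: "operate",
  restart: "operate",
  updateConfig: "edit",
};

// Expand configured actions with whatever their legacy aliases imply.
function effectiveActions(p: Permission): Action[] {
  const out: Action[] = p.actions.slice();
  for (const a of p.actions) {
    for (const implied of LEGACY_ALIASES[a] ?? []) {
      if (out.indexOf(implied) === -1) out.push(implied);
    }
  }
  return out;
}

function isAllowed(perms: Permission[], resource: string, name: string, op: Operation): boolean {
  const needed = REQUIRED[op];
  return perms.some(
    (p) =>
      p.resource === resource &&
      new RegExp(`^(?:${p.value})$`).test(name) && // full match assumed
      effectiveActions(p).indexOf(needed) !== -1
  );
}

// Constructed sample: the role from the issue, written before "operate" existed.
const legacyRole: Permission[] = [
  { resource: "connect", value: ".*", actions: ["view", "restart"] },
];
```

In this sketch the alias is one-way: `restart` grants `operate`, but nothing grants `edit`, so the role from the issue can pause and resume without being able to change connector configuration. A role that relied on `edit` alone for pause/resume would lose that ability here unless it is given `operate` or a similar alias is added.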