kafka-ui
Add support for opa authorization
Issue submitter TODO list
- [X] I've searched for already existing issues here
- [X] I'm running a supported version of the application which is listed here and the feature is not present there
Is your proposal related to a problem?
No response
Describe the feature you're interested in
Add the ability to select the Open Policy Agent option to use authorization inside Kafka-ui. This will allow policies to manage user interface approval outside the application configuration and allow the usage of extra data sources to manage permissions. It can also be used to configure the masking of data on a topic.
Describe alternatives you've considered
I tried using the static RBAC to manage users. This causes some issues. The main one is that you must restart the application each time you change the permissions. Secondly, you can't enrich the decision-making using a third-party tool (like a metadata store) to specify the permissions on the user interface.
Version you're running
2956664
Additional context
Hi mano1233! 👋
Welcome, and thank you for opening your first issue in the repo!
Please wait for triaging by our maintainers.
As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. Sponsorship link
If you plan to raise a PR for this issue, please take a look at our contributing guide.
My organization is also in the process of migrating our authorization to OPA. We have started this move after the overhead of maintaining authorization rules in all of our applications. So far we have moved our Trino clusters to OPA, and are in the middle of transitioning our Kafka stack to OPA. We have looked to switch our Kafka management tool since our old one does not suit our requirement well. After testing many tools we decided to use Kafbat-Ui, but our only problem is the lack of support for OPA. Our idea is to have OPA policies that dictate authorization based on our data governance tool, and by doing that simplify the overhead of authorization and have a single mechanism for managing it. To give some context on the current implementation in our environment, we are running Keycloak for authentication, and OPA sidecar containers for the systems that support OPA. We have integrated our Kafbat-Ui with our Keycloak and would be happy if we could further integrate it with OPA for our solution. Thank you in advance.
@theonlyguyy thanks for the additional feedback!
This is a long shot, but happy to discuss if someone is willing to contribute/sponsor this.
Hey, Kinda new to JS, but I will gladly give a hand. How can we take this further?
@mano1233, this is definitely not related to the JavaScript part. It requires experience with Java, Spring, WebFlux, Security, and OPA. If you have that expertise, we'd greatly appreciate your contribution!
not a lot but I have a bunch of free time
@mano1233 I conducted some preliminary research:
- It appears that the OPA document will need to contain two key data elements:
  - 1.1 A permissions list, specifying the permissions that can be assigned to a user (passed as a query).
  - 1.2 An allow rule, which will evaluate the user's permissions and apply them to the ActionContext (including the cluster and related resources).
- We should generalize AccessControlService as an interface and develop a separate implementation that will forward these requests to the OPA REST API.
This seems achievable, though it will require some time, particularly for implementation and testing. If you'd prefer, we can prioritize this issue, but please note that it would be classified at the gold level for support.
fyi: @Haarolean
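The design outlined in the comment above (an access-control interface with an implementation that forwards decisions to the OPA REST API), as an added example that is not kafka-ui code and not written by anyone in this thread. The `AccessDecider` interface, the input field names and the `kafkaui/allow` policy path are assumptions, Jackson is assumed to be on the classpath, and the blocking JDK HTTP client is used for brevity where a WebFlux application would use a reactive client. Any error, non-200 status or undefined result is treated as a deny.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.List;
import java.util.Map;

// Hypothetical interface: the real AccessControlService methods are not shown on this page.
interface AccessDecider {
  boolean isAllowed(String user, List<String> groups, String cluster,
                    String resourceType, String resourceName, String action);
}

// Forwards each decision to OPA's Data API: POST /v1/data/<path> with {"input": ...}.
final class OpaAccessDecider implements AccessDecider {
  private final HttpClient http = HttpClient.newBuilder()
      .connectTimeout(Duration.ofSeconds(2)).build();
  private final ObjectMapper json = new ObjectMapper();
  private final URI decisionUri; // assumed, e.g. http://localhost:8181/v1/data/kafkaui/allow
  OpaAccessDecider(URI decisionUri) { this.decisionUri = decisionUri; }

  @Override
  public boolean isAllowed(String user, List<String> groups, String cluster,
                           String resourceType, String resourceName, String action) {
    try {
      // Input field names are assumptions; the policy must read the same names.
      Map<String, Object> input = Map.of(
          "user", user, "groups", groups, "cluster", cluster,
          "resource", Map.of("type", resourceType, "name", resourceName),
          "action", action);
      HttpRequest req = HttpRequest.newBuilder(decisionUri)
          .timeout(Duration.ofSeconds(2))
          .header("Content-Type", "application/json")
          .POST(HttpRequest.BodyPublishers.ofString(
              json.writeValueAsString(Map.of("input", input))))
          .build();
      HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
      if (resp.statusCode() != 200) return false; // fail closed on any OPA error
      // An undefined rule returns {} with no "result"; only a literal true allows.
      JsonNode result = json.readTree(resp.body()).path("result");
      return result.isBoolean() && result.booleanValue();
    } catch (Exception e) {
      if (e instanceof InterruptedException) Thread.currentThread().interrupt();
      return false; // OPA unreachable, bad JSON or null input: deny
    }
  }
}
```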