kafka-ui
RBAC: Unclear required access level for the audit topic
Issue submitter TODO list
- [X] I've looked up my issue in FAQ
- [X] I've searched for an already existing issues here
- [X] I've tried running main-labeled docker image and the issue still persists there
- [X] I'm running a supported version of the application which is listed here
Describe the bug (actual behavior)
Lack of access to _kui_audit_log topic messages when configuring LDAP and RBAC. If you disable RBAC, then access to messages is available; what could be the reason for this behavior?
Expected behavior
Reading messages in the _kui_audit_log topic using kui even if RBAC is enabled
Your installation details
```yaml
auth:
  type: LDAP
spring:
  jmx:
    enabled: true
  ldap:
    urls: ldap://ms.it.domain.com:389
    base:
    admin-user:
    admin-password:
    user-filter-search-base: DC=it,DC=domain,DC=com
    user-filter-search-filter: (&(uid={0})(objectClass=inetOrgPerson))
    group-filter-search-base: ou=Groups,DC=it,DC=domain,DC=com
kafka:
  clusters:
    - name: Kafka-cluster-1
      bootstrapServers: kafka1.com,kafka2.com,kafka3.com
      ssl:
        truststorelocation: /truststore.jks
        truststorepassword:
      properties:
        security:
          protocol: SASL_SSL
        sasl:
          mechanism: PLAIN
          jaas:
            config: org.apache.kafka.common.security.plain.PlainLoginModule required username="" password="";
      audit:
        topicAuditEnabled: true
        consoleAuditEnabled: true
        topic: "__kui-audit-log" # default name
        auditTopicProperties: # any kafka topic properties in format of a map
          retention.ms: 43200000
        auditTopicsPartitions: 1 # how many partitions, default is 1
        level: ALTER_ONLY # either ALL or ALTER_ONLY (default). ALL will log all read operations.
rbac:
  roles:
    - name: "admins"
      clusters:
        - Kafka-cluster-1
      subjects:
        - provider: ldap
          type: group
          value: "MS"
      permissions:
        - resource: applicationconfig
          actions: all
        - resource: clusterconfig
          actions: all
        - resource: topic
          value: ".*"
          actions: all
        - resource: consumer
          value: ".*"
          actions: all
        - resource: acl
          value: ".*"
          actions: all
        - resource: schema
          value: ".*"
          actions: all
        - resource: connect
          value: ".*"
          actions: all
        - resource: ksql
          value: ".*"
          actions: all
```
Steps to reproduce
Enable LDAP, enable RBAC
Screenshots
No response
Logs
```
, String, String, Long, Long, String, String, String, ServerWebExchange)
2024-06-27 15:35:40,259 DEBUG [reactor-http-epoll-4] o.s.w.s.a.HttpWebHandlerAdapter: [ea53e5a8-59] Completed 403 FORBIDDEN
2024-06-27 15:35:41,638 DEBUG [reactor-http-epoll-4] o.s.w.s.a.HttpWebHandlerAdapter: [ea53e5a8-60] HTTP GET "/api/clusters/Kafka-cluster-1/topics/__kui-audit-log/messages/v2?limit=100&mode=LATEST"
2024-06-27 15:35:41,640 DEBUG [reactor-http-epoll-4] o.s.w.r.r.m.a.RequestMappingHandlerMapping: [ea53e5a8-60] Mapped to io.kafbat.ui.controller.MessagesController#getTopicMessagesV2(String, String, PollingModeDTO, List, Integer, String, String, Long, Long, String, String, String, ServerWebExchange)
```
Additional context
Similar problem on https://github.com/provectus/kafka-ui; perhaps you need to explicitly set the access rules. ACL is disabled on Kafka.
Hi Ilyin-V-V! 👋
Welcome, and thank you for opening your first issue in the repo!
Please wait for triaging by our maintainers.
As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. Sponsorship link
If you plan to raise a PR for this issue, please take a look at our contributing guide.
_kui_audit_log is just a topic and has no special treatment from the perspective of RBAC. You have to add RBAC rules for that topic manually. Let me know if there's anything else we could help with.
And I think that _kui_audit_log is just a topic, but why then does the rule:
```yaml
- resource: topic
  value: ".*"
  actions: all
```
result in Completed 403 FORBIDDEN? I also tried to write the rule explicitly:
```yaml
- resource: topic
  value: ".*audit-log"
  actions: [view, messages_read]
```
but I still get 403 FORBIDDEN.
Aah, sorry, there actually is a special treatment for the audit topic: in order to be able to view its messages you have to add the following RBAC permission:
```yaml
- resource: audit
  actions: all
```
Please let me know if it works for you.
Further user feedback is requested. Please reply within 7 days or we might close the issue.
We'd need to update the docs: https://github.com/kafbat/ui-docs/blob/main/configuration/audit-log.md https://github.com/kafbat/ui-docs/blob/main/configuration/rbac-role-based-access-control/README.md
It doesn't work for me, here is my RBAC:
```yaml
rbac:
  roles:
    - name: "admins"
      clusters:
        - Kafka-cluster-1
      subjects:
        - provider: ldap
          type: group
          value: "MS"
      permissions:
        - resource: topic
          value: ".*"
          actions: all
        - resource: audit
          actions: all
```
And still, when reading the topic __kui-audit-log from the UI, the logs show: Completed 403 FORBIDDEN. Version: kafbat-ui-v1.0.0.jar
This particular config works for me:
```yaml
- resource: topic
  value: "__kui-audit-log"
  actions: all
- resource: audit
  actions: all
```
The question why we'd need both still remains, we'll take a look into this. For now, please add both the actions to your config, this should work.
thank you very much, it works
is the issue resolved?
@Ansh7899 nope, feel free to tackle this! We should allow access to the audit topic via resource: audit permission without a need for resource: topic one.
Hi! I faced the same issue: cannot read messages in the audit topic with RBAC. But for some reason the configuration below doesn't help:
```yaml
- resource: topic
  value: "__kui-audit-log"
  actions: all
- resource: audit
  actions: all
```
Full config for permissions:
```yaml
permissions:
  - resource: applicationconfig
    actions: all
  - resource: clusterconfig
    actions: all
  - resource: topic
    value: "__kui-audit-log"
    actions: all
  - resource: consumer
    value: ".*"
    actions: all
  - resource: schema
    value: ".*"
    actions: all
  - resource: connect
    value: ".*"
    actions: all
  - resource: ksql
    actions: all
  - resource: acl
    actions: [ view ]
  - resource: audit
    actions: all
```
And the message in the log:
```
kafka-ui | 2025-01-13 10:38:48,446 INFO [reactor-http-epoll-4] audit: {"timestamp":"2025-01-13T10:38:48.446022500Z","username":"YartsevaVV","clusterName":"test","resources":[{"type":"TOPIC","id":"__kui-audit-log","alter":false,"accessType":["MESSAGES_READ"]},{"type":"AUDIT","alter":false,"accessType":["VIEW"]}],"operation":"getTopicMessages","result":{"success":false,"error":"ACCESS_DENIED"}}
```
I am using kafbat/kafka-ui:v1.0.0. Can you please advise? Should I use another version or any other configuration?
UPD: this is working properly in k8s (still doesn't in local docker, but ok):
```yaml
- resource: topic
  value: "__kui-audit-log"
  actions: all
- resource: audit
  actions: all
```
Just one note. It would be good to have the possibility to allow only VIEW and MESSAGES_READ actions for the audit topic. Now it doesn't work:
```yaml
- resource: topic
  value: "__kui-audit-log"
  actions:
    - VIEW
    - MESSAGES_READ
```
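The audit record quoted above lists every resource the request was checked against (a TOPIC with MESSAGES_READ and an AUDIT with VIEW), which is what makes it useful for diagnosing an ACCESS_DENIED. As an added example that is not part of this thread or of the kafbat-ui code base, the following Python helper parses such a record and reports which of its resources a given permission list leaves uncovered. The matching rules it applies (case-insensitive resource and action names, a regex `value` that must fully match the resource id, `actions: all` granting every action) are an assumption about how such a check behaves, not the project's actual implementation; the log line and the permission sets are constructed to mirror the configs discussed in the thread.

```python
import json
import re

# Constructed audit log line, modelled on the record quoted in this thread.
AUDIT_LINE = (
    'kafka-ui | 2025-01-13 10:38:48,446 INFO [reactor-http-epoll-4] audit: '
    '{"timestamp":"2025-01-13T10:38:48.446022500Z","username":"someuser",'
    '"clusterName":"test","resources":['
    '{"type":"TOPIC","id":"__kui-audit-log","alter":false,"accessType":["MESSAGES_READ"]},'
    '{"type":"AUDIT","alter":false,"accessType":["VIEW"]}],'
    '"operation":"getTopicMessages","result":{"success":false,"error":"ACCESS_DENIED"}}'
)


def parse_audit_line(line):
    """Return the JSON record that follows the 'audit: ' marker in a log line."""
    _, _, payload = line.partition("audit: ")
    return json.loads(payload)


def rule_covers(rule, resource):
    """Assumed matching semantics (not kafbat-ui's own code): the rule's resource
    type must equal the record's type (case-insensitive), an optional regex
    'value' must fully match the resource id, and every requested action must be
    granted, with the literal string 'all' granting everything."""
    if rule["resource"].lower() != resource["type"].lower():
        return False
    value = rule.get("value")
    if value is not None and not re.fullmatch(value, resource.get("id", "")):
        return False
    actions = rule.get("actions", [])
    if actions == "all":
        return True
    granted = {a.lower() for a in actions}
    return all(a.lower() in granted for a in resource["accessType"])


def uncovered_resources(permissions, record):
    """Resources in the audit record that no permission rule covers; an empty
    list means every checked resource is granted under the assumed semantics."""
    return [
        r for r in record["resources"]
        if not any(rule_covers(rule, r) for rule in permissions)
    ]


# Constructed permission sets mirroring the configs tried in the thread.
TOPIC_WILDCARD_ONLY = [{"resource": "topic", "value": ".*", "actions": "all"}]
TOPIC_EXPLICIT_ONLY = [
    {"resource": "topic", "value": ".*audit-log", "actions": ["view", "messages_read"]},
]
TOPIC_AND_AUDIT = [
    {"resource": "topic", "value": "__kui-audit-log", "actions": "all"},
    {"resource": "audit", "actions": "all"},
]


if __name__ == "__main__":
    record = parse_audit_line(AUDIT_LINE)
    for name, perms in [("topic .* only", TOPIC_WILDCARD_ONLY),
                        ("topic .*audit-log only", TOPIC_EXPLICIT_ONLY),
                        ("topic + audit", TOPIC_AND_AUDIT)]:
        missing = [r["type"] for r in uncovered_resources(perms, record)]
        print(f"{name}: uncovered={missing or 'none'}")
```

Run against the constructed record, both topic-only permission sets leave the AUDIT resource uncovered, while the topic-plus-audit set covers everything; that is the same pattern the maintainer's working config shows, and the helper lets you read the answer straight off the audit line instead of guessing at the 403.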