cp-ansible
mds is not superuser
I have the following hosts.yaml:
rbac_enabled: true
mds_super_user: mds
mds_super_user_password: password
kafka_broker_ldap_user: bro
kafka_broker_ldap_password: password
schema_registry_ldap_user: reg
schema_registry_ldap_password: password
ksql_ldap_user: ksql
ksql_ldap_password: password
control_center_ldap_user: cce
control_center_ldap_password: password
create_mds_certs: false
token_services_public_pem_file: /vagrant/ssl/mds.publickey.pem
token_services_private_pem_file: /vagrant/ssl/mds.tokenkeypair.pem
kafka_broker_cluster_name: broker-cluster
schema_registry_cluster_name: schema-registry-cluster
ksql_cluster_name: ksql-cluster
kafka_broker_principal: User:mds
confluent_server_enabled: true
kafka_broker_schema_validation_enabled: true
server.properties:
super.users=User:mds;User:admin
but when I log in to Control Center as mds I don't see the cluster. If I log in with other LDAP users I see the corresponding component (for instance, with user bro I see the broker cluster).
With mds I get:
No clusters found
You need to configure Control Center so it knows how to connect to your Kafka cluster(s).
I checked the control center log files and I see the following:
[2021-07-02 14:05:10,513] INFO [qtp234988139-231] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka/display/stream-monitoring HTTP/1.1" 200 55 78 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,518] INFO [qtp234988139-221] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/connect HTTP/1.1" 200 2 3 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,546] INFO [qtp234988139-108] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka HTTP/1.1" 200 2 26 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,572] INFO [qtp234988139-221] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka/display/CLUSTER_MANAGEMENT HTTP/1.1" 200 55 54 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,573] INFO [qtp234988139-216] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka/display/cluster_management HTTP/1.1" 200 55 132 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,590] INFO [qtp234988139-123] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/schema-registry HTTP/1.1" 200 2 112 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,591] INFO [qtp234988139-236] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka/display/stream-monitoring HTTP/1.1" 200 55 34 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,592] INFO [qtp234988139-233] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/kafka HTTP/1.1" 200 2 23 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,632] INFO [qtp234988139-215] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/metrics/maxtime HTTP/1.1" 200 2 28 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,633] INFO [qtp234988139-220] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/metrics/clusters/status HTTP/1.1" 200 2 27 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:10,634] INFO [qtp234988139-235] 192.168.188.1 - mds [02/Jul/2021:14:05:10 +0000] "GET /2.0/clusters/ksql HTTP/1.1" 200 2 113 (io.confluent.rest-utils.requests)
[2021-07-02 14:05:14,377] WARN [control-center-heartbeat-0] misconfigured topic=_confluent-command config=segment.bytes value=1073741824 expected=134217728 (io.confluent.controlcenter.healthcheck.HealthCheck)
[2021-07-02 14:05:14,377] WARN [control-center-heartbeat-0] misconfigured topic=_confluent-command config=delete.retention.ms value=86400000 expected=259200000 (io.confluent.controlcenter.healthcheck.HealthCheck)
What did I misconfigure here? Or did I misunderstand something? I expected that if I log in with the mds user I would see all of the assignments, and that mds would have all the necessary assignments.
@AdamSzendrei Thanks for the question. MDS is a super user in the context of being able to set up permissions for other users on the Admin API. It is not a super user on, say, ksqlDB or Control Center, which is why you cannot log in with it. Super users in Confluent Platform are context specific.
So in order to log in to Control Center, you would use the MDS user with the CLI to set up permissions on another user that can access Control Center.
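The flow described above, as an added shell example that is not from the issue or from cp-ansible: authenticate to MDS as the super user, bind a role for a separate Control Center login principal, and verify the binding. It assumes the Confluent CLI v2+ `confluent iam rbac role-binding` syntax; the MDS URL, the principal `User:c3admin` and the Kafka cluster id are placeholders.

```shell
#!/bin/sh
# Added example, not part of the issue or of cp-ansible.
# The MDS super user is used only to administer role bindings; the UI login
# is a separate, narrowly scoped principal. Endpoint, principal and cluster
# id are assumed placeholders.
set -eu

MDS_URL="${MDS_URL:-https://mds.example.internal:8090}"          # assumed MDS endpoint
C3_PRINCIPAL="${C3_PRINCIPAL:-User:c3admin}"                      # assumed LDAP user for the UI
KAFKA_CLUSTER_ID="${KAFKA_CLUSTER_ID:-REPLACE_ME_KAFKA_CLUSTER_ID}" # placeholder
KAFKA_ROLE="${KAFKA_ROLE:-Operator}"   # Operator for dashboards/metrics; SystemAdmin grants everything
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands instead of running them

# Build one role-binding command as a string so it can be reviewed or logged
# before it is applied; unknown role names are rejected locally.
rolebinding_cmd() {
  role="$1"; shift
  case "$role" in
    SystemAdmin|ClusterAdmin|Operator|SecurityAdmin|UserAdmin|ResourceOwner|DeveloperRead|DeveloperWrite|DeveloperManage) ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  printf 'confluent iam rbac role-binding create --principal %s --role %s %s\n' \
    "$C3_PRINCIPAL" "$role" "$*"
}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$1"; else eval "$1"; fi
}

grant_c3_access() {
  if [ "$DRY_RUN" != "1" ] && [ "$KAFKA_CLUSTER_ID" = "REPLACE_ME_KAFKA_CLUSTER_ID" ]; then
    echo "set KAFKA_CLUSTER_ID before running for real" >&2; return 1
  fi
  run "confluent login --url $MDS_URL"   # prompts for the MDS super user credentials
  run "$(rolebinding_cmd "$KAFKA_ROLE" --kafka-cluster-id "$KAFKA_CLUSTER_ID")"
  # Verify exactly what the UI principal was granted.
  run "confluent iam rbac role-binding list --principal $C3_PRINCIPAL --kafka-cluster-id $KAFKA_CLUSTER_ID"
}

grant_c3_access
```

Run with `DRY_RUN=0 KAFKA_CLUSTER_ID=<id>` once the printed commands look right; the MDS credentials themselves never need to be handed to anyone who only uses Control Center.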
@JumaX Thanks for your answer. I thought that if I used the above-mentioned configuration I would get a running system "out of the box".
I was surprised that, for instance, LDAP user bro doesn't have any assignments, while other LDAP users do. Actually, I thought some of the assignments were missing, because some assignments - as in the case of LDAP users cce, reg and ksql - have been created.
@AdamSzendrei it's confusing, I agree. The challenge we have is that giving you a superuser that can access all services/systems out of the box is a big security issue. I've opened a ticket to see if we can add this but make it more toggleable.