
RBAC: Inconsistent Topic Creation Permissions

Open abix5 opened this issue 1 year ago • 2 comments

Issue submitter TODO list

  • [X] I've looked up my issue in FAQ
  • [X] I've searched for already existing issues here
  • [X] I've tried running master-labeled docker image and the issue still persists there
  • [X] I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

The current configuration for topic permissions is not working as expected. According to the configuration, topics should only be allowed to be created with names starting with "test-", but I am able to create topics with any name.

Expected behavior

According to the configuration, topics should only be allowed to be created with names starting with "test-".

Your installation details

- resource: topic
  value: "test-.*"
  actions: 
    - VIEW
    - CREATE
    - EDIT
    - DELETE
    - MESSAGES_READ
    - MESSAGES_PRODUCE

- resource: topic
  value: "^(?!test-).*"
  actions: 
    - VIEW
    - MESSAGES_READ
    - MESSAGES_PRODUCE

or

- resource: topic
  value: "test-.*"
  actions: 
    - VIEW
    - CREATE
    - EDIT
    - DELETE
    - MESSAGES_READ
    - MESSAGES_PRODUCE

- resource: topic
  value: ".*"
  actions: 
    - VIEW
    - MESSAGES_READ
    - MESSAGES_PRODUCE

Steps to reproduce

  • Create a topic with a name that does not start with "test-".
  • Verify that the topic is successfully created.

Screenshots

No response

Logs

No response

Additional context

No response

abix5 · Nov 16 '23 15:11

Hello there abix5! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

github-actions[bot] · Nov 16 '23 15:11

I'm also seeing this issue.

- name: "developer"
  clusters:
    - Dev
  subjects:
    - provider: ldap
      type: group
      value: "Kafka-dev"
  permissions:
    - resource: topic
      value: "dev.*"
      actions: [ view, create, edit, delete, messages_read, messages_produce, messages_delete ]

With this RBAC config the user can still create a topic with any name. However, they are not allowed to view it, so after creating it they are redirected to the 403 page, because the interface tries to send them to that topic after creation.

xpeoh · Nov 24 '23 16:11
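The rule sets quoted in the issue body and in xpeoh's comment both describe a deny-by-default, regex-scoped topic permission model, and both reports say CREATE is not being gated by the `value` regex. The following is an added reference model, not kafka-ui's own code, that encodes the behaviour those configs are expected to produce so the decisions can be checked against what the UI actually does. It assumes (an assumption, not something the page states) that the `value` regex must match the whole topic name and that an action is allowed only when at least one rule both matches the name and lists that action; the topic names used are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Added example, not kafka-ui's implementation. Assumptions: `value` is a regex
# that must match the whole topic name (re.fullmatch), action names are
# case-insensitive, and the default is deny.


@dataclass(frozen=True)
class Permission:
    resource: str            # e.g. "topic"
    value: str               # regex over the resource name
    actions: frozenset[str]  # upper-cased action names


def permission(resource: str, value: str, actions: Iterable[str]) -> Permission:
    """Build one rule; the quoted configs use both upper- and lower-case actions."""
    return Permission(resource, value, frozenset(a.upper() for a in actions))


def is_allowed(rules: Iterable[Permission], resource: str, name: str, action: str) -> bool:
    """Deny by default; allow only if some rule matches the name AND grants the action."""
    wanted = action.upper()
    return any(
        r.resource == resource
        and wanted in r.actions
        and re.fullmatch(r.value, name) is not None
        for r in rules
    )


def topic_decisions(rules: Iterable[Permission], topic: str) -> dict[str, bool]:
    """Expected CREATE and VIEW decisions for one topic name."""
    rules = list(rules)
    return {a: is_allowed(rules, "topic", topic, a) for a in ("CREATE", "VIEW")}


FULL = ["VIEW", "CREATE", "EDIT", "DELETE", "MESSAGES_READ", "MESSAGES_PRODUCE"]
READ_ONLY = ["VIEW", "MESSAGES_READ", "MESSAGES_PRODUCE"]

# The reporter's first variant: "test-.*" gets everything, the negated pattern is view-only.
REPORTER_RULES_A = [
    permission("topic", "test-.*", FULL),
    permission("topic", "^(?!test-).*", READ_ONLY),
]

# The reporter's second variant: "test-.*" gets everything, ".*" is view-only.
REPORTER_RULES_B = [
    permission("topic", "test-.*", FULL),
    permission("topic", ".*", READ_ONLY),
]

# xpeoh's "developer" role: only "dev.*" topics, all actions.
DEVELOPER_RULES = [
    permission("topic", "dev.*",
               ["view", "create", "edit", "delete",
                "messages_read", "messages_produce", "messages_delete"]),
]


if __name__ == "__main__":
    # Constructed topic names; the second in each pair is the one the bug lets through.
    for label, rules, names in (
        ("reporter A", REPORTER_RULES_A, ("test-orders", "orders")),
        ("reporter B", REPORTER_RULES_B, ("test-orders", "orders")),
        ("developer", DEVELOPER_RULES, ("dev.orders", "orders")),
    ):
        for name in names:
            print(label, name, topic_decisions(rules, name))
```

Under this model a name such as `orders` is viewable but not creatable with either of the reporter's configs, and neither viewable nor creatable with the `developer` role, which is consistent with xpeoh's observation that the UI lands on the 403 page right after creation: the VIEW check behaves as expected, only the CREATE check does not. One caveat on the quoted `dev.*` pattern: the `.` is an unescaped regex metacharacter, so the rule also matches names like `devops`; `dev\..*` would restrict it to the `dev.` prefix.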