kafka-ui
Role based access control
The main idea of this feature is to provide access control for authenticated users based on roles. Backend should support reading role bindings from git, s3, http, local yaml config like
```yaml
roleBindings:
  roleName:
    users:
      - userName
```
and role access control file, like
```yaml
roles:
  roleName:
    permissions:
      - resource: consumerGroups
        includes: ["/.*/"]
        excludes: []
        allowedActions: ["listTopics"]
```
The list of resources and actions should be defined and described in a separate document. Using these bindings and ACL lists, the backend should check all actions from authenticated users and provide this list to the frontend. The frontend should use this data to show/hide certain action buttons and menus.
Related: #482 #1027 #1352
Hey y'all, this is a really cool feature and I love this project. Do you think that this feature could pull Kafka permissions from Kafka's ACLs? I believe that this information is accessible from the Admin API. The kafka-ui application could be authed to Kafka as a service account, and the UI could provide the actual filtering down of permissions via the Admin API.
@thealmightygrant hey, we're planning to implement authentication via kafka's ACLs as a separate feature (#1597). Regarding mapping ACLs to our permissions, we'll try to implement something close (#2250), but I can't guarantee that we can do it one to one at all.
Frontend:
- disabled menu actions instead of hidden + explanation
hello @Haarolean just wanted to know when could this be GA. thank you
soon :)
Backend done, pending frontend
The feature is implemented. Documentation is here
Love this @Haarolean
I see this only supports oauth_google provider. How about support for other providers like Azure AD or Keycloak?
How to setup RBAC when using in kubernetes.
the same way you do with docker-compose. Or you can use our helm charts
@abhinavgautam07 I really got lost in the number of issues/discussions you've created. If it's being discussed in another place, let's do this there; if that's one more problem of yours, let's jump into discussions or discord. Cheers!
How did @abhinavgautam07 solve this problem? I need to add RBAC for kafka ui in kubernetes too, and there is no clear example of this.
@andreyolv there are examples of how to do that config-wise, the rest is just passing the config into k8s/helm. https://provectus.gitbook.io/kafka-ui/configuration/rbac-role-based-access-control
@Haarolean my question is exactly this, how to pass the settings to k8s/helm, there is no example
@andreyolv you can write like this
```yaml
yamlApplicationConfig:
  rbac:
    roles:
      - name: "myname"
        clusters:
          - mycluster
        subjects:
          -
```
@andreyolv
https://github.com/provectus/kafka-ui/tree/master/charts/kafka-ui
existingConfigMap or envs.config (I don't personally recommend this one), or yamlApplicationConfigConfigMap or yamlApplicationConfig.
We'll update the main wiki with the chart info soon, I have a lot on the plate documentation-wise rn.
@andreyolv, I am attaching a demo config that worked for me.
```yaml
yamlApplicationConfig:
  kafka:
    clusters:
      - name: production-cluster
        bootstrapServers: kafka-cluster-kafka-advertiser-0.ms-kafka.svc.cluster.local:9092
  auth:
    type: OAUTH2
    oauth2:
      client:
        google:
          provider: google
          clientId: XXXX.apps.googleusercontent.com
          clientSecret: GOCSPX-YYYY
          redirect_uri: https://kafka.urbancompany.com/login/oauth2/code/google
          user-name-attribute: email
          custom-params:
            type: google
            allowedDomain: urbancompany.com
  rbac:
    roles:
      - name: "admin"
        clusters:
          - production-cluster
        subjects:
          - provider: oauth_google
            type: user
            value: "[email protected]"
          - provider: oauth_google
            type: user
            value: "[email protected]"
          - provider: oauth_google
            type: user
            value: "[email protected]"
        permissions:
          - resource: clusterconfig
            actions: all
          - resource: topic
            value: ".*"
            actions: [ "view", "create", "edit", "delete", "messages_produce" ]
          - resource: consumer
            value: ".*"
            actions: all
          - resource: schema
            value: ".*"
            actions: all
          - resource: connect
            value: ".*"
            actions: all
          - resource: ksql
            actions: all
      - name: "readonly"
        clusters:
          - production-cluster
        subjects:
          - provider: oauth_google
            type: domain
            value: "urbancompany.com"
        permissions:
          - resource: clusterconfig
            actions: [ "view" ]
          - resource: topic
            value: ".*"
            actions: [ "view" ]
          - resource: consumer
            value: ".*"
            actions: [ "view" ]
          - resource: schema
            value: ".*"
            actions: [ "view" ]
          - resource: connect
            value: ".*"
            actions: [ "view" ]
```
PS: you can find the rest of the commands and config on artifactHub (`helm install my-kafka-ui kafka-ui/kafka-ui --version 0.5.2`). Also, a lot of thanks to @Haarolean, my issues are currently resolved; if any other issue comes up in the future, I will connect on discord.
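As an added example, not code from the kafka-ui project or from anyone in this thread: a small Python re-implementation of the check the opening post asks the backend to perform (which actions an authenticated user may take on a resource), evaluated against a constructed config with the same shape as the helm values above. The exact-address matching for `user` subjects, the e-mail-domain matching for `domain` subjects, and the expansion of `actions: all` to a wildcard are this example's own assumptions about the config's semantics, not the project's documented behaviour.

```python
import re

# Constructed config mirroring the shape of the helm values in the thread
# (placeholder addresses, not a real deployment). Matching rules below are
# this example's reading of the config, not kafka-ui's implementation.
RBAC = {"roles": [
    {"name": "admin", "clusters": ["production-cluster"],
     "subjects": [{"provider": "oauth_google", "type": "user", "value": "ops@example.com"}],
     "permissions": [
         {"resource": "clusterconfig", "actions": "all"},
         {"resource": "topic", "value": ".*",
          "actions": ["view", "create", "edit", "delete", "messages_produce"]}]},
    {"name": "readonly", "clusters": ["production-cluster"],
     "subjects": [{"provider": "oauth_google", "type": "domain", "value": "example.com"}],
     "permissions": [
         {"resource": "clusterconfig", "actions": ["view"]},
         {"resource": "topic", "value": "public-.*", "actions": ["view"]}]},
]}


def subject_matches(subject, provider, email):
    """'user' subjects match one exact address; 'domain' subjects match the whole
    e-mail domain (compared as a unit, so 'notexample.com' never matches)."""
    if subject["provider"] != provider:
        return False
    if subject["type"] == "user":
        return email.lower() == subject["value"].lower()
    if subject["type"] == "domain":
        return email.lower().rsplit("@", 1)[-1] == subject["value"].lower()
    return False  # unknown subject type: deny by default


def allowed_actions(config, provider, email, cluster, resource, name=None):
    """Union of actions from every role bound to this principal on this cluster.
    A permission carrying a 'value' regex only applies to a named object that
    fully matches it; 'actions: all' contributes the wildcard '*'."""
    actions = set()
    for role in config["roles"]:
        if cluster not in role["clusters"] or not any(
                subject_matches(s, provider, email) for s in role["subjects"]):
            continue
        for perm in role["permissions"]:
            if perm["resource"] != resource:
                continue
            pattern = perm.get("value")
            if pattern is not None and (name is None or not re.fullmatch(pattern, name)):
                continue
            acts = perm["actions"]
            actions |= {"*"} if acts == "all" else set(acts)
    return actions


def is_allowed(config, provider, email, cluster, resource, action, name=None):
    return bool(allowed_actions(config, provider, email, cluster, resource, name) & {"*", action})
```

The same `allowed_actions` set per resource is what the frontend needs in order to disable (rather than hide) the buttons a user cannot use, as proposed earlier in the thread.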
thank you guys!