
Console over-restrains allowed role names

Open JFlath opened this issue 1 year ago • 6 comments

In Console we apply this filter:

https://github.com/redpanda-data/console/blob/c99b26ed8d033f076467c12d02895779b18b0907/proto/redpanda/api/console/v1alpha1/security.proto#L80

However Redpanda itself isn't so strict:

https://github.com/redpanda-data/redpanda/blob/dev/src/v/redpanda/admin/security.cc#L293
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L362
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L193
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L34-L45

Redpanda's implementation seems in keeping with others. Notably, Console doesn't allow `.` in a Role.

JFlath avatar Oct 04 '24 09:10 JFlath

N.B. The line referenced is one example, but the same applies for all requests in that file (and possibly more broadly)

JFlath avatar Oct 04 '24 09:10 JFlath
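The mismatch described in the issue (one layer validates role names more strictly than the layer that actually stores them) is easy to catch with a differential check. The Go program below is an added example, not code from Console or Redpanda: the two regular expressions are stand-ins chosen only to reproduce the reported behaviour (Console rejects `.`, Redpanda accepts it) and are not copied from security.proto or scram_algorithm.cc. The `OverRestrained` helper reports names the permissive backend check accepts but the stricter frontend check rejects, and `PathEscapeChanges` shows that `.` does not need URL encoding (it is an unreserved character), which bears on the URL-encoding concern raised later in the thread.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Assumed validators for illustration. Neither pattern is the real one
// used by Console or Redpanda; they only model the behaviour the issue
// describes: the frontend check rejects '.', the backend check allows it.
var (
	frontendRole = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)
	backendRole  = regexp.MustCompile(`^[A-Za-z0-9_.@-]{1,128}$`)
)

// OverRestrained returns, in input order, every name that the backend
// validator accepts but the frontend validator rejects. Any such name can
// be created out of band (e.g. via rpk against the Admin API) and will
// then exist in the cluster while the frontend refuses to handle it.
func OverRestrained(names []string) []string {
	var out []string
	for _, n := range names {
		if backendRole.MatchString(n) && !frontendRole.MatchString(n) {
			out = append(out, n)
		}
	}
	return out
}

// PathEscapeChanges reports whether a role name is altered by URL path
// escaping. '.' is an unreserved character, so names like "my.team" pass
// through unchanged; a space or slash would not.
func PathEscapeChanges(name string) bool {
	return url.PathEscape(name) != name
}

func main() {
	// Constructed sample names, including the one quoted in the issue.
	candidates := []string{"my.team", "team", "ops@prod", "a b", "x/y"}
	for _, n := range OverRestrained(candidates) {
		fmt.Printf("backend accepts %q but frontend rejects it (escaping changes it: %v)\n",
			n, PathEscapeChanges(n))
	}
}
```

Run this as part of a test suite whenever either validator changes, so that the frontend's accepted set can only ever be a superset of what the backend already allows, never a subset.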

I think we had discussions about constraining the character set for roles to the same rules that apply to topics. Reason being things such as:

  • More complex characters usually not needed / desired
  • URL encoding (in Console and Admin API)
  • We'd need to ensure we can display all allowed characters and length accordingly
  • We may want to be a bit opinionated to establish some convention on the naming
  • We can always become less strict but not the other way round, hence we started with this character set

Is there a specific reason to relax the requirements?

weeco avatar Oct 04 '24 12:10 weeco

So at the moment you can use rpk to create a role called `my.team`. Console will then fail to work with that correctly even though it's a real role that exists within Redpanda. I agree with the points raised, but the convention/standard has already been defined by what we allow in Redpanda itself.

JFlath avatar Oct 04 '24 12:10 JFlath

The API is cloud exclusive and RPK uses that API as well. In RP Cloud no one can create a role with a different convention because everything has to go through Console.

weeco avatar Oct 04 '24 12:10 weeco

We may be talking at cross purposes here, not sure: `rpk security role create my.team` uses Redpanda's Admin API directly (`/v1/security/roles`) and is available on Self Hosted clusters. I do see this in the code, though, that seems to suggest we permanently gate this?

https://github.com/redpanda-data/console/blob/master/frontend/src/state/supportedFeatures.ts#L54-L56

JFlath avatar Oct 04 '24 13:10 JFlath

> I think we had discussions about constraining the character set for roles to the same rules that apply to topics. Reason being things such as:

Currently with Console you can also create a topic containing `.` like `test.example`, but you can't create a role like that. So this is not consistent.

burandobata avatar Oct 04 '24 15:10 burandobata

@weeco sounds like we might have an update here after more investigation?

mattschumpert avatar Nov 01 '24 18:11 mattschumpert

Fixed via https://github.com/redpanda-data/console/pull/1490

weeco avatar Nov 03 '24 13:11 weeco