0.7: ACLs, LDAP & Generic OAuth support for RBAC #3814
-
Hey!
-
Hi, is it possible to provide some complete examples about Azure AD RBAC setup? On my side, I encountered issues with this topic like Many thanks!
-
RBAC with LDAP does not work for me on v0.7.0.

```yaml
kafka:
  clusters:
    - name: dev
      readOnly: false
      bootstrapServers: ${KAFKA_BOOTSTRAP}:9093
auth:
  type: LDAP
spring:
  ldap:
    urls: ldap://${AD_SERVER}
    base: "sAMAccountName={0},ou=${USERS_OU},dc=${AD_SERVER}"
    admin-user: "cn=${LDAP_ADMIN_USERNAME},dc=${AD_SERVER}"
    admin-password: "${LDAP_ADMIN_PASSWORD}"
    user-filter-search-base: "dc=${AD_SERVER}"
    user-filter-search-filter: "(&(sAMAccountName={0})(objectClass=user)(|(memberof=CN=${GROUP_NAME},OU=${GROUPS_OU},DC=${AD_SERVER})))"
    group-filter-search-base: "OU=${GROUPS_OU},DC=${AD_SERVER}"
oauth2:
  ldap:
    activeDirectory: false
    activeDirectory.domain: "${AD_SERVER}"
rbac:
  roles:
    - name: "admins"
      clusters:
        - dev
      subjects:
        - provider: ldap
          type: group
          value: "${GROUP_NAME}"
      permissions:
        - resource: applicationconfig
          # value not applicable for applicationconfig
          actions:
            - view
            # - edit
        - resource: clusterconfig
          # value not applicable for clusterconfig
          actions:
            - view
            # - edit
        - resource: topic
          value: ".*"
          actions:
            - view
            # - create
            # - edit
            # - delete
            - messages_read
            - messages_produce
            - messages_delete
        - resource: consumer
          value: ".*"
          actions:
            - view
            - delete
            - reset_offsets
        - resource: schema
          value: ".*"
          actions:
            - view
            - create
            - delete
            - edit
            # - modify_global_compatibility
        - resource: connect
          value: ".*"
          actions:
            - view
            # - edit
            # - create
        - resource: ksql
          # value not applicable for ksql
          actions:
            - execute
        # - resource: acl
        #   # value not applicable for acl
        #   value: ".*" # FIXME: it crashes if this is removed
        #   actions:
        #     - view
        #     # - edit
```

I am able to login but I cannot see any clusters: I have enabled DEBUG logs and I can see this:
If I remove the
-
Hi, I've been struggling with getting OAuth2 working with Keycloak and a self-signed cert. My problem is I can't seem to get it to pick up my trust-store, so I end up with a I'm running in Minikube with a static manifest at the moment. Here's (what I think is) the relevant config:
I believe I've tried every permutation of Any hints?
-
Closing as this thread becomes a pile of off-topic messages which should be separate issues/discussions.
-
Release 0.7 with ACLs, LDAP & Generic OAuth support for RBAC
¡Hola! We're excited to announce the latest release of UI for Apache Kafka!
This new version comes packed with a range of new features, enhancements, and bug fixes to improve your experience.
Here's a closer look at some of the highlights:
New Features
ACL Lists: UI for Apache Kafka now gives you access to your Kafka's ACL lists in read-only mode, allowing you to monitor and review them in greater detail. This feature lays the groundwork for more advanced functionality in the upcoming 0.8 release, where we plan to introduce full ACL editing capabilities.
UI Dark Theme: Take a break from the bright lights with the dark theme. You can even activate the auto-mode feature to have the interface switch automatically between light and dark modes depending on your system settings.
RBAC: LDAP Support: We've added support for fetching roles via LDAP, enabling you to authenticate and manage users' roles across your organization more efficiently.
RBAC: Generic OAuth2 Support: UI for Apache Kafka now supports fetching roles with any generic OAuth2 provider.
Significant Enhancements
RBAC: Separate KC Restart Permission: Managing Kafka Connect permissions just got easier with the new KC Restart permission, providing a more granular approach to managing your roles.
Broker Skew Displayed in UI: You can now monitor broker skew directly in UI, providing deeper insights into the state of your Kafka cluster.
Data Masking: Regex Support for Field Names: We've introduced support for regular expressions in field names for data masking, providing more powerful masking capabilities.
Opt-Out of Version Check: To support air-gap environments further, we got rid of version check requests on frontend. Since they're performed on the backend now, from now on, your frontend won't fail if there's no internet connection.
User Experience (UX) Improvements
Kafka Connect Quick Actions: Accessing Kafka Connect actions is now easier with the new quick actions feature in the sandwich menu.
Keep Contents Switch: We've added a new "keep contents" switch on message produce, allowing you to retain message content after production for a smoother and more efficient workflow.
BREAKING CHANGES
Of course, there are some!
spring.ldap.dn.pattern property name with spring.ldap.base. That's made to better match spring properties.
mask action, replaced pattern with fieldsNamePattern.
We hope you enjoy using UI for Apache Kafka and find these new features and enhancements useful. As always, we welcome your feedback and suggestions for future releases. Thank you for choosing UI for Apache Kafka, and we look forward to bringing you more exciting updates in the future!
Best regards,
Provectus & Contributors
Issues closed: https://github.com/provectus/kafka-ui/milestone/11?closed=1
All changes in a formatted way: https://gist.github.com/Haarolean/29a7040382a5386a01ecc3cf34fa3f04
Full Changelog: v0.6.0...v0.7.0
Contributors
@David-DB88, @Haarolean, @NeiruBugz, @RaajuKanuri, @VladSenyuta, @a1tair6, @blacktower88, @dependabot, @dependabot[bot], @iliax, @inanc-can, @michal-cesek, @nisanohana3 and @winnie-chiu
This discussion was created from the release 0.7: ACLs, LDAP & Generic OAuth support for RBAC.