RBAC: LDAP user belonging to many groups can't see anything

[MxFbk]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running master-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

Hi all,

I would want to configure RBAC but I'm still facing issues.

I can access on KafkaUI through our LDAP without problem, but introducing roles.yml I can log in but no clusters/resources are visible in the UI.

Looking at documentation I wasn't able to solve this on my own.

Sorry if it's my fault.

Thanks a lot.

Expected behavior

I would want to be able to configure RBAC with LDAP, but no success.

Your installation details

APP version 0.7.0

CONFIG:

compose.yml

  kafka-ui:
    image: provectuslabs/kafka-ui:latest
    container_name: kafka-ui
    ports:
      - "8083:8080"
    restart: always
    user: "0"
    environment:
      LOGGING_LEVEL_ROOT: debug
      LOGGING_LEVEL_COM_PROVECTUS: debug
      TZ: Europe/Rome
      KAFKA_ADMIN-CLIENT-TIMEOUT: 60000
      #######
      AUTH_TYPE: LDAP
      SPRING_LDAP_URLS: ldap://ldap_server:389
      SPRING_LDAP_BASE: CN=***********,OU=company,OU=tech_users,DC=g,DC=b,DC=s
      SPRING_LDAP_ADMIN-USER: CN=***********,OU=company,OU=tech_users,DC=g,DC=b,DC=s
      SPRING_LDAP_ADMINP-ASSWORD: **************************
      SPRING_LDAP_USER-FILTER-SEARCH-BASE: OU=obp,OU=users,DC=g,DC=b,DC=s
      #SPRING_LDAP_USER-FILTER-SEARCH-FILTER: "(&(sAMAccountName={0})(memberOf=CN=FBK_AWX_PRE,OU=company,OU=tech_users,DC=g,DC=b,DC=s)(memberOf=CN=FBK_AWX_PRO,OU=company,OU=tech_users,DC=g,DC=b,DC=s))"
      SPRING_LDAP_USER-FILTER-SEARCH-FILTER: "(sAMAccountName={0})"
      SPRING_LDAP_GROUP-FILTER-SEARCH-BASE: OU=company,OU=tech_users,DC=g,DC=b,DC=s
      SPRING_CONFIG_ADDITIONAL-LOCATION: /roles.yml
      #      AUTH_TYPE: "LOGIN_FORM"
      #      SPRING_SECURITY_USER_NAME: team
      #      SPRING_SECURITY_USER_PASSWORD: **************************
      #######
      KAFKA_CLUSTERS_0_NAME: fbk_kafka_tst
      ... ... ... ...
      #######
      KAFKA_CLUSTERS_1_NAME: fbk_kafka_pre
      ... ... ... ...
      #######
      JAVA_OPTS: ... ... ...
    volumes:
      - type: bind
        source: /opt/kafkaui/logs
        target: /opt/kafkaui/logs
      - type: bind
        source: /opt/kafkaui/config
        target: /opt/kafkaui/config
      - /etc/localtime:/etc/localtime:ro
      - /opt/kafkaui/roles.yml:/roles.yml

roles.yml

  roles:
    - name: "itop"
      clusters:
        - fbk_kafka_tst
        - fbk_kafka_pre
      subjects:
        - provider: ldap
          type: group
          value: "FBK_AWX_PRO"
      permissions:
        - resource: applicationconfig
          actions: all

        - resource: clusterconfig
          actions: all

        - resource: topic
          value: ".*"
          actions: all

        - resource: consumer
          value: ".*"
          actions: all

        - resource: schema
          value: ".*"
          actions: all

        - resource: connect
          value: ".*"
          actions: all

        - resource: ksql
          actions: all

        - resource: acl
          value: ".*"
          actions: [ view ]

Steps to reproduce

ENABLING roles through "roles.yml" I can log in but no permissions granted.
DISABLING roles I can see everything.

Screenshots

No response

Logs

Using DEBUG LEVEL I can see RIGHT Granted Authorities linked to my user:

2023-06-01T16:50:42.037+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@7a13056c, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@39d4f754'

All Granted Authorities are right and associated to my user.

Calling /api/clusters context I'll receive an empty array when roles enabled.
Looking at response calling /api/authorization I receive:

{"rbacEnabled":true,"userInfo":{"username":"my_user","permissions":[]}}

Looking for ISSUES in LOGS at DEBUG LEVEL I can see just this:

2023-06-01T17:15:25.428+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.w.s.adapter.HttpWebHandlerAdapter    : [d9bf5fa6-83] HTTP GET "/manifest.json"
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'POST /login'
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=GET}
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'GET /login'
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=GET}
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'GET /logout'
2023-06-01T17:15:25.429+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.w.s.s.DefaultWebSessionManager       : Created new WebSession.
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [reactor-http-epoll-1] r.n.http.server.HttpServerOperations     : [3d9fe5e1-17, L:/10.170.59.2:8080 - R:/192.168.116.41:41480] Decreasing pending responses, now 0
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'POST /logout'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [reactor-http-epoll-1] r.n.http.server.HttpServerOperations     : [3d9fe5e1-17, L:/10.170.59.2:8080 - R:/192.168.116.41:41480] Last HTTP packet was sent, terminating the channel
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [reactor-http-epoll-1] r.netty.channel.ChannelOperations        : [3d9fe5e1-17, L:/10.170.59.2:8080 - R:/192.168.116.41:41480] [HttpServer] Channel inbound receiver cancelled (operation cancelled).
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/css/**', method=null}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /css/**'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/js/**', method=null}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /js/**'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/media/**', method=null}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /media/**'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/resources/**', method=null}
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /resources/**'
2023-06-01T17:15:25.430+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/actuator/health/**', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /actuator/health/**'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/actuator/info', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /actuator/info'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/auth', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /auth'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /login'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /logout'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/oauth2/**', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /oauth2/**'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/static/**', method=null}
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] athPatternParserServerWebExchangeMatcher : Request 'GET /manifest.json' doesn't match 'null /static/**'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/manifest.json' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@7dfa736e
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] ebSessionServerSecurityContextRepository : No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@3f0f7993'
2023-06-01T17:15:25.431+02:00 DEBUG 1 --- [parallel-4] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization failed: Access Denied

All other context are authorized with "Authorization successful".

Additional context

No response

[MxFbk]

I can add an info after more investigation.

When roles disabled call on /api/clusters gives back a JSON:

2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/api/clusters' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizatio
nManager@68d25c9b
2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=LdapUserDetailsImp
l [Dn=cn=GBS07272,ou=OBP,ou=Utenze,dc=SG,dc=GBS,dc=PRO; Username=GBS07272; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[]], Credentials=[PROTECTE
D], Authenticated=true, Details=null, Granted Authorities=[]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@18a9a3f5'
2023-06-01T17:53:10.802+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization successful
2023-06-01T17:53:10.850+02:00 DEBUG 1 --- [reactor-http-epoll-2] .s.w.r.r.m.a.ResponseEntityResultHandler : [d2999f34-14] Using 'application/json' given [*/*] and supported [application/json]
2023-06-01T17:53:10.850+02:00 DEBUG 1 --- [reactor-http-epoll-2] .s.w.r.r.m.a.ResponseEntityResultHandler : [d2999f34-14] 0..N [com.provectus.kafka.ui.model.ClusterDTO]
2023-06-01T17:53:10.864+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.http.codec.json.Jackson2JsonEncoder  : [d2999f34-14] Encoding [class ClusterDTO {<EOL>    name: fbk_kafka_tst<EOL>    defaultCluster: null<EOL>    status: initializing<EOL>    las (truncated)...]
2023-06-01T17:53:10.875+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.http.codec.json.Jackson2JsonEncoder  : [d2999f34-14] Encoding [class ClusterDTO {<EOL>    name: fbk_kafka_pre<EOL>    defaultCluster: null<EOL>    status: initializing<EOL>    las (truncated)...]
2023-06-01T17:53:10.877+02:00 DEBUG 1 --- [reactor-http-epoll-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [d2999f34-14] Completed 200 OK

If roles enabled no JSON is given back even if Authorization successful.

2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/api/clusters' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizatio
nManager@ee8a53b
2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafk
a.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.se
ssion.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.748+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization successful
2023-06-01T17:58:29.749+02:00 DEBUG 1 --- [reactor-http-epoll-4] s.w.r.r.m.a.RequestMappingHandlerMapping : [1e948963-14] Mapped to com.provectus.kafka.ui.controller.ClustersController#getClusters(ServerWebExchange)
2023-06-01T17:58:29.801+02:00 DEBUG 1 --- [reactor-http-epoll-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [1e948963-14] Using 'application/json' given [*/*] and supported [application/json]
2023-06-01T17:58:29.801+02:00 DEBUG 1 --- [reactor-http-epoll-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [1e948963-14] 0..N [com.provectus.kafka.ui.model.ClusterDTO]
2023-06-01T17:58:29.816+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.817+02:00 DEBUG 1 --- [reactor-http-epoll-4] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@62561f8a, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[FBK_AWX_PRO, FBK_AWX_PRE, ACL_FBK_FBK_ELK, ACL_FBK_ELK_APM]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@71e16474'
2023-06-01T17:58:29.821+02:00 DEBUG 1 --- [reactor-http-epoll-4] o.s.w.s.adapter.HttpWebHandlerAdapter    : [1e948963-14] Completed 200 OK

[gastoncan]

Hi Kafka-UI team :)
First of all, I wanted to thank you for the great job you are doing developing this great app!
While trying the new RBAC feature, I am getting an empty list of permissions when calling the /api/authorization API; despite I am authenticated and my groups are properly found. Additionally, I removed myself from all LDAP security groups but the relevant one for authentication and authorization (a single group); but the issue is still reproducing.
Looks like my user's authentication info is not properly binded to rbac configuration.

yamlApplicationConfig:
  kafka:
    clusters:
      - name: kafka
        bootstrapServers: kafka-host:9094
  auth:
    type: "LDAP"
  spring:
    ldap:
      admin-password: pppp
      admin-user: CN=yyyy
      urls: ldap://ldap-host.company.local:389
      user-filter-search-base: OU=users,OU=my-company,DC=company,DC=local
      user-filter-search-filter: (&(sAMAccountName={0})(objectClass=person)(memberOf=CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local))
      group-filter-search-base: OU=Kafka_UI,OU=my-company,DC=company,DC=local
  rbac:
    roles:
      - name: "admin"
        clusters:
          - kafka
        subjects:
          - provider: ldap
            type: group
            value: "kafkaui_admin"
        permissions:
          - resource: applicationconfig
            actions: all
          - resource: clusterconfig
            actions: all
          - resource: topic
            value: ".*"
            actions: all
          - resource: consumer
            value: ".*"
            actions: all
          - resource: schema
            value: ".*"
            actions: all
          - resource: connect
            value: ".*"
            actions: all
          - resource: ksql
            actions: all
          - resource: acl
            value: ".*"
            actions: [ view ]

/api/authorization:
{"rbacEnabled":true,"userInfo":{"username":"xxxxx","permissions":[]}}

/api/clusters:
[]

2023-06-04 09:24:57,079 DEBUG [reactor-http-epoll-1] o.s.w.s.a.HttpWebHandlerAdapter: [5ee84444-282] HTTP POST "/login"
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Checking match of request : '/login'; against '/login'
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: matched
2023-06-04 09:24:57,080 DEBUG [reactor-http-epoll-1] r.n.c.FluxReceive: [5ee84444-10, L:/10.XXX.YYY.ZZZ:8080 - R:/10.AAA.BBB.CCC:7306] [terminated=false, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2023-06-04 09:24:57,081 DEBUG [reactor-http-epoll-1] o.s.h.c.FormHttpMessageReader: [5ee84444-282] Read form fields [username, password] (content masked)
2023-06-04 09:24:57,081 DEBUG [boundedElastic-9] o.s.s.l.a.BindAuthenticator: Failed to bind with any user DNs []
2023-06-04 09:24:57,096 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:ppp'
2023-06-04 09:24:57,109 DEBUG [boundedElastic-9] o.s.s.l.SpringSecurityLdapTemplate: Found DN: CN=xxxxx
2023-06-04 09:24:57,110 DEBUG [boundedElastic-9] o.s.s.l.s.FilterBasedLdapUserSearch: Found user 'xxxxx', with FilterBasedLdapUserSearch [searchFilter=(&(sAMAccountName={0})(objectClass=person)(memberOf=CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local)); searchBase=OU=my-company,DC=company,DC=local; scope=subtree; searchTimeLimit=0; derefLinkFlag=false ]
2023-06-04 09:24:57,148 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:389'
2023-06-04 09:24:57,153 DEBUG [boundedElastic-9] o.s.s.l.a.BindAuthenticator: Bound cn=xxxxx
2023-06-04 09:24:57,153 DEBUG [boundedElastic-9] o.s.l.c.LdapTemplate: The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2023-06-04 09:24:57,167 DEBUG [boundedElastic-9] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldap://ldap-host.company.local:ppp'
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Found roles from search [{spring.security.ldap.dn=[CN=kafkaui_admin,OU=Kafka_UI,OU=my-company,DC=company,DC=local], cn=[kafkaui_admin]}]
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Retrieved authorities for user cn=xxxxx
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.u.LdapUserDetailsMapper: Mapping user details from context with DN cn=xxxxx
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.l.a.LdapAuthenticationProvider: Authenticated user
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] i.n.h.c.h.c.ServerCookieDecoder: Skipping cookie because value 'consentid:bXlGQzBYS09DYUtwaWRDcHUzc1VJQ0RnaXVSaTU4RVk,consent:yes,action:yes,necessary:yes,functional:yes,analytics:yes,performance:yes,advertisement:yes,other:yes' contains invalid char ','
2023-06-04 09:24:57,173 DEBUG [boundedElastic-9] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Saved SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:24:57,175 DEBUG [parallel-1] o.s.s.w.s.DefaultServerRedirectStrategy: Redirecting to '/'
2023-06-04 09:24:57,175 DEBUG [parallel-1] o.s.w.s.a.HttpWebHandlerAdapter: [5ee84444-282] Completed 302 FOUND

2023-06-04 09:29:52,177 DEBUG [reactor-http-epoll-1] o.s.w.s.a.HttpWebHandlerAdapter: [96887c8f-352] HTTP GET "/api/authorization"
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=POST}
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher: Request 'GET /api/authorization' doesn't match 'POST /login'
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher: No matches found
...
2023-06-04 09:29:52,178 DEBUG [reactor-http-epoll-1] o.s.s.w.s.a.DelegatingReactiveAuthorizationManager: Checking authorization on '/api/authorization' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@acdc038
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.s.w.s.a.AuthorizationWebFilter: Authorization successful
2023-06-04 09:29:52,179 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.RequestMappingHandlerMapping: [96887c8f-352] Mapped to com.provectus.kafka.ui.controller.AccessController#getUserAuthInfo(ServerWebExchange)
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@5ed7492d, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[kafkaui_admin]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@93663f7'
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.ResponseEntityResultHandler: [96887c8f-352] Using 'application/json' given [text/html, application/xhtml+xml, image/avif, image/webp, image/apng, application/xml;q=0.9, */*;q=0.8, application/signed-exchange;v=b3;q=0.7] and supported [application/json]
2023-06-04 09:29:52,180 DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.ResponseEntityResultHandler: [96887c8f-352] 0..1 [com.provectus.kafka.ui.model.AuthenticationInfoDTO]
2023-06-04 09:29:52,181 DEBUG [reactor-http-epoll-1] o.s.h.c.j.Jackson2JsonEncoder: [96887c8f-352] Encoding [class AuthenticationInfoDTO {<EOL>    rbacEnabled: true<EOL>    userInfo: class UserInfoDTO {<EOL>        userna (truncated)...]

[Haarolean]

HI, if this doesn't solve your problem either, please raise a new discussion in favor or hijacking other threads :) Thanks

[Haarolean]

@MxFbk

Hey, LDAP authorities currently are bound as-is for role names, not the ldap' subject values, so, for now, you can rename your role ( - name: "itop" to one of the authorities you have). We've changed things back and forth which led to this behavior, but we're planning to get both (matching via role name and subject) in 0.7.1.

[gastoncan]

Hi @Haarolean;
Your suggestion solved my issue, I appreciate your time.
Thank you very much.

[gastoncan]

Can I suggest to improve the documentation reflecting the product behavior more clearly?

[MxFbk]

Hi @Haarolean,

thank you very much. Your suggestion solved my config issue.

I agree with @gastoncan about documentation and examples.

Just one last question:

Which is the right use of "subjects" value if role name is linked to authorities.
Is it just one more filter on user groups?

Thanks

[apellegr06]

Hi,

This trick solved my issue also :)

Thank you

[Haarolean]

Can I suggest to improve the documentation reflecting the product behavior more clearly?

We're gonna fix it soon so no documentation update will be needed