Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend the external role support #927

Closed
angeloxx opened this issue Nov 24, 2021 · 3 comments
Closed

Extend the external role support #927

angeloxx opened this issue Nov 24, 2021 · 3 comments
Labels
enhancement New feature or request login Login & Acls on AKHQ

Comments

@angeloxx
Copy link

In order to support complex scenario where for each LDAP group the user obtain rights to write or read a topic I'm trying to use the external role support, receiving the list user's LDAP group, to authorise the user with the right role for each topic.

Current external role support (seems to) support only a single role attribution, but I need something like:

[{
  "roles": ["topic/read", "..."],
  "attributes":
  {
    "topics-filter-regexp": [".*"],
    "connects-filter-regexp": [".*"],
    "consumer-groups-filter-regexp": [".*"]
  }
},
{
  "roles": ["topic/write", "..."],
  "attributes":
  {
    "topics-filter-regexp": ["^topic-rw.*"],
    "connects-filter-regexp": [".*"],
    "consumer-groups-filter-regexp": [".*"]
  }
}]

Is it possible to extend the external role support in order to map multiple roles?
@tchiotludo
Copy link
Owner

@twobeeb ? 😄

@twobeeb
Copy link
Contributor

twobeeb commented Nov 24, 2021

Short answer : It's not possible with current security model.

Long answer :
The current security model allows for a single list of roles and 3 filters that applies to the whole AKHQ instance for a given authenticated user.
The roles are applies to the pages:

  • topic/read lets you access topic API, for all Kafka clusters See code
  • topic/create lets you access the create topic API, for all Kafka clusters See code

Attributes are applied to the list API:

  • On the list topics page, results are optionally filtered with topics-filter-regexp irrespective of the Kafka clusters See code
  • Same for connects and consumer groups

I really mean that attributes applies only to list APIs: so if you have topic/create role and topics-filter-regexp attribute, you can still create any topic name.

We are aware of the limitation, that's why the discussion #523 is a good place to explain your needs, which could potentially be taken into account at some point in time.
There are several things to consider : roles per cluster, resources per cluster, roles per resource (as you suggest), and so on... I believe the subject is quite complex

@tchiotludo tchiotludo added enhancement New feature or request login Login & Acls on AKHQ labels Feb 24, 2022
@tchiotludo
Copy link
Owner

done in #1472

@tchiotludo tchiotludo moved this to Done in Backlog Jun 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request login Login & Acls on AKHQ
Projects
Backlog
Status: Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@angeloxx @tchiotludo @twobeeb