RBAC: Unclear required access level for the audit topic #460
Comments
And I think that _kui_audit_log is just a topic, but then why the rule:
but I still get 403 FORBIDDEN
Aah, sorry, there actually is a special treatment for the audit topic:
Please let me know if it works for you.
It doesn't work for me, here is my RBAC:
And still, when reading the topic __kui-audit-log from the UI, the logs show Completed 403 FORBIDDEN
This particular config works for me:
The question of why we'd need both still remains; we'll take a look into this. For now, please add both actions to your config, this should work.
Thank you very much, it works.
Is the issue resolved?
@Ansh7899 nope, feel free to tackle this! We should allow access to the audit topic via
Issue submitter TODO list
- main-labeled docker image and the issue still persists there

Describe the bug (actual behavior)
Lack of access to _kui_audit_log topic messages when configuring LDAP and RBAC.
If you disable RBAC, then access to messages is available. What could be the reason for this behavior?
Expected behavior
Reading messages in the _kui_audit_log topic using kui even if RBAC is enabled
Your installation details
```yaml
auth:
  type: LDAP
spring:
  jmx:
    enabled: true
  ldap:
    urls: ldap://ms.it.domain.com:389
    base:
    admin-user:
    admin-password:
    user-filter-search-base: DC=it,DC=domain,DC=com
    user-filter-search-filter: (&(uid={0})(objectClass=inetOrgPerson))
    group-filter-search-base: ou=Groups,DC=it,DC=domain,DC=com
kafka:
  clusters:
    - name: Kafka-cluster-1
      bootstrapServers: kafka1.com,kafka2.com,kafka3.com
      ssl:
        truststorelocation: /truststore.jks
        truststorepassword:
      properties:
        security:
          protocol: SASL_SSL
        sasl:
          mechanism: PLAIN
          jaas:
            config: org.apache.kafka.common.security.plain.PlainLoginModule required username="" password="";
rbac:
  roles:
    - name: "admins"
      clusters:
        - Kafka-cluster-1
      subjects:
        - provider: ldap
          type: group
          value: "MS"
```
Steps to reproduce
Enable LDAP, enable RBAC
Screenshots
No response
Logs
```text
, String, String, Long, Long, String, String, String, ServerWebExchange)
2024-06-27 15:35:40,259 DEBUG [reactor-http-epoll-4] o.s.w.s.a.HttpWebHandlerAdapter: [ea53e5a8-59] Completed 403 FORBIDDEN
2024-06-27 15:35:41,638 DEBUG [reactor-http-epoll-4] o.s.w.s.a.HttpWebHandlerAdapter: [ea53e5a8-60] HTTP GET "/api/clusters/Kafka-cluster-1/topics/__kui-audit-log/messages/v2?limit=100&mode=LATEST"
2024-06-27 15:35:41,640 DEBUG [reactor-http-epoll-4] o.s.w.r.r.m.a.RequestMappingHandlerMapping: [ea53e5a8-60] Mapped to io.kafbat.ui.controller.MessagesController#getTopicMessagesV2(String, String, PollingModeDTO, List, Integer, String, String, Long, Long, String, String, String, ServerWebExchange)
```
Additional context
Similar problem on https://github.com/provectus/kafka-ui; perhaps you need to explicitly set the access rules. ACL is disabled on Kafka.
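The working configuration the maintainer refers to above was not captured in this thread. The following is an added example (not the issue author's config and not the project's reference configuration) of what a role with both grants looks like, assuming the kafka-ui RBAC schema where each role carries a `permissions` list of `resource`/`value`/`actions` entries and where the audit log is exposed both as the `audit` resource and as a regular topic; the topic name is taken from the request path in the logs above, and `VIEW` and `MESSAGES_READ` are the actions this example assumes the "both" in the thread refers to. The role's `clusters` and `subjects` mirror the reporter's config.

```yaml
# Added example: role that can read the audit log through the UI with RBAC enabled.
# Assumption: the audit log is checked twice, once as the "audit" resource and once
# as the underlying topic, so a role needs a grant on each (see the thread above).
rbac:
  roles:
    - name: "admins"
      clusters:
        - Kafka-cluster-1
      subjects:
        - provider: ldap
          type: group
          value: "MS"
      permissions:
        # Grant on the audit resource itself (audit page / audit API).
        - resource: audit
          actions: [ VIEW ]
        # Grant on the backing topic; the name matches the request in the logs
        # (/topics/__kui-audit-log/messages/v2), not the "_kui_audit_log" spelling
        # used in the bug description.
        - resource: topic
          value: "__kui-audit-log"
          actions: [ VIEW, MESSAGES_READ ]
```

With only one of the two entries present, the 403 FORBIDDEN from HttpWebHandlerAdapter in the logs is the expected symptom; granting the topic entry with a narrow `value` rather than a wildcard keeps the role limited to the audit topic instead of every topic on the cluster.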