
RBAC: Support Active Directory #54

Open
Haarolean opened this issue Jan 24, 2024 · 12 comments · May be fixed by #717
Assignees
Labels
area/rbac Related to Role Based Access Control feature scope/backend Related to backend changes type/enhancement En enhancement/improvement to an already existing feature
Milestone

Comments

@Haarolean
Member

Haarolean commented Jan 24, 2024

LdapSecurityConfig:

  • verify ActiveDirectoryLdapAuthenticationProvider does populate authorities properly (most likely, it doesn't)
  • if it doesn't, copy-paste ActiveDirectoryLdapAuthenticationProvider and (re)implement a populator (unless #4490 is resolved)

via provectus/kafka-ui#3741

@github-actions github-actions bot added the status/triage Issues pending maintainers triage label Jan 24, 2024
@Haarolean Haarolean added type/enhancement En enhancement/improvement to an already existing feature scope/backend Related to backend changes area/rbac Related to Role Based Access Control feature and removed status/triage Issues pending maintainers triage labels Jan 24, 2024
@Haarolean Haarolean self-assigned this Jan 24, 2024
@Haarolean Haarolean added this to the 1.1 milestone Jan 24, 2024
@germanosin germanosin assigned damirabdul and unassigned Haarolean Jan 26, 2024
@Haarolean
Member Author

the last part might be fixed pretty soon in spring-projects/spring-security#14539, so we might want to put this on hold.

@askfarz

This comment was marked as off-topic.

@germanosin

This comment was marked as off-topic.

@askfarz

This comment was marked as off-topic.

@Haarolean

This comment was marked as off-topic.

@Haarolean Haarolean modified the milestones: 1.1, 1.2 May 1, 2024
@Haarolean Haarolean removed this from Release 1.1 May 1, 2024
@mk-raven

mk-raven commented Oct 9, 2024

Spring Security 6.3.3 was released, and the issue was resolved:
spring-projects/spring-security#4490
So, could this issue be updated?

@wernerdv
Contributor

wernerdv commented Dec 12, 2024

@Haarolean Hi, do I understand correctly that to support RBAC for AD you need to add an implementation of the LdapAuthoritiesPopulator interface based on DefaultActiveDirectoryAuthoritiesPopulator for the Active Directory user?

If yes, I am ready to work on this task.

@Haarolean
Member Author

@wernerdv not quite. Since we've already upgraded to a newer spring boot/security with the DefaultActiveDirectoryAuthoritiesPopulator I implemented, we most likely don't have to do anything else here.

Can anyone with AD verify this works on main tag?

@wernerdv
Contributor

wernerdv commented Dec 16, 2024

@Haarolean I've tested with this configuration and RBAC with AD works as expected:

auth:
  type: LDAP
spring:
  ldap:
    urls: ldap://host:port
oauth2:
  ldap:
    activeDirectory: true
    activeDirectory.domain: <domain>

rbac:
  roles:
    - name: "<AD group>"
      clusters:
        - LOCAL
      subjects:
        - provider: ldap_ad
          # type: group <-- works without it
          # value: <AD group> <-- works without it
      permissions:
        - resource: topic
          value: ".*"
          actions: [ ... ]

But it only works if rbac.roles.name is a group from AD.
If not, then /api/authorization returns empty permissions:
https://github.com/kafbat/kafka-ui/blob/main/api/src/main/java/io/kafbat/ui/controller/AccessController.java#L37

And one more thing - you can do without subjects.value and subjects.type;
it was a surprise to me at first :)

@Haarolean
Member Author

Haarolean commented Dec 16, 2024

And one more thing - you can do without subjects.value and subjects.type

that's... not intended. Let's fix this within #716.

But it only works if rbac.roles.name is group from AD.

What makes you think so? In RbacLdapAuthoritiesExtractor.java#L41 we match RBAC subjects with your AD groups and collect RBAC roles if there's a match.
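As an added illustration of the matching step described above (example code written for this thread, not the project's RbacLdapAuthoritiesExtractor): a hypothetical matcher walks the configured RBAC roles, compares each ldap_ad group subject against the group authorities the AD populator produced for the user, and collects the roles that match. It assumes group-name comparison is case-insensitive, as AD group names are, and that a subject with no type or value matches nothing, which is the intended behaviour the thread points to.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class AdRoleMatcher {

    // Mirrors the YAML shape rbac.roles[].subjects[] (hypothetical types, not the project's classes)
    record Subject(String provider, String type, String value) {}
    record Role(String name, List<Subject> subjects) {}

    static final String PROVIDER_LDAP_AD = "ldap_ad";

    /** Returns the names of RBAC roles whose ldap_ad group subjects match one of the user's AD groups. */
    static Set<String> matchRoles(Set<String> adGroups, List<Role> roles) {
        // AD group names are case-insensitive, so normalise before comparing (assumption)
        Set<String> groups = adGroups.stream().map(String::toLowerCase).collect(Collectors.toSet());
        return roles.stream()
            .filter(role -> role.subjects().stream().anyMatch(s ->
                PROVIDER_LDAP_AD.equals(s.provider())
                    && "group".equals(s.type())
                    && s.value() != null
                    && groups.contains(s.value().toLowerCase())))
            .map(Role::name)
            .collect(Collectors.toSet());
    }

    public static void main(String[] args) {
        // Constructed sample: group authorities the AD populator produced for the logged-in user
        Set<String> userGroups = Set.of("KAFKA-ADMINS", "Domain Users");

        List<Role> roles = List.of(
            new Role("admins", List.of(new Subject("ldap_ad", "group", "kafka-admins"))),
            new Role("readers", List.of(new Subject("ldap_ad", "group", "kafka-readers"))),
            // subject without type/value: must not match anyone (the unintended case from the thread)
            new Role("everyone", List.of(new Subject("ldap_ad", null, null))));

        System.out.println(matchRoles(userGroups, roles));
    }
}
```

Only "admins" is collected: the case-insensitive group match succeeds, "readers" has no matching group, and the untyped subject is skipped rather than matching every user.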

@wernerdv
Contributor

@Haarolean
Member Author

@wernerdv yeah, I was wondering the same: how could it work for you?

Projects
Status: Todo

6 participants