BE: RBAC: Ignore values for non-applicable resources #253

Open
4 tasks done
Sahay-ohikc opened this issue Mar 29, 2024 · 2 comments · May be fixed by #503
Labels: area/rbac (Related to Role Based Access Control feature), good first issue (Up for grabs), scope/backend (Related to backend changes), status/triage/completed (Automatic triage completed), type/bug (Something isn't working)

Sahay-ohikc commented Mar 29, 2024

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I get 500 errors while trying to get Broker configs or edit the dynamic config of a cluster.
Roman Zabaluev suggested that it may be a bug with RBAC. Logs and RBAC config are in the attachment.
log-events-viewer-result.csv
rbac-qa.zip

Expected behavior

Cluster dynamic config reachable.
Broker configs tab working.

Your installation details

I'm running an image 2956664 v1.0.0 from ghcr.io/kafbat/kafka-ui:latest
I build a custom image in ECR with this simple Dockerfile:

        FROM provectuslabs/kafka-ui:latest
        COPY rbac-qa-test.yml /roles.yml
        ENV SPRING_CONFIG_ADDITIONAL-LOCATION /roles.yml
        EXPOSE 8080

It is deployed on AWS ECS with AWS IAM authorization to Cluster and Cognito authorization to Kafka-UI with RBAC enabled.
Cluster config is transferred via env variables.
rbac-qa.zip

Steps to reproduce

Use configuration to deploy KafkaUI, then click the appropriate "configure" button or broker config tab.

Logs

1711720109267,java.lang.IllegalStateException: null
1711720109267, at com.google.common.base.Preconditions.checkState(Preconditions.java:496)
1711720109267, Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:

1711720109267,Original Stack Trace:
1711720109267, at com.google.common.base.Preconditions.checkState(Preconditions.java:496)
1711720109267, at io.kafbat.ui.model.rbac.AccessContext$SingleResourceAccess.lambda$isAccessible$1(AccessContext.java:72)

log-events-viewer-result.csv

Additional context

No response

@Sahay-ohikc Sahay-ohikc added status/triage Issues pending maintainers triage type/bug Something isn't working labels Mar 29, 2024
@kapybro kapybro bot added status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Mar 29, 2024
@Haarolean Haarolean self-assigned this Mar 29, 2024
@Haarolean Haarolean added area/rbac Related to Role Based Access Control feature and removed status/triage/manual Manual triage in progress labels Mar 29, 2024
@Haarolean Haarolean added this to the 2.0 milestone Mar 29, 2024
Member

Haarolean commented Mar 30, 2024

Fails at io/kafbat/ui/model/rbac/AccessContext.java:72 due to the config containing non-allowed values for app and cluster configs:

        - resource: applicationconfig
#          value: ".*"
          actions: ALL
        - resource: clusterconfig
#          value: ".*"
          actions: ALL

TODO:

  1. Either ignore these or make it clear in logs (upon start, ideally) that the config is not valid.

Also #275
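
One way to cover both options in the TODO above, as an added example that is not part of this issue thread or of the kafka-ui code base: check the roles at startup and either drop the stray `value` with a warning or refuse to start with a message naming the role and resource, instead of failing with `IllegalStateException: null` on the first request. The `Permission` and `Result` records, the `normalize` method, the role name `qa` and the `topic` rule are hypothetical and the sample permissions are constructed; records need Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class RbacValueCheck {
  // The two resources named in the comment above: they cover the whole application or
  // cluster, so a "value" pattern has nothing to match against.
  static final Set<String> NO_VALUE_RESOURCES = Set.of("applicationconfig", "clusterconfig");

  // Hypothetical stand-in for one "permissions" entry of the roles file.
  record Permission(String resource, String value, List<String> actions) {}

  record Result(List<Permission> effective, List<String> warnings) {}

  // strict=false: drop the stray value and report it; strict=true: refuse to start.
  static Result normalize(String role, List<Permission> permissions, boolean strict) {
    List<Permission> effective = new ArrayList<>();
    List<String> warnings = new ArrayList<>();
    for (Permission p : permissions) {
      String resource = p.resource().toLowerCase(Locale.ROOT);
      if (p.value() == null || !NO_VALUE_RESOURCES.contains(resource)) {
        effective.add(p);
        continue;
      }
      String msg = "role '" + role + "': resource '" + resource
          + "' does not take a value, found '" + p.value() + "'";
      if (strict) {
        throw new IllegalArgumentException("Invalid RBAC config, " + msg);
      }
      warnings.add(msg + " (ignored)");
      effective.add(new Permission(resource, null, p.actions()));
    }
    return new Result(effective, warnings);
  }

  public static void main(String[] args) {
    // Constructed sample: the two entries from the comment above with their values
    // present, plus one topic rule whose value must be kept.
    List<Permission> perms = List.of(
        new Permission("applicationconfig", ".*", List.of("ALL")),
        new Permission("clusterconfig", ".*", List.of("ALL")),
        new Permission("topic", "orders-.*", List.of("VIEW")));
    Result r = normalize("qa", perms, false);
    r.warnings().forEach(w -> System.out.println("WARN " + w));
    r.effective().forEach(System.out::println);
  }
}
```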

@Haarolean Haarolean removed their assignment Mar 30, 2024
@Haarolean Haarolean added scope/backend Related to backend changes good first issue Up for grabs labels Mar 30, 2024
@Haarolean Haarolean changed the title 500 errors while trying to get Broker configs or edit dynamic config BE: RBAC: Ignore values for non-applicable resources Mar 30, 2024
@Haarolean Haarolean pinned this issue Apr 19, 2024
@wernerdv wernerdv linked a pull request Jul 26, 2024 that will close this issue