[Audit] - Error when consuming records from audit topic __kui-audit-log #275

Closed
4 tasks done
smahroug opened this issue Apr 9, 2024 · 3 comments
Labels
area/audit, status/duplicate, status/triage/completed, type/bug

Comments

@smahroug

smahroug commented Apr 9, 2024

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I activated the audit feature. The audit logs are produced in the topic: __kui-audit-log
Here is the config:

kafka:
  clusters:
    - name: LAB
      audit:
        topic-audit-enabled: true
        console-audit-enabled: true
        topic: '__kui-audit-log' # default name
        audit-topic-properties: # any kafka topic properties in format of a map
          - retention.ms: 43200000
        audit-topics-partitions: 1 # how many partitions, default is 1
        level: all # either ALL or ALTER_ONLY (default). ALL will log all read operations.

Permissions are set to be able to read from all the topics starting with "_":

        - resource: topic
          value: "_*"
          actions:
            - VIEW # can be upper or lower case
            - CREATE
            - EDIT
            - DELETE
            - MESSAGES_READ
            - MESSAGES_PRODUCE
            - MESSAGES_DELETE

Server error appears: [screenshot]

Expected behavior

I expect that audit records can be consumed by Kafka UI __kui-audit-log

Your installation details

1 - app version : 1.0.0 [https://github.com/kafbat/kafka-ui/commit/2956664bd712266f7340659dc9fbb83e6f3f1923]

Steps to reproduce

Activate the audit feature and display the records in :

Screenshots

No response

Logs

155478 [parallel-1] INFO  audit - {"timestamp":"2024-04-09T09:37:47.553857498Z","username":"xxxxxxxxx","clusterName":"DEV","resources":[{"type":"TOPIC","id":"A-TOPIC-FOR-TESTS-v0.1","alter":false,"accessType":["VIEW"]}],"operation":"getTopicDetails","result":{"success":true}}
155483 [reactor-http-epoll-4] INFO  audit - {"timestamp":"2024-04-09T09:37:47.559365355Z","username":"xxxxxxxxx","clusterName":"LAB","resources":[{"type":"TOPIC","id":"__kui-audit-log","alter":false,"accessType":["MESSAGES_READ"]},{"type":"AUDIT","alter":false,"accessType":["VIEW"]}],"operation":"getTopicMessages","result":{"success":false,"error":"ACCESS_DENIED"}}
156495 [reactor-http-epoll-1] INFO  audit - {"timestamp":"2024-04-09T09:37:48.571260932Z","username":"xxxxxxxxx","clusterName":"LAB","resources":[{"type":"TOPIC","id":"__kui-audit-log","alter":false,"accessType":["MESSAGES_READ"]},{"type":"AUDIT","alter":false,"accessType":["VIEW"]}],"operation":"getTopicMessages","result":{"success":false,"error":"ACCESS_DENIED"}}
156639 [reactor-http-epoll-4] ERROR o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler - [bcf6b1bf-103]  500 Server Error for HTTP GET "/api/clusters/DEV/topics/A-TOPIC-FOR-TESTS-v0.1/messages/v2?limit=100&mode="
java.lang.NullPointerException: null
        at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:903)
        Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
        *__checkpoint ⇢ io.kafbat.ui.config.CorsGlobalConfiguration$$Lambda$1330/0x0000000100930680 [DefaultWebFilterChain]
        *__checkpoint ⇢ io.kafbat.ui.config.CustomWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ io.kafbat.ui.config.ReadOnlyModeFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ AuthorizationWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ ExceptionTranslationWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ LogoutWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ ServerRequestCacheWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ SecurityContextServerWebExchangeWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ LogoutPageGeneratingWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ LoginPageGeneratingWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ OAuth2LoginAuthenticationWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ OAuth2AuthorizationRequestRedirectWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ ReactorContextWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ HttpHeaderWriterWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
        *__checkpoint ⇢ org.springframework.web.filter.reactive.ServerHttpObservationFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ HTTP GET "/api/clusters/DEV/topics/A-TOPIC-FOR-TESTS-v0.1/messa

Additional context

"operation":"getTopicMessages","result":{"success":false,"error":"ACCESS_DENIED"}

getTopicMessages is normally guaranteed by permission MESSAGES_READ on the resource topic value: "_*"
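Added example (not part of the original report and not kafbat/kafka-ui code): a triage script that parses console audit lines in the format shown under Logs and groups denied operations by the resource/access pairs recorded with them. The sample lines are constructed from that format, and the function names are hypothetical.

```python
import json
import re
from collections import Counter

# Constructed sample in the console audit format from the Logs section:
# one success, two denials, one non-audit line, one truncated audit record.
SAMPLE = "\n".join([
    '155478 [parallel-1] INFO  audit - {"timestamp":"2024-04-09T09:37:47.553857498Z","username":"xxxxxxxxx","clusterName":"DEV","resources":[{"type":"TOPIC","id":"A-TOPIC-FOR-TESTS-v0.1","alter":false,"accessType":["VIEW"]}],"operation":"getTopicDetails","result":{"success":true}}',
    '155483 [reactor-http-epoll-4] INFO  audit - {"timestamp":"2024-04-09T09:37:47.559365355Z","username":"xxxxxxxxx","clusterName":"LAB","resources":[{"type":"TOPIC","id":"__kui-audit-log","alter":false,"accessType":["MESSAGES_READ"]},{"type":"AUDIT","alter":false,"accessType":["VIEW"]}],"operation":"getTopicMessages","result":{"success":false,"error":"ACCESS_DENIED"}}',
    '156495 [reactor-http-epoll-1] INFO  audit - {"timestamp":"2024-04-09T09:37:48.571260932Z","username":"xxxxxxxxx","clusterName":"LAB","resources":[{"type":"TOPIC","id":"__kui-audit-log","alter":false,"accessType":["MESSAGES_READ"]},{"type":"AUDIT","alter":false,"accessType":["VIEW"]}],"operation":"getTopicMessages","result":{"success":false,"error":"ACCESS_DENIED"}}',
    '156639 [reactor-http-epoll-4] ERROR o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler - [bcf6b1bf-103]  500 Server Error',
    '156700 [reactor-http-epoll-2] INFO  audit - {"timestamp":"2024-04-09T09:37:49.1Z","username":"xxxxxxxxx","resour',
])

# "<uptime ms> [thread] INFO  audit - <JSON record>"
AUDIT_LINE = re.compile(r"^\d+ \[[^\]]+\] INFO\s+audit - (\{.*)$")


def parse_audit_lines(text):
    """Return the JSON audit records; skip other log lines and cut-off records."""
    records = []
    for line in text.splitlines():
        match = AUDIT_LINE.match(line)
        if not match:
            continue
        try:
            records.append(json.loads(match.group(1)))
        except json.JSONDecodeError:
            continue  # truncated or interleaved output
    return records


def denied_requirements(text):
    """Count denied operations, keyed by who/where/what and the access pairs logged."""
    counts = Counter()
    for rec in parse_audit_lines(text):
        result = rec.get("result") or {}
        if result.get("success", True):
            continue
        needed = tuple(sorted(
            (res.get("type", "?"), res.get("id", "-"), access)
            for res in rec.get("resources", [])
            for access in res.get("accessType", [])
        ))
        key = (rec.get("username"), rec.get("clusterName"),
               rec.get("operation"), result.get("error"), needed)
        counts[key] += 1
    return counts
```

On these lines the denied getTopicMessages records list an AUDIT/VIEW entry alongside TOPIC/MESSAGES_READ, while the permission block shown in the report covers only the topic resource.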

@smahroug smahroug added status/triage Issues pending maintainers triage type/bug Something isn't working labels Apr 9, 2024
@kapybro kapybro bot added status/triage/manual Manual triage in progress area/audit status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Apr 9, 2024
@smahroug
Author

smahroug commented Apr 9, 2024

RBAC documentation didn't say anything about special permission for the audit topic.

@Haarolean
Member

> RBAC documentation didn't say anything about special permission for the audit topic.

yep there are none, it's rather a bug :) we'll fix this within current release

@Haarolean
Member

Duplicate of #253

@Haarolean Haarolean marked this as a duplicate of #253 Apr 19, 2024
@Haarolean Haarolean closed this as not planned Apr 19, 2024
@Haarolean Haarolean added status/duplicate This issue or pull request already exists and removed status/triage/manual Manual triage in progress labels Apr 19, 2024