BUG: UI is broken for user with access to all topic metadata but selective access to data #2027

Open · erikgb opened this issue Dec 21, 2024 · 0 comments

erikgb (Contributor) commented Dec 21, 2024
We are running multi-tenant Kafka clusters where we must ensure that tenants cannot read data from other tenants' topics. However, all users should have access to topic metadata in the cluster. Ideally, we want AKHQ to grant access to data in topics based on the ACLs configured for user/groups in the cluster, see #2025.

Right now, no users have permission to see any topic data through AKHQ. But some of our tenants already have established topic naming standards, so we are trying to set up a POC of access to topic data by applying static patterns in the AKHQ configuration. But this seems broken, and we have also tried using the dev image. It's probably related to #1910 - as we are seeing the same error message.

Extract of our configuration:

```yaml
default-group: reader-no-data-access
roles:
  reader:
    - resources: ["TOPIC", "TOPIC_DATA", "CONSUMER_GROUP", "CONNECT_CLUSTER", "CONNECTOR", "SCHEMA", "NODE", "ACL", "KSQLDB"]
      actions: ["READ"]
    - resources: ["TOPIC", "NODE"]
      actions: ["READ_CONFIG"]
  reader-no-data-access:
    - resources: ["TOPIC", "CONSUMER_GROUP", "CONNECT_CLUSTER", "CONNECTOR", "SCHEMA", "NODE", "ACL", "KSQLDB"]
      actions: ["READ"]
    - resources: ["TOPIC", "NODE"]
      actions: ["READ_CONFIG"]
groups:
  reader:
    - role: reader
  fifty-reader:
    - role: reader
      patterns: [".*app_fifty_.*"]
  reader-no-data-access:
    - role: reader-no-data-access
```

This is what we observe:

  • UI works for an arbitrary user with no extra permissions or relevant groups. User is granted the reader-no-data-access role to all topics. ✅
  • UI works for a user belonging to the reader group. User is granted the reader role with access to all topics - including data in topics. ✅
  • UI is broken for a user belonging to the fifty-reader group with the error message "Unauthorized: missing permission on resource TOPIC_DATA and action READ" 💣

The expected behavior should (obviously) be that the user has access to metadata for all topics and access to data in the topics matching the configured pattern. Are we doing something wrong? With some pointers to where in the code this bug might be hiding, we would be happy to contribute a fix for it. 😸 Thanks a lot for providing this wonderful tool! ❤️
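The expected behaviour the reporter describes can be written down as a small permission model. The following is an added example, not AKHQ's own authorization code and not something the reporter posted: it loads the roles and groups from the configuration extract above, applies a group's `patterns` to topic names, and answers "may this user perform `action` on `resource` for this topic?". Two things are assumptions of the example rather than documented AKHQ behaviour: the `default-group` is treated as applying to every user in addition to their own groups (which is what the expected behaviour implies), and a pattern is matched against the full topic name with `re.fullmatch`. Topic names are constructed for the demonstration.

```python
import re

# Roles and groups copied from the issue's configuration extract, as Python
# literals so the example runs offline.
ROLES = {
    "reader": [
        {"resources": ["TOPIC", "TOPIC_DATA", "CONSUMER_GROUP", "CONNECT_CLUSTER",
                       "CONNECTOR", "SCHEMA", "NODE", "ACL", "KSQLDB"],
         "actions": ["READ"]},
        {"resources": ["TOPIC", "NODE"], "actions": ["READ_CONFIG"]},
    ],
    "reader-no-data-access": [
        {"resources": ["TOPIC", "CONSUMER_GROUP", "CONNECT_CLUSTER", "CONNECTOR",
                       "SCHEMA", "NODE", "ACL", "KSQLDB"],
         "actions": ["READ"]},
        {"resources": ["TOPIC", "NODE"], "actions": ["READ_CONFIG"]},
    ],
}

GROUPS = {
    "reader": [{"role": "reader"}],
    "fifty-reader": [{"role": "reader", "patterns": [".*app_fifty_.*"]}],
    "reader-no-data-access": [{"role": "reader-no-data-access"}],
}

DEFAULT_GROUP = "reader-no-data-access"


def bindings_for(user_groups):
    """Role bindings that apply to a user: their own groups plus the default
    group. Assumption of this example: the default group is added for every
    user, which is what the expected behaviour in the issue implies."""
    names = list(dict.fromkeys(list(user_groups) + [DEFAULT_GROUP]))
    bindings = []
    for name in names:
        bindings.extend(GROUPS.get(name, []))
    return bindings


def binding_covers(binding, topic):
    """A binding without patterns applies to every topic; one with patterns
    only to topics whose name fully matches a pattern (assumption: fullmatch).
    With topic=None the name is unknown, so every binding is a candidate."""
    patterns = binding.get("patterns")
    if topic is None or not patterns:
        return True
    return any(re.fullmatch(p, topic) for p in patterns)


def is_allowed(user_groups, resource, action, topic=None):
    """Expected check: is `action` on `resource` granted for `topic`?
    topic=None answers the coarse question "granted on at least one topic",
    the name-less check a UI would use to decide whether to show a feature."""
    for binding in bindings_for(user_groups):
        if not binding_covers(binding, topic):
            continue
        for rule in ROLES[binding["role"]]:
            if resource in rule["resources"] and action in rule["actions"]:
                return True
    return False


def topic_permissions(user_groups, topic):
    """All (resource, action) pairs granted to the user on one topic, sorted."""
    pairs = set()
    for binding in bindings_for(user_groups):
        if not binding_covers(binding, topic):
            continue
        for rule in ROLES[binding["role"]]:
            for resource in rule["resources"]:
                for action in rule["actions"]:
                    pairs.add((resource, action))
    return sorted(pairs)


if __name__ == "__main__":
    # Constructed topic names: a fifty-reader user should see data only in the first.
    for topic in ("tenant-a.app_fifty_orders", "tenant-b.app_sixty_orders"):
        print(topic, "metadata:", is_allowed(["fifty-reader"], "TOPIC", "READ", topic),
              "data:", is_allowed(["fifty-reader"], "TOPIC_DATA", "READ", topic))
```

Under this model a `fifty-reader` user gets `TOPIC`/`READ` on every topic from the default group and `TOPIC_DATA`/`READ` only on topics matching `.*app_fifty_.*`, while the coarse check `is_allowed(["fifty-reader"], "TOPIC_DATA", "READ")` is true because at least one binding grants it. A UI that raised "missing permission on resource TOPIC_DATA and action READ" for such a user would therefore be evaluating something stricter than either the per-topic or the coarse question modelled here, which is the behaviour the issue reports as broken.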

Labels: None yet. Projects: Status: Backlog. Development: no branches or pull requests. 1 participant.