Auth: Support LDAP nested groups #390

Closed
4 tasks done
RomainDubois opened this issue May 15, 2024 · 1 comment · Fixed by #391
Labels: area/auth (App authentication related issues), scope/backend (Related to backend changes), status/triage/completed (Automatic triage completed), type/enhancement (An enhancement/improvement to an already existing feature)

Comments

@RomainDubois (Contributor)

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

With LDAP authentication, only direct groups of the connected user are collected to compute user roles.

Expected behavior

Groups should be collected recursively to compute user roles (= groups of groups).

Your installation details

Tested with version 2956664.

LDAP configuration:

AUTH_TYPE=LDAP
SPRING_LDAP_URLS=ldaps://my.ldap.url
SPRING_LDAP_USER_FILTER_SEARCH_BASE=cn=accounts,dc=my-company
SPRING_LDAP_GROUP_FILTER_SEARCH_BASE=cn=accounts,dc=my-company
SPRING_LDAP_USER_FILTER_SEARCH_FILTER=(&(uid={0})(objectClass=inetOrgPerson))
SPRING_LDAP_BASE=cn={0},dc=my-company
SPRING_CONFIG_ADDITIONAL-LOCATION=/roles/roles.yaml

roles.yaml:

---

rbac:
  roles:

    - name: admin
      clusters:
        - main
      subjects:
        - provider: ldap
          type: group
          value: nestedgroup
      permissions:
        - resource: applicationconfig
          actions: all
        - resource: clusterconfig
          actions: all
        - resource: topic
          value: ".*"
          actions: all
        - resource: consumer
          value: ".*"
          actions: all
        - resource: schema
          value: ".*"
          actions: all
        - resource: connect
          value: ".*"
          actions: all
        - resource: ksql
          actions: all
        - resource: acl
          value: ".*"
          actions: [ view ]

Steps to reproduce

  1. Find or create an LDAP user U which is a member of a group G1, where G1 is a member of another group G2. U should not be a direct member of G2.
  2. Configure Kafka-UI with LDAP authentication
  3. Configure a role on group G2
  4. Log in with user U
  5. Check that the user does not have the role

Screenshots

No response

Logs

No response

Additional context

No response
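The membership resolution described in this issue, as an added illustration that is not part of the issue or of the Kafka-UI code base: a constructed in-memory directory (DNs and group names are hypothetical; "nestedgroup" matches the roles.yaml subject above) compared under direct-only lookup, which is what the report observes, and transitive lookup, which is the expected behaviour. The transitive walk also guards against membership cycles, which a naive recursive search over real directories would loop on.

```python
# Constructed directory: group DN -> set of member DNs (users or other groups),
# mirroring a groupOfNames-style "member" attribute. All names are hypothetical.
BASE = "cn=accounts,dc=my-company"
U_DN = f"uid=U,{BASE}"
G1_DN = f"cn=G1,{BASE}"
G2_DN = f"cn=nestedgroup,{BASE}"   # the group the admin role is bound to
G3_DN = f"cn=G3,{BASE}"            # forms a cycle with G2 to exercise cycle protection

DIRECTORY = {
    G1_DN: {U_DN},          # U is a direct member of G1 only
    G2_DN: {G1_DN, G3_DN},  # G1 is a member of nestedgroup (G2); G3 too
    G3_DN: {G2_DN},         # G2 is a member of G3 -> cycle G2 <-> G3
}

# role name -> group CNs, as declared under rbac.roles[].subjects in roles.yaml
ROLES = {"admin": {"nestedgroup"}}


def direct_groups(member_dn, directory):
    """Groups listing member_dn directly (what a single 'member={0}' search returns)."""
    return {g for g, members in directory.items() if member_dn in members}


def nested_groups(member_dn, directory):
    """Transitive closure of group membership; 'seen' prevents infinite loops on cycles."""
    seen, frontier = set(), [member_dn]
    while frontier:
        for g in direct_groups(frontier.pop(), directory):
            if g not in seen:
                seen.add(g)
                frontier.append(g)
    return seen


def group_cn(dn):
    """Extract the CN value from the first RDN of a DN, e.g. 'cn=G1,...' -> 'G1'."""
    return dn.split(",")[0].split("=", 1)[1]


def roles_for(user_dn, directory, roles, recursive):
    """Roles whose subject groups intersect the user's (direct or nested) groups."""
    groups = nested_groups(user_dn, directory) if recursive else direct_groups(user_dn, directory)
    cns = {group_cn(g) for g in groups}
    return {role for role, subjects in roles.items() if subjects & cns}


if __name__ == "__main__":
    print("direct-only:", roles_for(U_DN, DIRECTORY, ROLES, recursive=False))  # set()
    print("nested:    ", roles_for(U_DN, DIRECTORY, ROLES, recursive=True))   # {'admin'}
```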

@RomainDubois RomainDubois added status/triage Issues pending maintainers triage type/bug Something isn't working labels May 15, 2024
@kapybro kapybro bot added status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels May 15, 2024

Hi RomainDubois! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.

If you plan to raise a PR for this issue, please take a look at our contributing guide.

RomainDubois pushed a commit to RomainDubois/kafka-ui that referenced this issue May 15, 2024
@Haarolean Haarolean changed the title LDAP nested groups not supported AUth: Support LDAP nested groups May 16, 2024
@Haarolean Haarolean added type/enhancement En enhancement/improvement to an already existing feature scope/backend Related to backend changes area/auth App authentication related issues and removed type/bug Something isn't working status/triage/manual Manual triage in progress labels May 16, 2024
@Haarolean Haarolean added this to the 1.1 milestone May 19, 2024
@Haarolean Haarolean changed the title AUth: Support LDAP nested groups Auth: Support LDAP nested groups May 19, 2024