0.7: ACLs, LDAP & Generic OAuth support for RBAC

[Haarolean]

Release 0.7 with ACLs, LDAP & Generic OAuth support for RBAC

¡Hola! We're excited to announce the latest release of UI for Apache Kafka!
This new version comes packed with a range of new features, enhancements, and bug fixes to improve your experience.
Here's a closer look at some of the highlights:

New Features

• ACL Lists: UI for Apache Kafka now gives you access to your Kafka's ACL lists in read-only mode, allowing you to monitor and review them in greater detail. This feature lays the groundwork for more advanced functionality in the upcoming 0.8 release, where we plan to introduce full ACL editing capabilities.

• UI Dark Theme: Take a break from the bright lights with the dark theme. You can even activate the auto-mode feature to have the interface switch automatically between light and dark modes depending on your system settings.

• RBAC: LDAP Support: We've added support for fetching roles via LDAP, enabling you to authenticate and manage users' roles across your organization more efficiently.

• RBAC: Generic OAuth2 Support: UI for Apache Kafka now supports fetching roles with any generic OAuth2 provider.

Significant Enhancements

• RBAC: Separate KC Restart Permission: Managing Kafka Connect permissions just got easier with the new KC Restart permission, providing a more granular approach to managing your roles.

• Broker Skew Displayed in UI: You can now monitor broker skew directly in UI, providing deeper insights into the state of your Kafka cluster.

• Data Masking: Regex Support for Field Names: We've introduced support for regular expressions in field names for data masking, providing more powerful masking capabilities.

• Opt-Out of Version Check: To support air-gap environments further, we got rid of version check requests on frontend. Since they're performed on the backend now, from now on, your frontend won't fail if there's no internet connection.

User Experience (UX) Improvements

• Kafka Connect Quick Actions: Accessing Kafka Connect actions is now easier with the new quick actions feature in the sandwich menu.

• Keep Contents Switch: We've added a new "keep contents" switch on message produce, allowing you to retain message content after production for a smoother and more efficient workflow.

BREAKING CHANGES

Of course, there are some!

• LDAP users: Replace your spring.ldap.dn.pattern property name with spring.ldap.base. That's made to better match spring properties.
• Data masking: Within mask action, replaced pattern with fieldsNamePattern.

---

We hope you enjoy using UI for Apache Kafka and find these new features and enhancements useful. As always, we welcome your feedback and suggestions for future releases. Thank you for choosing UI for Apache Kafka, and we look forward to bringing you more exciting updates in the future!

Best regards,
Provectus & Contributors

---

Issues closed: https://github.com/provectus/kafka-ui/milestone/11?closed=1
All changes in a formatted way: https://gist.github.com/Haarolean/29a7040382a5386a01ecc3cf34fa3f04
Full Changelog: v0.6.0...v0.7.0

Contributors

@David-DB88, @Haarolean, @NeiruBugz, @RaajuKanuri, @VladSenyuta, @a1tair6, @blacktower88, @dependabot, @dependabot[bot], @iliax, @inanc-can, @michal-cesek, @nisanohana3 and @winnie-chiu

---

This discussion was created from the release 0.7: ACLs, LDAP & Generic OAuth support for RBAC.

[sm-shevchenko]

Hey!
Can you please update documentation instructions in part of configuration steps for use LDAP_AD identity provider for RBAC and provide some examples?

[Haarolean]

done
https://discord.com/channels/897805035122077716/897805035122077719/1107574013741502555

[sm-shevchenko]

even when I try to use roles.yml similar to the one given in the documentation, I get an error message:

[alexisph]

It crashes if value: ".*" under the acl resource is absent, even though the docs state otherwise.

[Haarolean]

@sm-shevchenko please raise a new dicsussion or ask on discord

[Haarolean]

@alexisph fixed in master

[nsagnett]

Hi,

It is possible to provide some complete examples about Azure AD RBAC setup? On my side, I encountered issues with this topic like Provider [azuread] doesn't contain a roles field param name, mapping won't be performedlogs.
So, I can provide more information but I don't know if this discussion is the best place to do that.

Many thanks!

[Haarolean]

Fortunately there's one available, from discord:

auth:
  type: OAUTH2
  oauth2:
    client:
      azure:
        clientId: <ClientID>
        clientSecret: <ClientSecret>
        scope: openid
        client-name: azure #whatever here
        provider: azure #whatever here
        authorization-grant-type: authorization_code
        redirect-uri: http://localhost:8080/login/oauth2/code/auth0
        issuer-uri: https://login.microsoftonline.com/<TenantID>/v2.0
        user-name-attribute: name
        custom-params:
          type: oauth #must be 'oauth'
          roles-field: roles # roles claim contains all granted roles for a user

kafka:
  clusters:
    - name: local
      bootstrapServers: broker0:29092
      zookeeper: zookeeper:2181
      schemaRegistry: http://schemaregistry:8085

rbac:
  roles:
    - name: "NormalUser"
      clusters:
        - local
      subjects:
        - provider: oauth
          type: role
          value: user # role that needs to be included in the roles claim
      permissions:
        - resource: clusterconfig
          actions: ["view", "edit"]
        - resource: topic
          value: "ololo.*"
          actions:
            - VIEW
            - CREATE
            - EDIT
            - DELETE
            - MESSAGES_READ
            - MESSAGES_PRODUCE
            - MESSAGES_DELETE
        - resource: consumer
          value: "\_confluent-ksql.*"
          actions: [VIEW, DELETE, RESET_OFFSETS]
        - resource: schema
          value: "blah.*"
          actions: [VIEW, CREATE, DELETE, EDIT, MODIFY_GLOBAL_COMPATIBILITY]
        - resource: connect
          value: "local"
          actions: [view, edit, create]
        - resource: ksql
          actions: [execute]

Posted by SiMoN#8695 there

[nsagnett]

Many thanks for the snippet!

Unfortunately, the problem still occurs despite roles are present in claims, may be an issue linked with CORS policy management.
I get this kind of log with the setup : Access to manifest at 'https://login.microsoftonline.com/b2153328-8559-402f-add2-ea85f76ef3d1/oauth2/v2.0/authorize?response_type=code&client_id=b85df718-4327-49be-838e-00cee2fe9b48&scope=https://graph.microsoft.com/User.Read&state=lcVH_tg-2GqkJJ25qHMlXaF7oAENUk4AdXUByw_w-Bs%3D&redirect_uri=https://customDomain/login/oauth2/code/azuread' (redirected from 'https://kafka-ui-test.eu-west-1.dev.k8s.intraxiti.com/manifest.json') from origin 'https://customDomain' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

[Haarolean]

@nsagnett might be related: #3401 (comment), in progress

[nsagnett]

@Haarolean FYI I already have the problem with 0.4.0 with SSO setup without RBAC.

[Haarolean]

@nsagnett please raise a new dicussion or feel free to join us on discord

[alexisph]

RBAC with LDAP does not work for me on v0.7.0.
I have the following config:

kafka:
  clusters:
    - name: dev
      readOnly: false
      bootstrapServers: ${KAFKA_BOOTSTRAP}:9093

auth:
  type: LDAP
spring:
  ldap:
    urls: ldap://${AD_SERVER}
    base: "sAMAccountName={0},ou=${USERS_OU},dc=${AD_SERVER}"
    admin-user: "cn=${LDAP_ADMIN_USERNAME},dc=${AD_SERVER}"
    admin-password: "${LDAP_ADMIN_PASSWORD}"
    user-filter-search-base: "dc=${AD_SERVER}"
    user-filter-search-filter: "(&(sAMAccountName={0})(objectClass=user)(|(memberof=CN=${GROUP_NAME},OU=${GROUPS_OU},DC=${AD_SERVER})))"
    group-filter-search-base: "OU=${GROUPS_OU},DC=${AD_SERVER}"
oauth2:
  ldap:
    activeDirectory: false
    activeDirectory.domain: "${AD_SERVER}"

rbac:
  roles:
    - name: "admins"
      clusters:
        - dev
      subjects:
        - provider: ldap
          type: group
          value: "${GROUP_NAME}"
      permissions:
        - resource: applicationconfig
          # value not applicable for applicationconfig
          actions:
            - view
            # - edit
        - resource: clusterconfig
          # value not applicable for clusterconfig
          actions:
            - view
            # - edit
        - resource: topic
          value: ".*"
          actions:
            - view
            # - create
            # - edit
            # - delete
            - messages_read
            - messages_produce
            - messages_delete
        - resource: consumer
          value: ".*"
          actions:
            - view
            - delete
            - reset_offsets
        - resource: schema
          value: ".*"
          actions:
            - view
            - create
            - delete
            - edit
            # - modify_global_compatibility
        - resource: connect
          value: ".*"
          actions:
            - view
            # - edit
            # - create
        - resource: ksql
          # value not applicable for ksql
          actions:
            - execute
        # - resource: acl
        #   # value not applicable for acl
        #   value: ".*"  # FIXME: it crashes if this is removed
        #   actions:
        #     - view
        #     # - edit

I am able to login but I cannot see any clusters:

I have enabled DEBUG logs and I can see this:

DEBUG [boundedElastic-3] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Found roles from search [{spring.security.ldap.dn=[CN=${GROUP_NAME},OU=${GROUPS_OU},DC=${AD_SERVER}], cn=[${GROUP_NAME}]}]
DEBUG [reactor-http-epoll-1] o.s.s.w.s.a.DelegatingReactiveAuthorizationManager: Checking authorization on '/api/clusters' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@XXXXX
DEBUG [reactor-http-epoll-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@XXXXX, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[${GROUP_NAME}]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@XXXXX'
DEBUG [reactor-http-epoll-1] o.s.s.w.s.a.AuthorizationWebFilter: Authorization successful
DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.RequestMappingHandlerMapping: [XXXXX] Mapped to com.provectus.kafka.ui.controller.ClustersController#getClusters(ServerWebExchange)
DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.ResponseEntityResultHandler: [XXXXX] Using 'application/json' given [*/*] and supported [application/json]
DEBUG [reactor-http-epoll-1] o.s.w.r.r.m.a.ResponseEntityResultHandler: [XXXXX] 0..N [com.provectus.kafka.ui.model.ClusterDTO]
DEBUG [reactor-http-epoll-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@XXXXX, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[${GROUP_NAME}]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@XXXXX'
DEBUG [reactor-http-epoll-1] o.s.w.s.a.HttpWebHandlerAdapter: [XXXXX] Completed 200 OK

If I remove the rbac section, I can login and I can see and do everything because there are no roles.

[Haarolean]

I don't understand if you have redacted the logs/configs so the redacted parts look like placeholders or is it just placeholders not being replaced by the actual values?
DEBUG [boundedElastic-3] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Found roles from search [{spring.security.ldap.dn=[CN=${GROUP_NAME},OU=${GROUPS_OU},DC=${AD_SERVER}], cn=[${GROUP_NAME}]}]

Please provide logs/configs with the actual data, just remove the passwords.

[alexisph]

Hi. The information is redacted and replaced with placeholders. I cannot provide the actual values.

[Haarolean]

Well, it should work as far as I see, the group has been mapped to a GrantedAuthority properly.
Verify that the cluster name in the config matches the one you have. Also try looking at /authorization request' response in your browser dev console.

[apellegr06]

Hi, I have exactly the same problem with my configuration :

logging:
  level:
    root: debug
    com.provectus: debug
    org.springframework.security: debug

kafka:
  clusters:
    - name: cluster1
      bootstrapServers: xxxxxxxxxxxxxxxxx
      metrics:
        port: 7071
        type: PROMETHEUS
      properties:
        security.protocol: SASL_PLAINTEXT
        sasl.mechanism: GSSAPI
        sasl.jaas.config: xxxxxxxxxxxxxxxx
      kafkaconnect:
        - name: connect1
          address: xxxxxx
      ksqldbserver: xxxxxx
      schemaregistry: xxxxx
      ssl:
        truststorelocation: /kafka-ui.ts
        truststorepassword: xxxxx

auth:
  type: LDAP

spring:
  ldap:
    urls: "ldaps://xxxxx:636"
    base: "uid={0},ou=people,dc=xxxxxx,dc=xx"
    user-filter-search-base: "ou=people,dc=xxxxxx,dc=xx"
    user-filter-search-filter: "(&(uid={0})(objectClass=inetOrgPerson))"
    group-filter-search-base: "ou=group,dc=xxxxx,dc=xx"
    admin-user: "uid=xxxxxx,ou=serviceaccount,dc=xxxxxx,dc=xx"
    admin-password: "xxxxxx"

rbac:
  roles:
    - name: "admin"
      clusters:
        - cluster1
      subjects:
        - provider: ldap
          type: group
          value: "xxxxx"   ==> one of my ldap group
      permissions:
        - resource: applicationconfig
          actions: all
        - resource: clusterconfig
          actions: all
        - resource: topic
          value: ".*"
          actions: all
        - resource: consumer
          value: ".*"
          actions: all
        - resource: schema
          value: ".*"
          actions: all
        - resource: connect
          value: ".*"
          actions: all
        - resource: ksql
          actions: all

Here is the log section with ldap :

2023-05-24 09:01:50,017 DEBUG [boundedElastic-1] j.e.security:  TLSHandshake: xxxxxxxxx:636, TLSv1.2, TLS_RSA_WITH_AES_128_GCM_SHA256, 1152726490
2023-05-24 09:01:50,020 DEBUG [boundedElastic-1] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldaps://xxxxxxx:636'
2023-05-24 09:01:50,040 DEBUG [boundedElastic-1] o.s.s.l.a.BindAuthenticator: Bound uid=xxxxxxx,ou=people,dc=xxxxxx,dc=xx
2023-05-24 09:01:50,057 DEBUG [boundedElastic-1] o.s.l.c.LdapTemplate: The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2023-05-24 09:01:50,118 DEBUG [boundedElastic-1] o.s.l.c.s.AbstractContextSource: Got Ldap context on server 'ldaps://xxxxxxx:636'
2023-05-24 09:01:50,122 DEBUG [boundedElastic-1] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Found roles from search []
2023-05-24 09:01:50,122 DEBUG [boundedElastic-1] o.s.s.l.u.DefaultLdapAuthoritiesPopulator: Retrieved authorities for user uid=xxxxxx,ou=people,dc=xxxxxx,dc=xx
2023-05-24 09:01:50,122 DEBUG [boundedElastic-1] o.s.s.l.u.LdapUserDetailsMapper: Mapping user details from context with DN uid=xxxxxx,ou=people,dc=xxxxxx,dc=xx
2023-05-24 09:01:50,126 DEBUG [boundedElastic-1] o.s.s.l.a.LdapAuthenticationProvider: Authenticated user
2023-05-24 09:01:50,129 DEBUG [boundedElastic-1] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Saved SecurityContext 'SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=com.provectus.kafka.ui.config.auth.RbacLdapUser@35fcc506, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@ac8e8b5'
2023-05-24 09:01:50,136 DEBUG [parallel-1] o.s.s.w.s.DefaultServerRedirectStrategy: Redirecting to '/'
2023-05-24 09:01:50,137 DEBUG [parallel-1] o.s.w.s.a.HttpWebHandlerAdapter: [4c8a1efd-5] Completed 302 FOUND

[Haarolean]

@alexisph @apellegr06 0.7.1 will include a user filter search filter (alongside with existing user filter search base), might help if you use something different from (member={0}). Otherwise, it's a configuration issue.

[nrkljo]

Hi,

I've been struggling with getting Oauth2 working with Keycloak and a self-signed cert. My problem is I can't seem to get it to pick up my trust-store, so I end up with a javax.net.ssl.SSLHandshakeException: PKIX path building failed everytime it tries to access https://keycloak-server/realms/keycloak-realm/.well-known/openid-configuration
I know the trust-store itself is fine, 'cause it's the same I use to access my Kafka brokers over TLS.

I'm running in Minikube with a static manifest at the moment. Here's (what I think is) the relevant config:

          env:
            #Local cluster
          - name: KAFKA_CLUSTERS_0_NAME
            value: kafka-local
          - name: AUTH_TYPE
            value: OAUTH2
          - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENTID
            value: kafka-ui-local
          - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENTSECRET
            value: ********
          - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_SCOPE
            value: openid
          - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENT_NAME
            value: keycloak
          - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_PROVIDER
            value: keycloak
          - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_REDIRECT_URI
            value: http://localhost:8008/kafka-ui/login/oauth2/code/keycloak
          - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_ISSUER_URI
            value: https://keycloak-server/realms/keycloak-realm
          - name: TRUST_STORE
            value: /opt/keystores/Trust.jks
          - name: TRUST_STORE_PASSWORD
            value: ********

I believe I've tried every permutation of TRUST_STORE|TRUSTSTORE|TRUSTSTORE_LOCATION with and whthout various Spring or OAuth related prefixes...

Any hints?

[Haarolean]

please raise a new issue

[Haarolean]

Closing as this thread becomes a pile of off-topic messages which should be separate issues/discussions.