
RBAC for ACL Management #288

Open
2 tasks done
joelpavlovsky opened this issue Apr 14, 2024 · 4 comments
Labels
area/acl area/rbac Related to Role Based Access Control feature status/needs-attention Collective discussion is required status/triage/completed Automatic triage completed type/feature A brand new feature

Comments

@joelpavlovsky

Issue submitter TODO list

  • I've searched for already existing issues here
  • I'm running a supported version of the application which is listed here, and the feature is not present there

Is your proposal related to a problem?

Today we can set the ACL RBAC action only for view & edit, and we don't have the option to set the value or some specific ACL action (e.g. ACL type, Resource type).

### Current RBAC role config

```yaml
- resource: acl
  actions: [view, edit]
```

Describe the feature you're interested in

We need the ability to set actions & values for each RBAC role and ACL resource/type.
Resource type

actions:

  • view
  • edit
  • delete
  • custom_acl
  • producer_acl
  • consumer_acl
  • stream_acl

value: (for custom_acl, edit & view, filter by resource type)

  • TOPIC
  • GROUP
  • CLUSTER
  • TRANSACTIONAL_ID
  • DELEGATION_TOKEN
  • USER

For Example:

### Requested RBAC role config

```yaml
- resource: acl
  value: ["TOPIC", "GROUP"]
  actions: [view, edit, custom_acl, producer_acl, consumer_acl]
```

Describe alternatives you've considered

No response

Version you're running

v1.0.0

Additional context

No response

@joelpavlovsky joelpavlovsky added status/triage Issues pending maintainers triage type/feature A brand new feature labels Apr 14, 2024
@kapybro kapybro bot added status/triage/manual Manual triage in progress area/acl area/rbac Related to Role Based Access Control feature status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Apr 14, 2024

Hi joelpavlovsky! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

@Haarolean
Member

Hi, this is not possible mainly because custom ACL types (or presets) exist only as a convenience feature, and they're indistinguishable from the other ACL records once they've been created in zookeeper.

@Haarolean Haarolean closed this as not planned Won't fix, can't repro, duplicate, stale May 1, 2024
@Haarolean Haarolean added the status/invalid This doesn't seem right label May 1, 2024
@joelpavlovsky
Author

Thank you for your response.

The issue arises when a user only has permissions as a cluster reader, restricting them from altering cluster settings or configurations, and thereby making them unable to "destroy" the cluster. However, in cases where I granted permissions for the client to create or edit ACLs, they can create a custom ACL with cluster alter configurations, potentially leading to unintended actions or mistakes.

My suggestion is to introduce an option to conceal the "custom ACL" feature, allowing users to only assign producer or consumer ACLs. This enhancement would provide added protection for the client, enabling them to implement only essential ACLs, such as producer or consumer permissions.
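Added example for this discussion (not kafka-ui code, and not the maintainers' design): a small policy evaluator for a role config of the shape requested in the issue body, run against the exact situation the comment above describes, a `custom_acl` whose resulting ACL record targets `CLUSTER`. The names `parse_role`, `is_allowed`, `AclPermission`, `AclRequest`, the preset-to-resource-type scopes, and the reading of a legacy `edit`-only entry as implying every create action are assumptions made for illustration.

```python
"""Evaluate ACL-management requests against a role config shaped like the
one proposed in this issue.  Example code written for this discussion; the
schema interpretation, the names and the preset scopes are assumptions, not
kafka-ui behaviour."""
from dataclasses import dataclass

# Kafka ACL resource types listed in the issue body.
RESOURCE_TYPES = {"TOPIC", "GROUP", "CLUSTER", "TRANSACTIONAL_ID", "DELEGATION_TOKEN", "USER"}
# Per-role actions proposed in the issue body.
ACTIONS = {"view", "edit", "delete", "custom_acl", "producer_acl", "consumer_acl", "stream_acl"}
CREATE_ACTIONS = {"custom_acl", "producer_acl", "consumer_acl", "stream_acl"}

# Assumed scope of each preset: the resource types its generated ACL records
# may target.  Presets never reach CLUSTER, which is why limiting a role to
# them removes the escalation path described above.
PRESET_SCOPE = {
    "producer_acl": {"TOPIC", "TRANSACTIONAL_ID"},
    "consumer_acl": {"TOPIC", "GROUP"},
    "stream_acl": {"TOPIC", "GROUP"},
}


@dataclass(frozen=True)
class AclPermission:
    actions: frozenset     # granted UI actions
    value: frozenset       # resource types the role may touch


@dataclass(frozen=True)
class AclRequest:
    action: str            # UI operation, e.g. "custom_acl"
    resource_type: str     # Kafka resource the resulting ACL record targets


def parse_role(role_entries):
    """Pick the `resource: acl` entry out of a role's permission list.

    A missing `value` means no filter (all resource types).  A legacy entry
    that grants `edit` but none of the create actions is assumed to imply all
    of them, which is the situation the issue describes today.  Unknown
    actions or resource types are rejected rather than silently ignored."""
    for entry in role_entries:
        if entry.get("resource") != "acl":
            continue
        actions = set(entry.get("actions", []))
        unknown = actions - ACTIONS
        if unknown:
            raise ValueError(f"unknown ACL actions: {sorted(unknown)}")
        if "edit" in actions and not actions & CREATE_ACTIONS:
            actions |= CREATE_ACTIONS
        value = set(entry.get("value", RESOURCE_TYPES))
        unknown = value - RESOURCE_TYPES
        if unknown:
            raise ValueError(f"unknown resource types: {sorted(unknown)}")
        return AclPermission(frozenset(actions), frozenset(value))
    return AclPermission(frozenset(), frozenset())  # no acl entry: deny everything


def is_allowed(perm, req):
    """Return (decision, reason); deny by default on anything unrecognised."""
    if req.action not in ACTIONS or req.resource_type not in RESOURCE_TYPES:
        return False, "unrecognised action or resource type"
    if req.action not in perm.actions:
        return False, f"action {req.action!r} not granted"
    scope = PRESET_SCOPE.get(req.action)
    if scope is not None and req.resource_type not in scope:
        return False, f"preset {req.action!r} never targets {req.resource_type}"
    if req.resource_type not in perm.value:
        return False, f"{req.resource_type} outside the role's value filter"
    return True, "allowed"


# Constructed role configs mirroring the issue text.
CURRENT_ROLE = [{"resource": "acl", "actions": ["view", "edit"]}]
REQUESTED_ROLE = [{"resource": "acl", "value": ["TOPIC", "GROUP"],
                   "actions": ["view", "edit", "custom_acl", "producer_acl", "consumer_acl"]}]
PRESETS_ONLY_ROLE = [{"resource": "acl", "actions": ["view", "producer_acl", "consumer_acl"]}]

# The escalation from the comment above: a custom ACL whose record targets CLUSTER.
CLUSTER_CUSTOM = AclRequest("custom_acl", "CLUSTER")

if __name__ == "__main__":
    for name, role in [("current", CURRENT_ROLE), ("requested", REQUESTED_ROLE),
                       ("presets-only", PRESETS_ONLY_ROLE)]:
        ok, why = is_allowed(parse_role(role), CLUSTER_CUSTOM)
        print(f"{name:13} custom_acl on CLUSTER -> {'ALLOW' if ok else 'DENY'} ({why})")
```

Under the current `view, edit` shape the cluster-scoped custom ACL is allowed, because `edit` is the only lever there is; the requested `value` filter denies it because `CLUSTER` is outside `["TOPIC", "GROUP"]`, and a role carrying only the producer/consumer presets denies it because `custom_acl` is never granted in the first place. Either variant of the proposal closes the gap; the presets-only form is the stricter of the two, since presets can never target `CLUSTER` at all.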

@joelpavlovsky
Author

joelpavlovsky commented May 2, 2024 via email

@Haarolean Haarolean reopened this May 3, 2024
@Haarolean Haarolean added status/needs-attention Collective discussion is required and removed status/invalid This doesn't seem right status/triage/manual Manual triage in progress labels May 3, 2024
Projects
Status: Backlog
Development

No branches or pull requests

2 participants