RBAC w/ Keycloak

[Gemini1983]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running master-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

When attempting to configure RBAC (Role-Based Access Control) on Kafka-ui with Keycloak, no clusters are being displayed. I am using Keycloak v21.1.2 configured as Generic OAuth.

Expected behavior

The expected behavior is to display the configured cluster. I have tested using GitHub as the authentication system with the organization type, and no anomalies were detected

Your installation details

Version Keycloak v21.1.2
The decoded token generated by Keycloak includes the following roles:
"realm_access": { "roles": [ "default-roles-myrealm", "admin", "offline_access", "uma_authorization" ] }
Version kafka-ui v0.7 and v0.7.1
The Kafka-ui configuration is as follows:
`
auth:
type: OAUTH2
oauth2:
client:
keycloak:
clientId: kafkaui
clientSecret:
scope: openid
issuer-uri: http://myIP/realms/myrealm
jwk-set-uri: http://myIP/realms/myrealm/protocol/openid-connect/certs
user-name-attribute: preferred_username
provider: keycloak
custom-params:
type: keycloak

kafka:
clusters:
- bootstrapServers:
name: test-plain
properties: {}
readOnly: false

rbac:
roles:
- name: "admins"
clusters:
- test-plain
subjects:
- provider: oauth
type: role
value: "admin"
permissions:
- resource: applicationconfig
actions: all
- resource: clusterconfig
actions: all
- resource: topic
value: "."
actions: all
- resource: consumer
value: "."
actions: all
- resource: schema
value: "."
actions: all
- resource: connect
value: "."
actions: all
- resource: ksql
actions: all
- resource: acl
value: ".*"
actions: [ view ]
`

I executed Kafka-ui using Docker with the following command:
docker run --rm -p 8183:8080 -e spring.config.additional-location=/tmp/config.yml -v /kafka-ui/dynamic_config_auth_mykeycloak.yaml:/tmp/config.yml provectuslabs/kafka-ui

Steps to reproduce

Open the Kafka-ui login page.
Perform the login process by entering the required credentials on the web page provided by Keycloak.

Screenshots

No response

Logs

`09:53:25,583 |-INFO in ch.qos.logback.classic.LoggerContext[default] - This is logback-classic version 1.4.6
09:53:25,644 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
09:53:25,645 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback.xml]
09:53:25,656 |-INFO in ch.qos.logback.classic.BasicConfigurator@20ce78ec - Setting up default configuration.
09:53:26,866 |-INFO in ch.qos.logback.core.joran.spi.ConfigurationWatchList@393671df - URL [jar:file:/kafka-ui-api.jar!/BOOT-INF/classes!/logback-spring.xml] is not of type file
09:53:27,041 |-INFO in ch.qos.logback.core.model.processor.AppenderModelHandler - Processing appender named [STDOUT]
09:53:27,042 |-INFO in ch.qos.logback.core.model.processor.AppenderModelHandler - About to instantiate appender of type [ch.qos.logback.core.ConsoleAppender]
09:53:27,094 |-WARN in ch.qos.logback.core.ConsoleAppender[STDOUT] - This appender no longer admits a layout as a sub-component, set an encoder instead.
09:53:27,094 |-WARN in ch.qos.logback.core.ConsoleAppender[STDOUT] - To ensure compatibility, wrapping your layout in LayoutWrappingEncoder.
09:53:27,094 |-WARN in ch.qos.logback.core.ConsoleAppender[STDOUT] - See also http://logback.qos.ch/codes.html#layoutInsteadOfEncoder for details
09:53:27,095 |-INFO in ch.qos.logback.classic.model.processor.RootLoggerModelHandler - Setting level of ROOT logger to INFO
09:53:27,095 |-INFO in ch.qos.logback.classic.jul.LevelChangePropagator@56620197 - Propagating INFO level on Logger[ROOT] onto the JUL framework
09:53:27,096 |-INFO in ch.qos.logback.core.model.processor.AppenderRefModelHandler - Attaching appender named [STDOUT] to Logger[ROOT]
09:53:27,096 |-INFO in ch.qos.logback.core.model.processor.DefaultProcessor@6eda5c9 - End of configuration.
09:53:27,100 |-INFO in org.springframework.boot.logging.logback.SpringBootJoranConfigurator@55b7a4e0 - Registering current configuration as safe fallback point

---

| | | |_ | / |_ _ _ /\ _ __ __ _ | | ___ | |/ /_ _ / | |____
| || || | | / _ | '| / _ | '_ / / _| ' \/ -_) | ' </ _ | | / / `|
_/|| || ___|| // _| .___,_|||___| ||__,|| |__,|
|_|

2023-06-30 09:53:27,247 INFO [background-preinit] o.h.v.i.u.Version: HV000001: Hibernate Validator 8.0.0.Final
2023-06-30 09:53:27,405 INFO [main] c.p.k.u.KafkaUiApplication: Starting KafkaUiApplication using Java 17.0.6 with PID 1 (/kafka-ui-api.jar started by kafkaui in /)
2023-06-30 09:53:27,406 DEBUG [main] c.p.k.u.KafkaUiApplication: Running with Spring Boot v3.0.5, Spring v6.0.7
2023-06-30 09:53:27,407 INFO [main] c.p.k.u.KafkaUiApplication: No active profile set, falling back to 1 default profile: "default"
2023-06-30 09:53:31,453 INFO [main] o.s.c.s.PostProcessorRegistrationDelegate$BeanPostProcessorChecker: Bean 'org.springframework.boot.actuate.autoconfigure.observation.ObservationAutoConfiguration' of type [org.springframework.boot.actuate.autoconfigure.observation.ObservationAutoConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2023-06-30 09:53:31,476 INFO [main] o.s.c.s.PostProcessorRegistrationDelegate$BeanPostProcessorChecker: Bean 'observationRegistry' of type [io.micrometer.observation.SimpleObservationRegistry] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2023-06-30 09:53:33,305 DEBUG [main] c.p.k.u.s.SerdesInitializer: Configuring serdes for cluster test-plain
2023-06-30 09:53:34,311 INFO [main] o.s.b.a.e.w.EndpointLinksResolver: Exposing 2 endpoint(s) beneath base path '/actuator'
2023-06-30 09:53:34,367 INFO [main] o.s.b.a.s.r.ReactiveUserDetailsServiceAutoConfiguration:

Using generated security password: 2cdb66ac-808e-4b1a-a36e-70a1582ec6c5

2023-06-30 09:53:34,536 INFO [main] c.p.k.u.c.a.OAuthSecurityConfig: Configuring OAUTH2 authentication.
2023-06-30 09:53:35,396 INFO [main] o.s.b.w.e.n.NettyWebServer: Netty started on port 8080
2023-06-30 09:53:35,443 INFO [main] c.p.k.u.KafkaUiApplication: Started KafkaUiApplication in 9.463 seconds (process running for 10.613)
2023-06-30 09:53:37,517 DEBUG [parallel-2] c.p.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: test-plain
2023-06-30 09:53:37,540 INFO [parallel-2] o.a.k.c.a.AdminClientConfig: AdminClientConfig values:
bootstrap.servers = [svilab]
client.dns.lookup = use_all_dns_ips
client.id = kafka-ui-admin-1688118817-1
connections.max.idle.ms = 300000
default.api.timeout.ms = 60000
metadata.max.age.ms = 300000
metric.reporters = []
metrics.num.samples = 2
metrics.recording.level = INFO
metrics.sample.window.ms = 30000
receive.buffer.bytes = 65536
reconnect.backoff.max.ms = 1000
reconnect.backoff.ms = 50
request.timeout.ms = 30000
retries = 2147483647
retry.backoff.ms = 100
sasl.client.callback.handler.class = null
sasl.jaas.config = null
sasl.kerberos.kinit.cmd = /usr/bin/kinit
sasl.kerberos.min.time.before.relogin = 60000
sasl.kerberos.service.name = null
sasl.kerberos.ticket.renew.jitter = 0.05
sasl.kerberos.ticket.renew.window.factor = 0.8
sasl.login.callback.handler.class = null
sasl.login.class = null
sasl.login.connect.timeout.ms = null
sasl.login.read.timeout.ms = null
sasl.login.refresh.buffer.seconds = 300
sasl.login.refresh.min.period.seconds = 60
sasl.login.refresh.window.factor = 0.8
sasl.login.refresh.window.jitter = 0.05
sasl.login.retry.backoff.max.ms = 10000
sasl.login.retry.backoff.ms = 100
sasl.mechanism = GSSAPI
sasl.oauthbearer.clock.skew.seconds = 30
sasl.oauthbearer.expected.audience = null
sasl.oauthbearer.expected.issuer = null
sasl.oauthbearer.jwks.endpoint.refresh.ms = 3600000
sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms = 10000
sasl.oauthbearer.jwks.endpoint.retry.backoff.ms = 100
sasl.oauthbearer.jwks.endpoint.url = null
sasl.oauthbearer.scope.claim.name = scope
sasl.oauthbearer.sub.claim.name = sub
sasl.oauthbearer.token.endpoint.url = null
security.protocol = PLAINTEXT
security.providers = null
send.buffer.bytes = 131072
socket.connection.setup.timeout.max.ms = 30000
socket.connection.setup.timeout.ms = 10000
ssl.cipher.suites = null
ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
ssl.endpoint.identification.algorithm = https
ssl.engine.factory.class = null
ssl.key.password = null
ssl.keymanager.algorithm = SunX509
ssl.keystore.certificate.chain = null
ssl.keystore.key = null
ssl.keystore.location = null
ssl.keystore.password = null
ssl.keystore.type = JKS
ssl.protocol = TLSv1.3
ssl.provider = null
ssl.secure.random.implementation = null
ssl.trustmanager.algorithm = PKIX
ssl.truststore.certificates = null
ssl.truststore.location = null
ssl.truststore.password = null
ssl.truststore.type = JKS

2023-06-30 09:53:37,654 INFO [parallel-2] o.a.k.c.u.AppInfoParser: Kafka version: 3.3.1
2023-06-30 09:53:37,654 INFO [parallel-2] o.a.k.c.u.AppInfoParser: Kafka commitId: e23c59d00e687ff5
2023-06-30 09:53:37,654 INFO [parallel-2] o.a.k.c.u.AppInfoParser: Kafka startTimeMs: 1688118817652
2023-06-30 09:53:38,330 DEBUG [parallel-1] c.p.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: test-plain
2023-06-30 09:54:05,429 DEBUG [parallel-1] c.p.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: test-plain
2023-06-30 09:54:05,446 DEBUG [parallel-1] c.p.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: test-plain
2023-06-30 09:54:18,785 DEBUG [reactor-http-epoll-2] c.p.k.u.s.r.e.OauthAuthorityExtractor: Provider [keycloak] doesn't contain a roles field param name, mapping won't be performed`

Additional context

No response

[github-actions[bot]]

Hello there Gemini1983! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

[Haarolean]

The clusters are not visible because you don't have any permissions granted. The obvious reason for this is that you don't have any keycloak roles assigned. This could be verified by calling /api/authorization endpoint.
Also, you're missing the param "roles-field" required for RBAC.

[Gemini1983]

Thanks for your fast reply.
The token generated by Keycloak includes the granted roles. In the OAuth token, the following property is present:
"realm_access": { "roles": [ "default-roles-myrealm", "admin", "offline_access", "uma_authorization" ] }

Regarding the 'roles-field' parameter to configure in Kafka-UI, should it be set as 'realm_access' in this case?"

[Haarolean]

https://discord.com/channels/897805035122077716/1110687228415451166/1113239293977178133
This is the thread from a user with a working rbac via keycloak, but without the details. Feel free to join the discord (the link is available in readme) and ask around there.

[nguyenbuitk]

What is value of param "roles-filed" for keycloak? thanks for reply!

[Gemini1983]

The default value for the "roles-field" parameter in Keycloak is "realm_access.roles". However, Kafka-UI does not support nested roles in this structure. This limitation is why I opened an enhancement request on GitHub: #4024

If you have access to Keycloak, you can modify the default behavior (although it is not recommended) or create a custom mapping within your realm. By creating a new field specifically for roles, you can use its name as the value for "roles-field".

[hoeggi]

For future reference and people without discord accounts:

auth:
  type: OAUTH2
  oauth2:
    client:
      keycloak:
        clientId: xxx
        clientSecret: yyy
        scope: openid
        issuer-uri: https://<keycloak_instance>/auth/realms/<realm>
        user-name-attribute: preferred_username
        client-name: keycloak
        provider: keycloak
        custom-params:
          type: keycloak --> I had to change this  to oauth instead of keycloak, it had to match the provider value in the subject, no sure if it would also work with changing the provider value in the subject to keycloak.
          roles-field: --> this is the claim name inside the token from keycloak where to look for the roles, righ now this  only supports on level deep in the json. So you need to add a custom mapper to your client mapping the role (either client or realm role) to a top level claim.

      subjects:
        - provider: oauth
          type: role
          value: "role-name"

[Haarolean]

@fallen-up nope, you'd need a custom mapper, which is like, 2 clicks in UI :)

[fallen-up]

@Haarolean yeap, got to that last night, it was easier than it looked.
for history:

• client-roles:
  
• realm-roles:
  

[Haarolean]

@fallen-up feel free to update our docs with the information you might think will reduce the confusion

[cpapad]

@hoeggi @fallen-up I followed what you said I see the claim in the logs in top level (roles) but it still does not match my permissions properly. Could you please paste your example from the roles-field value maybe I am missing something

[fallen-up]

  config:
    AUTH_TYPE: "OAUTH2"
    AUTH_OAUTH2_CLIENT_KEYCLOCK_CLIENTID: "kafka-ui"
    AUTH_OAUTH2_CLIENT_KEYCLOCK_SCOPE: "openid"
    AUTH_OAUTH2_CLIENT_KEYCLOCK_ISSUER-URI: "https://xxx.yyy/auth/realms/kafka"
    AUTH_OAUTH2_CLIENT_KEYCLOCK_USER-NAME-ATTRIBUTE: "preferred_username"
    AUTH_OAUTH2_CLIENT_KEYCLOCK_CLIENT-NAME: "keycloak"
    AUTH_OAUTH2_CLIENT_KEYCLOCK_PROVIDER: "keycloak"
    AUTH_OAUTH2_CLIENT_KEYCLOCK_CUSTOM-PARAMS_TYPE: "oauth"
    AUTH_OAUTH2_CLIENT_KEYCLOCK_CUSTOM-PARAMS_ROLES-FIELD: "realm_roles"
    SPRING_CONFIG_ADDITIONAL-LOCATION: "/ssl/roles/roles.yml"