
LDAP nested groups not supported #4445

Closed
4 tasks done
RomainDubois opened this issue May 15, 2024 · 3 comments
Labels: status/triage (Issues pending maintainers triage), type/bug (Something isn't working)

Comments

@RomainDubois

Issue submitter TODO list

  • I've looked up my issue in the FAQ
  • I've searched for an already existing issue here
  • I've tried running the master-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

With LDAP authentication, only direct groups of the connected user are collected to compute user roles.

Expected behavior

Groups should be collected recursively to compute user roles (= groups of groups).

Your installation details

Tested with version 83b5a60.

LDAP configuration:

AUTH_TYPE=LDAP
SPRING_LDAP_URLS=ldaps://my.ldap.url
SPRING_LDAP_USER_FILTER_SEARCH_BASE=cn=accounts,dc=my-company
SPRING_LDAP_GROUP_FILTER_SEARCH_BASE=cn=accounts,dc=my-company
SPRING_LDAP_USER_FILTER_SEARCH_FILTER=(&(uid={0})(objectClass=inetOrgPerson))
SPRING_LDAP_BASE=cn={0},dc=my-company
SPRING_CONFIG_ADDITIONAL-LOCATION=/roles/roles.yaml

roles.yaml:

---

rbac:
  roles:

    - name: admin
      clusters:
        - main
      subjects:
        - provider: ldap
          type: group
          value: nestedgroup
      permissions:
        - resource: applicationconfig
          actions: all
        - resource: clusterconfig
          actions: all
        - resource: topic
          value: ".*"
          actions: all
        - resource: consumer
          value: ".*"
          actions: all
        - resource: schema
          value: ".*"
          actions: all
        - resource: connect
          value: ".*"
          actions: all
        - resource: ksql
          actions: all
        - resource: acl
          value: ".*"
          actions: [ view ]

Steps to reproduce

  1. Find or create an LDAP user U which is a member of a group G1, where G1 is a member of another group G2. U should not be a direct member of G2.
  2. Configure Kafka-UI with LDAP authentication
  3. Configure a role on group G2
  4. Log in with user U
  5. Check that the user does not have the role

Screenshots

No response

Logs

No response

Additional context

No response
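To make the reported gap concrete, here is an added example (not Kafka-UI's or Spring LDAP's code) that models a small directory in memory and compares direct-only group lookup with a transitive lookup. It assumes groupOfNames-style groups with a `member` attribute; the DNs, the user `u`, the group `g1` and the group `nestedgroup` are constructed to mirror U, G1 and G2 from the report, and the cycle guard goes slightly beyond the report by handling a directory where groups reference each other.

```python
# Added example, not project code: transitive LDAP group resolution over a
# constructed in-memory directory, then RBAC role computation from the result.
from collections import deque

# Constructed directory: DN -> attributes. `member` holds member DNs.
# u is a direct member of g1; g1 is a member of nestedgroup (the role's group).
DIRECTORY = {
    "uid=u,cn=users,cn=accounts,dc=my-company": {"objectClass": ["inetOrgPerson"]},
    "cn=g1,cn=groups,cn=accounts,dc=my-company": {
        "objectClass": ["groupOfNames"], "cn": ["g1"],
        "member": ["uid=u,cn=users,cn=accounts,dc=my-company"],
    },
    "cn=nestedgroup,cn=groups,cn=accounts,dc=my-company": {
        "objectClass": ["groupOfNames"], "cn": ["nestedgroup"],
        "member": ["cn=g1,cn=groups,cn=accounts,dc=my-company"],
    },
}

# Constructed subset of the roles.yaml from the report: only the subject matters here.
RBAC_ROLES = [{"name": "admin",
               "subjects": [{"provider": "ldap", "type": "group", "value": "nestedgroup"}]}]


def direct_groups(directory, dn):
    """Groups that list `dn` directly in `member` (the behaviour the report describes)."""
    return {g for g, attrs in directory.items() if dn in attrs.get("member", [])}


def transitive_groups(directory, dn, max_depth=32):
    """Groups reachable through any chain of memberships (the expected behaviour).
    The `found` set stops group cycles; max_depth bounds pathological directories."""
    found, queue = set(), deque([(dn, 0)])
    while queue:
        current, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for g in direct_groups(directory, current) - found:
            found.add(g)
            queue.append((g, depth + 1))
    return found


def roles_for(directory, dn, rbac_roles, nested=True):
    """Names of roles whose ldap group subject matches one of the user's groups."""
    groups = transitive_groups(directory, dn) if nested else direct_groups(directory, dn)
    names = {directory[g]["cn"][0] for g in groups}
    return sorted(r["name"] for r in rbac_roles
                  if any(s["provider"] == "ldap" and s["type"] == "group"
                         and s["value"] in names for s in r["subjects"]))
```

With `nested=False` the user gets no role, reproducing the report; with `nested=True` the `admin` role is granted through `g1`.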

@RomainDubois RomainDubois added status/triage Issues pending maintainers triage type/bug Something isn't working labels May 15, 2024

Hello there RomainDubois! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

@Haarolean
Contributor

hey @RomainDubois, this repo is not maintained (#4255). But we'll be happy to accept your PR here: https://github.com/kafbat/kafka-ui

@RomainDubois
Author

Will switch to https://github.com/kafbat/kafka-ui
