RBAC: Fix permissions getting available from other clusters (#330)

Haarolean · web-flow · commit 02877a4e3ec9 · 2024-05-01T14:19:17.000+04:00
diff --git a/api/src/main/java/io/kafbat/ui/service/rbac/AccessControlService.java b/api/src/main/java/io/kafbat/ui/service/rbac/AccessControlService.java
@@ -27,6 +27,7 @@
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import javax.annotation.Nullable;
+import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.collections.CollectionUtils;
@@ -54,7 +55,9 @@ public class AccessControlService {
   private final RoleBasedAccessControlProperties properties;
   private final Environment environment;
 
+  @Getter
   private boolean rbacEnabled = false;
+  @Getter
   private Set<ProviderAuthorityExtractor> oauthExtractors = Collections.emptySet();
 
   @PostConstruct
@@ -107,12 +110,14 @@ private boolean isAccessible(AuthenticatedUser user, AccessContext context) {
     if (context.cluster() != null && !isClusterAccessible(context.cluster(), user)) {
       return false;
     }
-    return context.isAccessible(getUserPermissions(user));
+    return context.isAccessible(getUserPermissions(user, context.cluster()));
   }
 
-  private List<Permission> getUserPermissions(AuthenticatedUser user) {
-    return properties.getRoles().stream()
+  private List<Permission> getUserPermissions(AuthenticatedUser user, String clusterName) {
+    return properties.getRoles()
+        .stream()
         .filter(filterRole(user))
+        .filter(role -> role.getClusters().stream().anyMatch(clusterName::equalsIgnoreCase))
         .flatMap(role -> role.getPermissions().stream())
         .toList();
   }
@@ -188,10 +193,6 @@ public Mono<Boolean> isConnectAccessible(String connectName, String clusterName)
     );
   }
 
-  public Set<ProviderAuthorityExtractor> getOauthExtractors() {
-    return oauthExtractors;
-  }
-
   public List<Role> getRoles() {
     if (!rbacEnabled) {
       return Collections.emptyList();
@@ -203,7 +204,4 @@ private Predicate<Role> filterRole(AuthenticatedUser user) {
     return role -> user.groups().contains(role.getName());
   }
 
-  public boolean isRbacEnabled() {
-    return rbacEnabled;
-  }
 }
diff --git a/frontend/src/components/ACLPage/List/List.tsx b/frontend/src/components/ACLPage/List/List.tsx
@@ -7,17 +7,19 @@ import useAppParams from 'lib/hooks/useAppParams';
 import { useAcls, useDeleteAcl } from 'lib/hooks/api/acl';
 import { ClusterName } from 'lib/interfaces/cluster';
 import {
+  Action,
   KafkaAcl,
   KafkaAclNamePatternType,
   KafkaAclPermissionEnum,
+  ResourceType,
 } from 'generated-sources';
 import useBoolean from 'lib/hooks/useBoolean';
-import { Button } from 'components/common/Button/Button';
 import ACLForm from 'components/ACLPage/Form/Form';
 import DeleteIcon from 'components/common/Icons/DeleteIcon';
 import { useTheme } from 'styled-components';
 import ACLFormContext from 'components/ACLPage/Form/AclFormContext';
 import PlusIcon from 'components/common/Icons/PlusIcon';
+import ActionButton from 'components/common/ActionComponent/ActionButton/ActionButton';
 
 import * as S from './List.styled';
 
@@ -148,9 +150,17 @@ const ACList: React.FC = () => {
   return (
     <S.Container>
       <PageHeading text="Access Control List">
-        <Button buttonType="primary" buttonSize="M" onClick={openFrom}>
+        <ActionButton
+          buttonType="primary"
+          buttonSize="M"
+          onClick={openFrom}
+          permission={{
+            resource: ResourceType.ACL,
+            action: Action.EDIT,
+          }}
+        >
           <PlusIcon /> Create ACL
-        </Button>
+        </ActionButton>
       </PageHeading>
       <Table
         columns={columns}
