Readonly roles can create acls

[marcosschroh]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running main-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

When using RBAC with a readonly role it is possible to create ACLs, which I think it should not be allowed

Expected behavior

Read only roles should not be able to create ACLs.

Your installation details

# values.yaml
kafka-ui:
  # kubernetes resources
  image:
    repository: kafbat/kafka-ui
    tag: "v1.0.0"

# Chart.yaml
dependencies:
- name: kafka-ui
  version: "1.4.0"
  repository: "https://kafbat.github.io/helm-charts"

Steps to reproduce

Setup RBAC and use the configuration that is it found in the documentation

rbac:
  roles:
    - name: "readonly"
      clusters:
        # FILL THIS
      subjects:
        # FILL THIS
      permissions:
        - resource: clusterconfig
          actions: [ "view" ]

        - resource: topic
          value: ".*"
          actions: 
            - VIEW
            - MESSAGES_READ

        - resource: consumer
          value: ".*"
          actions: [ view ]

        - resource: schema
          value: ".*"
          actions: [ view ]

        - resource: connect
          value: ".*"
          actions: [ view ]

Screenshots

Logs

No response

Additional context

No response

[github-actions]

Hi marcosschroh! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

[Haarolean]

Please share the commit tag for the main-labeled image you've tried running

[kapybro]

Further user feedback is requested. Please reply within 7 days or we might close the issue.

[marcosschroh]

I am using v1.0.0 which is the only release in the project. This is the image id: ghcr.io/kafbat/kafka-ui:359069bf7f964bea6770cb45e9bbabe216e7611e

Containers:
  kafka-ui:
    Container ID:   containerd://xxxxxxxxx
    Image:          ghcr.io/kafbat/kafka-ui:v1.0.0
    Image ID:       ghcr.io/kafbat/kafka-ui@sha256:9f2b621d1be787dc5f0e91a55b0b8347fc4cf1e2cf0ec464b20a18f0168739b4
   ...

[kapybro]

Thanks for the additional feedback! We'll get back to your issue soon.

[Haarolean]

@marcosschroh

1.00 is the only release, but not the only image. Every commit to the main branch results in a new image which is tagged with main tag rather than latest.

[Haarolean]

Fixed within #330 which was an UI issue (the user couldn't actually create an ACL, but the button was enabled)

[marcosschroh]

Thanks @Haarolean . I can confirm that it works with the latest main. However, are we not on risk of always using tag: "main" rather than a specific version? If someone introduces a bug and an new image is published then we will get the bug as well. For development purposes it could be ok, but not for production. If I have to rolled back then is almost impossible.

[Haarolean]

@marcosschroh you can always pin a concrete version, like current main image has two tags: