Readonly roles can create acls #370


Closed
4 tasks done
marcosschroh opened this issue May 6, 2024 · 9 comments
Labels
area/rbac Related to Role Based Access Control feature scope/frontend Related to frontend changes status/invalid This doesn't seem right status/triage/completed Automatic triage completed type/bug Something isn't working

Comments

marcosschroh commented May 6, 2024

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for an already existing issue here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

When using RBAC with a readonly role it is possible to create ACLs, which I think should not be allowed.

Expected behavior

Read only roles should not be able to create ACLs.

Your installation details

# values.yaml
kafka-ui:
  # kubernetes resources
  image:
    repository: kafbat/kafka-ui
    tag: "v1.0.0"

# Chart.yaml
dependencies:
- name: kafka-ui
  version: "1.4.0"
  repository: "https://kafbat.github.io/helm-charts"

Steps to reproduce

Set up RBAC and use the configuration that is found in the documentation:

rbac:
  roles:
    - name: "readonly"
      clusters:
        # FILL THIS
      subjects:
        # FILL THIS
      permissions:
        - resource: clusterconfig
          actions: [ "view" ]

        - resource: topic
          value: ".*"
          actions: 
            - VIEW
            - MESSAGES_READ

        - resource: consumer
          value: ".*"
          actions: [ view ]

        - resource: schema
          value: ".*"
          actions: [ view ]

        - resource: connect
          value: ".*"
          actions: [ view ]

Screenshots

[Screenshot 2024-05-06 at 16 30 36]
[Screenshot 2024-05-06 at 16 32 38]

Logs

No response

Additional context

No response
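The security-relevant point in this report is where the authorization decision is made: a role that only lists `view`-style actions must be denied an ACL-creating action by the backend, whatever state the frontend button happens to be in. The following is an added example, not kafka-ui's own code, that evaluates the readonly role from the issue body with a default-deny check. The evaluation rules it assumes (case-insensitive action names, a `value` regex matched against the target, a permission without `value` matching the resource as a whole) are this example's assumptions, not a description of kafka-ui's implementation; the second role is constructed for contrast.

```python
"""Server-side permission check for an RBAC role definition in the shape shown
in the issue.  Added example; not kafka-ui's code.  The matching rules below are
assumptions for the example, not kafka-ui's actual semantics."""
import re

# Constructed: the "readonly" role from the issue body, transcribed into a dict
# so the example runs without a YAML library.
READONLY_ROLE = {
    "name": "readonly",
    "permissions": [
        {"resource": "clusterconfig", "actions": ["view"]},
        {"resource": "topic", "value": ".*", "actions": ["VIEW", "MESSAGES_READ"]},
        {"resource": "consumer", "value": ".*", "actions": ["view"]},
        {"resource": "schema", "value": ".*", "actions": ["view"]},
        {"resource": "connect", "value": ".*", "actions": ["view"]},
    ],
}

# Constructed for contrast only: a role that does get an ACL-creating action.
# The action name "create" is an assumption of this example.
ACL_ADMIN_ROLE = {
    "name": "acl-admin",
    "permissions": [
        {"resource": "acl", "value": ".*", "actions": ["view", "create"]},
    ],
}


def _entries_for(role, resource, target):
    """Yield the permission entries of `role` that apply to resource/target."""
    for perm in role["permissions"]:
        if perm["resource"].lower() != resource.lower():
            continue
        pattern = perm.get("value")
        if pattern is None:
            yield perm  # no value restriction: applies to the whole resource
        elif target is not None and re.fullmatch(pattern, target):
            yield perm  # value regex must match the concrete target


def is_allowed(role, resource, action, target=None):
    """Default deny: True only if some matching entry lists `action`."""
    wanted = action.lower()
    for perm in _entries_for(role, resource, target):
        if wanted in {a.lower() for a in perm["actions"]}:
            return True
    return False


def allowed_actions(role, resource, target=None):
    """Every action the role grants on resource/target, sorted.  A UI that
    renders buttons from this list makes the same decision as the backend
    instead of guessing."""
    actions = set()
    for perm in _entries_for(role, resource, target):
        actions.update(a.lower() for a in perm["actions"])
    return sorted(actions)


if __name__ == "__main__":
    for role in (READONLY_ROLE, ACL_ADMIN_ROLE):
        print(role["name"], "create acl ->",
              is_allowed(role, "acl", "create", "User:alice"))
```

Run as a script it prints `readonly create acl -> False` and `acl-admin create acl -> True`. The useful property is that `is_allowed` and `allowed_actions` share one matching routine, so a frontend that enables controls from `allowed_actions` cannot disagree with the backend's `is_allowed` verdict, which is exactly the mismatch this issue turned out to be.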

@marcosschroh marcosschroh added status/triage Issues pending maintainers triage type/bug Something isn't working labels May 6, 2024
@kapybro kapybro bot added status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels May 6, 2024

github-actions bot commented May 6, 2024

Hi marcosschroh! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

Haarolean (Member) commented:

Please share the commit tag for the main-labeled image you've tried running


kapybro bot commented May 6, 2024

Further user feedback is requested. Please reply within 7 days or we might close the issue.


marcosschroh commented May 6, 2024

I am using v1.0.0 which is the only release in the project. This is the image id: ghcr.io/kafbat/kafka-ui:359069bf7f964bea6770cb45e9bbabe216e7611e

Containers:
  kafka-ui:
    Container ID:   containerd://xxxxxxxxx
    Image:          ghcr.io/kafbat/kafka-ui:v1.0.0
    Image ID:       ghcr.io/kafbat/kafka-ui@sha256:9f2b621d1be787dc5f0e91a55b0b8347fc4cf1e2cf0ec464b20a18f0168739b4
   ...


kapybro bot commented May 6, 2024

Thanks for the additional feedback! We'll get back to your issue soon.

Haarolean (Member) commented:

@marcosschroh
[image]

1.0.0 is the only release, but not the only image. Every commit to the main branch results in a new image, which is tagged with the main tag rather than latest.

Haarolean (Member) commented:

Fixed within #330, which was a UI issue (the user couldn't actually create an ACL, but the button was enabled).

@Haarolean Haarolean closed this as not planned Won't fix, can't repro, duplicate, stale May 6, 2024
@Haarolean Haarolean added status/invalid This doesn't seem right scope/frontend Related to frontend changes area/rbac Related to Role Based Access Control feature and removed status/triage/manual Manual triage in progress labels May 6, 2024

marcosschroh commented May 6, 2024

Thanks @Haarolean. I can confirm that it works with the latest main. However, are we not at risk by always using tag: "main" rather than a specific version? If someone introduces a bug and a new image is published, then we will get the bug as well. For development purposes it could be OK, but not for production. If I have to roll back, then it is almost impossible.

Haarolean (Member) commented:

@marcosschroh you can always pin a concrete version; for example, the current main image has two tags:
[image]
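The exchange above is about supply-chain hygiene for the deployed image: a floating tag such as `main` (or `latest`) changes underneath you, a version tag is better but can still be re-pushed, and only a digest reference is immutable and trivially rolled back. As an added example that is not part of the issue or of kafka-ui, the check below parses an image reference, classifies it, and rewrites a floating reference to a digest-pinned one. The digest it uses is the one reported for `v1.0.0` in this thread; which tag names count as mutable is this example's assumption.

```python
"""Classify container image references by how reproducibly they resolve and
pin them to a digest.  Added example; not kafka-ui or chart code."""
import re

# Assumption for this check: tag names treated as floating/mutable.
MUTABLE_TAGS = {"main", "master", "latest", "nightly", "edge"}

# Digest reported for ghcr.io/kafbat/kafka-ui:v1.0.0 earlier in this issue.
V1_0_0_DIGEST = "sha256:9f2b621d1be787dc5f0e91a55b0b8347fc4cf1e2cf0ec464b20a18f0168739b4"

_DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image_ref(ref):
    """Split 'name[:tag][@sha256:...]' into (name, tag, digest).

    A ':' that belongs to a registry port (localhost:5000/app) is not a tag,
    which is why the tag part is rejected if it still contains a '/'."""
    name_tag, _, digest = ref.partition("@")
    if digest and not _DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    name, sep, tag = name_tag.rpartition(":")
    if not sep or "/" in tag:
        name, tag = name_tag, None
    if not name:
        raise ValueError(f"not an image reference: {ref!r}")
    return name, tag, (digest or None)


def classify_image_ref(ref):
    """Return a dict with the parsed parts and a 'kind' of
    'digest-pinned', 'version-tag' or 'mutable'."""
    name, tag, digest = parse_image_ref(ref)
    if digest:
        kind = "digest-pinned"      # immutable: content-addressed
    elif tag is None or tag.lower() in MUTABLE_TAGS:
        kind = "mutable"            # floats with every push to that tag
    else:
        kind = "version-tag"        # better, but a tag can still be re-pushed
    return {"name": name, "tag": tag, "digest": digest, "kind": kind}


def pin_to_digest(ref, digest):
    """Rewrite `ref` so it resolves by digest; the tag is kept for readability
    but the digest is what the runtime pulls."""
    if not _DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest {digest!r}")
    info = classify_image_ref(ref)
    tag_part = f":{info['tag']}" if info["tag"] else ""
    return f"{info['name']}{tag_part}@{digest}"


if __name__ == "__main__":
    for ref in ("ghcr.io/kafbat/kafka-ui:main",
                "ghcr.io/kafbat/kafka-ui:v1.0.0",
                pin_to_digest("ghcr.io/kafbat/kafka-ui:v1.0.0", V1_0_0_DIGEST)):
        print(f"{classify_image_ref(ref)['kind']:14} {ref}")
```

In a Helm values file the same idea is to set the chart's image tag to the concrete commit-tagged image the maintainer points at (or, where the chart supports it, a digest) rather than `main`, and to record the digest you rolled out so that rollback is a one-line change instead of a search.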
