
BE: RBAC: Support provider for basic auth #917


Closed
wants to merge 3 commits into from

Conversation

wernerdv
Contributor

  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)
Resolve #850

Is there anything you'd like reviewers to focus on?

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

@wernerdv wernerdv requested a review from a team as a code owner March 11, 2025 19:01
@kapybro kapybro bot added status/triage (Issues pending maintainers triage), area/auth (App authentication related issues), area/rbac (Related to Role Based Access Control feature), status/triage/manual (Manual triage in progress), status/triage/completed (Automatic triage completed) and removed status/triage (Issues pending maintainers triage) labels Mar 11, 2025
create basic auth extractor
@wernerdv wernerdv requested a review from Haarolean March 12, 2025 10:54
}
}

private String password(String password, PasswordEncoder encoder) {
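Review bot: whatever form this helper ends up taking, the string it returns is what gets stored as the user's credential, so the unit test for this class should assert that the stored value is not the raw `password` argument and that `encoder.matches(rawPassword, storedValue)` holds; that pins the encoding step in place even if the helper is later folded into a direct `encoder.encode(password)` call.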

I don't think we even need this method; we could delegate this to the encoder, which should handle it via encoder.encode(password).


return new RbacUserDetailsService(new RbacBasicAuthUser(userDetails, extractor.groups(user.getName())));
} else {
return new MapReactiveUserDetailsService(userDetails);
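Review bot: the `else` branch hands back a plain MapReactiveUserDetailsService, so anyone authenticated through it carries no RBAC groups at all; that branch should only be reachable when RBAC is disabled, and checking that condition once at the top of the method with an early return makes it impossible for an RBAC-enabled deployment to fall through to the ungrouped service. Note also that `extractor.groups(user.getName())` runs here, at service construction, so group membership is fixed from configuration at startup rather than resolved per login, which is worth a comment on the method.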

here we can do a fast return at the beginning of the method

.filter(role -> role.getSubjects().stream()
.filter(subj -> Provider.LOGIN_FORM.equals(subj.getProvider()))
.filter(subj -> "user".equals(subj.getType()))
.anyMatch(subj -> username.equals(subj.getValue()))
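Review bot: if this match becomes case-insensitive, the configuration should be validated so that no two basic-auth users differ only in letter case, because the subject lookup would then map both to the same role set; with the current exact `equals`, a case mismatch between a user entry and a role subject fails closed (no role) rather than open, which is the safer default if that validation is not added. The `"user"` literal for the subject type would also read better as a shared constant next to `Provider.LOGIN_FORM`.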

I'd suggest equalsIgnoreCase here just in case, what do you think?

private WebTestClient client;

@Test
void testUserPermissions() {
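Review bot: the test would be stronger with a negative case next to the permission check: a configured basic-auth user with no matching `user` subject in any role should authenticate successfully but receive no permissions, which pins the default-deny behaviour of the extractor rather than only the happy path.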

thanks for adding a test 😄

@Haarolean Haarolean added type/enhancement (An enhancement/improvement to an already existing feature), scope/backend (Related to backend changes) and removed status/triage/manual (Manual triage in progress) labels Mar 14, 2025
@Haarolean
Member

@wernerdv hey, before you dive in: we thought it looked kinda weird to assign RBAC for a single user, and it seems we could achieve the same result by implementing #344 instead. What do you think?

@Haarolean Haarolean dismissed their stale review March 14, 2025 11:37

outdated

@wernerdv
Contributor Author

> @wernerdv hey, before you dive in: we thought it looked kinda weird to assign RBAC for a single user, and it seems we could achieve the same result by implementing #344 instead. What do you think?

Implementing a default role makes sense, but that would still require creating a provider for auth.type=LOGIN_FORM, or am I mistaken?

@germanosin
Member

> @wernerdv hey, before you dive in: we thought it looked kinda weird to assign RBAC for a single user, and it seems we could achieve the same result by implementing #344 instead. What do you think?
>
> Implementing a default role makes sense, but that would still require creating a provider for auth.type=LOGIN_FORM, or am I mistaken?

Maybe instead of LoginForm it would be better to add a provider wildcard (ANY) and add this role as default?

@Haarolean
Member

> @wernerdv hey, before you dive in: we thought it looked kinda weird to assign RBAC for a single user, and it seems we could achieve the same result by implementing #344 instead. What do you think?
>
> Implementing a default role makes sense, but that would still require creating a provider for auth.type=LOGIN_FORM, or am I mistaken?

I don't think so, we'd just apply a default role for anyone who can successfully log in, no matter what auth method

@wernerdv
Contributor Author

@Haarolean @germanosin Alright, so can we close this PR then?
If you haven't started working on #344 yet, I can take on the task.

@Haarolean
Member

> @Haarolean @germanosin Alright, so can we close this PR then? If you haven't started working on #344 yet, I can take on the task.

yeah I think so. Sorry that we thought about it too late :)
Sure, #344 is yours!

@Haarolean Haarolean closed this Mar 14, 2025
@Haarolean Haarolean mentioned this pull request Apr 17, 2025
Successfully merging this pull request may close these issues.

BE: RBAC: Support provider for basic auth
3 participants