Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

enhancement: support for acls-filter-regexp #1281

Merged
merged 1 commit into from
Jan 2, 2023

Conversation

meeraj257
Copy link
Contributor

This PR contains changes to support Regex for filtering security groups based on principal names added to the acl bindings

Copy link
Contributor

@LittleWat LittleWat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I really appreciate your work!
(I am new to AKHQ and you can ignore me but I left a couple of comments and questions.)

public List<AccessControl> findAll(String clusterId, Optional<String> search) throws ExecutionException, InterruptedException {
return toGroupedAcl(kafkaWrapper
.describeAcls(clusterId, AclBindingFilter.ANY)
.stream()
.filter(aclBinding -> isSearchMatch(search, aclBinding.entry().principal()))
.filter(aclBinding -> isMatchRegex(getAclFilterRegex(),aclBinding.entry().principal()))
Copy link
Contributor

@LittleWat LittleWat Dec 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

space should be here?

Suggested change
.filter(aclBinding -> isMatchRegex(getAclFilterRegex(),aclBinding.entry().principal()))
.filter(aclBinding -> isMatchRegex(getAclFilterRegex(), aclBinding.entry().principal()))

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LittleWat - good catch :) Must have been my fingers.

var searchResult = aclRepository.findByPrincipal(KafkaTestCluster.CLUSTER_ID, AccessControl.encodePrincipal("test:toto"), Optional.empty());
assertEquals("test:toto", searchResult.getPrincipal());
assertEquals(2, searchResult.getAcls().size());
assertEquals(2, searchResult
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure whether this test case is necessary or not.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LittleWat - I added to make sure few more principal patterns other than one starting with user* still works after my changes.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I just thought both the result(searchResult.getAcls().size() and searchResult.stream().filter(acl -> acl.getOperation().getPermissionType() == AclPermissionType.ALLOW).count()) ) are 2, so it might be okay to remove the latter one. This is just a thought so that you can ignore it. 🙇

@@ -114,6 +117,8 @@ akhq:
attributes:
topics-filter-regexp:
- "test.*"
acls-filter-regexp:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure this is necessary because this group does not have acls/read role

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LittleWat - Same comment as one below

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@@ -131,6 +136,9 @@ akhq:
- topic/insert
- topic/delete
- registry/version/delete
attributes:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same above

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LittleWat - I added these as part of trying to locally test the changes for non-default groups. No harm in leaving it i think

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@meeraj257

No harm in leaving it i think

Thank you for your reply! I think so too but I just felt a bit strange that no-filter group has the filter(acls-filter-regexp).

@@ -104,6 +104,9 @@ akhq:
- connect/update
- connect/delete
- connect/state/update
attributes:
Copy link
Contributor

@LittleWat LittleWat Dec 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, this might be a stupid question. If we remove this, void findAllByUser() in AccessControlRepositoryTest.java will fail, right...? ( I mean that if we remove it, assertEquals(5, searchResult.getAcls().size()); would become assertEquals(7, searchResult.getAcls().size());)

@tchiotludo tchiotludo merged commit 823cff6 into tchiotludo:dev Jan 2, 2023
@tchiotludo
Copy link
Owner

Amazing !

@matigoal
Copy link

Hello,

I change akhq version 0.16 to the last 0.24 but i think may be the structure change for the mapping of groups and the permissions filters.
Here is an extract from my application.yml version 0.16:

 security:
    enabled: true
    default-group: default
    groups:
      default: no-roles
      ORIGIN-GROUP:
        name: ORIGIN-GROUP
        roles:
          - node/read
          - acls/read
        attributes:
          topics-filter-regexp:
             - "^*$"
      GROUP-FIRST:
        name: GROUP-FIRST
        roles:
          - topic/read
          - topic/insert
          - topic/delete
          - topic/config/update
          - node/read
          - topic/data/read
          - topic/data/insert
          - topic/data/delete
          - group/read
          - group/offsets/update
          - registry/read
          - acls/read
        attributes:
          topics-filter-regexp:
             - "^.*group1.*-pcr1.*$"
             - "^.*group1.*-pcdn.*$"
      GROUP-SECOND:
        name: GROUP-SECOND
        roles:
          - topic/read
          - topic/data/read
          - group/read
          - registry/read
          - acls/read
        attributes:
          topics-filter-regexp:
             - "^.*group2.*-pcr1.*$"
             - "^.*group2.*-pcdn.*$"

But in the last version 0.24 i see this change [1][2] for declare the default-group:

security:
   enabled: true
   default-group: no-roles
   groups:
    no-roles:
     ORIGIN-GROUP:
       name: ORIGIN-GROUP
       roles:
         - node/read
         - acls/read
       attributes:
         topics-filter-regexp:
            - "^*$"
     GROUP-FIRST:
       name: GROUP-FIRST
       roles:
         - topic/read
         - topic/insert
         - topic/delete
         - topic/config/update
         - node/read
         - topic/data/read
         - topic/data/insert
         - topic/data/delete
         - group/read
         - group/offsets/update
         - registry/read
         - acls/read
       attributes:
         topics-filter-regexp:
            - "^.*group1.*-pcr1.*$"
            - "^.*group1.*-pcdn.*$"
     GROUP-SECOND:
       name: GROUP-SECOND
       roles:
         - topic/read
         - topic/data/read
         - group/read
         - registry/read
         - acls/read
       attributes:
         topics-filter-regexp:
            - "^.*group2.*-pcr1.*$"
            - "^.*group2.*-pcdn.*$"

What's the good use for define my default-group the example 1 or the example 2 for the last version 0.24?

Thank you for your help in advance.

[1] https://akhq.io/docs/configuration/authentifications/external.html

[2] https://github.com/tchiotludo/akhq/blob/0.24.0/application.example.yml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants