Unable to apply subject-level RBAC bindings to cluster #285

Closed
lsolovey opened this issue May 27, 2021 · 3 comments · Fixed by #301
Labels
bug Something isn't working

Comments

@lsolovey
Contributor

lsolovey commented May 27, 2021

Describe the bug
JulieOps is unable to apply subject-level RBAC bindings to the cluster. It fails with the following error:

[ERROR] 2021-05-27 16:26:25.979 [main] MDSApiClient - java.io.IOException: java.io.IOException: Something happened with the connection, response status code: 400 body: {"error_code":40002,"message":"Role binding update of resource-scope role without any resources"}
[ERROR] 2021-05-27 16:26:25.979 [main] MDSApiClient - java.io.IOException: java.io.IOException: Something happened with the connection, response status code: 400 body: {"error_code":40002,"message":"Role binding update of resource-scope role without any resources"}
[ERROR] 2021-05-27 16:26:25.979 [main] MDSApiClient - java.io.IOException: java.io.IOException: Something happened with the connection, response status code: 400 body: {"error_code":40002,"message":"Role binding update of resource-scope role without any resources"}
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
[ERROR] 2021-05-27 16:26:25.984 [main] ExecutionPlan - Something happen running action {
  "Operation" : "com.purbon.kafka.topology.actions.access.CreateBindings",
  "Bindings" : [ {
    "resourceType" : "CLUSTER",
    "resourceName" : "cluster",
    "host" : "*",
    "operation" : "ResourceOwner",
    "principal" : "User:user1",
    "pattern" : "LITERAL",
    "scope" : {
      "clusters" : {
        "kafka-cluster" : "...",
        "schema-registry-cluster" : "..."
      },
      "resources" : [ {
        "name" : "Subject:mysubject",
        "patternType" : "LITERAL",
        "resourceType" : "Subject"
      } ]
    }
  } ]
}
java.io.IOException: java.io.IOException: Something happened with the connection, response status code: 400 body: {"error_code":40002,"message":"Role binding update of resource-scope role without any resources"}
        at com.purbon.kafka.topology.clients.JulieHttpClient.doRequest(JulieHttpClient.java:125) ~[julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.clients.JulieHttpClient.doPost(JulieHttpClient.java:74) ~[julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.api.mds.MDSApiClient.bindRequest(MDSApiClient.java:88) ~[julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.roles.RBACProvider.createBindings(RBACProvider.java:29) ~[julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.actions.access.CreateBindings.execute(CreateBindings.java:28) ~[julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.actions.BaseAccessControlAction.run(BaseAccessControlAction.java:30) ~[julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.ExecutionPlan.execute(ExecutionPlan.java:112) ~[julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.ExecutionPlan.run(ExecutionPlan.java:90) [julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.JulieOps.run(JulieOps.java:242) [julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.JulieOps.run(JulieOps.java:259) [julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.CommandLineInterface.processTopology(CommandLineInterface.java:207) [julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.CommandLineInterface.run(CommandLineInterface.java:156) [julie-ops.jar.orig:?]
        at com.purbon.kafka.topology.CommandLineInterface.main(CommandLineInterface.java:146) [julie-ops.jar.orig:?]
Caused by: java.io.IOException: Something happened with the connection, response status code: 400 body: {"error_code":40002,"message":"Role binding update of resource-scope role without any resources"}
        at com.purbon.kafka.topology.clients.JulieHttpClient.doRequest(JulieHttpClient.java:114) ~[julie-ops.jar.orig:?]
        ... 12 more

To Reproduce

  1. Create a very simple topology file (no topics needed to reproduce the bug):

     context: "mycontext"
     tenant: "tenant-1"

     projects:

       - name: "myapp"

         schemas:
           - principal: "User:user1"
             subjects:
               - "mysubject"

         topics: []

  2. Run JulieOps with this topology against an RBAC-enabled cluster
     (with JulieOps config topology.builder.access.control.class = com.purbon.kafka.topology.roles.RBACProvider)

  3. Observe the exception as shown above.

Expected behavior
JulieOps successfully creates the subject-level RBAC binding based on the schemas block of the topology.

Runtime (please complete the following information):

  • OS: Windows
  • JVM version: 11
  • Version 2.1.2
@lsolovey lsolovey added the bug Something isn't working label May 27, 2021
@lsolovey
Contributor Author

The problem seems to be related to MDSApiClient.bindRequest()
https://github.com/kafka-ops/julie/blob/master/src/main/java/com/purbon/kafka/topology/api/mds/MDSApiClient.java#L73

  public void bindRequest(TopologyAclBinding binding) throws IOException {
    // URL is built from the principal and the role name (the binding's "operation").
    String url = binding.getPrincipal() + "/roles/" + binding.getOperation();
    // Only non-CLUSTER bindings get the resource-scoped "/bindings" endpoint.
    if (!binding.getResourceType().equals(ResourceType.CLUSTER.name())) {
      url = url + "/bindings";
    }

    try {
      String jsonEntity;
      if (binding.getResourceType().equals(ResourceType.CLUSTER.name())) {
        // CLUSTER bindings send only the cluster ids; scope.resources is dropped here.
        jsonEntity = binding.getScope().clustersAsJson();
      } else {
        // Other bindings send the full scope, including the resource list.
        jsonEntity = binding.getScope().asJson();
      }
      LOGGER.debug("bind.entity: " + jsonEntity);
      doPost("/security/1.0/principals/" + url, jsonEntity);
    } catch (IOException e) {
      LOGGER.error(e);
      throw e;
    }
  }

According to the error logs the binding has resourceType=CLUSTER. This causes two issues in this method:

  1. Using incorrect REST endpoint - /bindings is not added to the URL
  2. RequestScope is serialized only with cluster ids - resources aren't serialized.

I guess the bigger question is why subject-level RBAC binding is considered as cluster-level binding. Does it properly represent actual domain model of the RBAC?
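
To make the failure mode concrete, here is an added illustration (not code from the JulieOps project, and not the fix that eventually landed) that models the two branches of the posted bindRequest() and a toy stand-in for the MDS-side check that produced error 40002. It takes the exact binding from the log above as constructed input and contrasts the shipped decision (branch on resourceType) with a hypothetical alternative (branch on whether the scope carries resources). The /bindings payload shape (scope.clusters plus resourcePatterns), the RESOURCE_SCOPED_ROLES set and the mds_check() function are assumptions made for the example.

```python
import json

MDS_BASE = "/security/1.0/principals/"

# Constructed sample input: the binding JulieOps logged in this issue, as a dict.
# The "..." cluster ids are placeholders copied from the log, not real ids.
ISSUE_BINDING = {
    "resourceType": "CLUSTER",
    "resourceName": "cluster",
    "host": "*",
    "operation": "ResourceOwner",
    "principal": "User:user1",
    "pattern": "LITERAL",
    "scope": {
        "clusters": {"kafka-cluster": "...", "schema-registry-cluster": "..."},
        "resources": [
            {"name": "Subject:mysubject", "patternType": "LITERAL", "resourceType": "Subject"}
        ],
    },
}

# Assumption: stand-in for the server's knowledge of which roles are
# resource-scoped. The page only shows that ResourceOwner is one.
RESOURCE_SCOPED_ROLES = {"ResourceOwner"}


def role_url(binding):
    """Base URL, built the same way as the posted bindRequest()."""
    return MDS_BASE + binding["principal"] + "/roles/" + binding["operation"]


def scope_body(binding):
    """Assumed shape of the resource-scoped (/bindings) payload."""
    return {
        "scope": {"clusters": binding["scope"]["clusters"]},
        "resourcePatterns": [
            {"resourceType": r["resourceType"], "name": r["name"], "patternType": r["patternType"]}
            for r in binding["scope"].get("resources", [])
        ],
    }


def request_as_shipped(binding):
    """Mirror the posted code: branch on the binding's resourceType.

    A binding tagged CLUSTER goes to the cluster-scope endpoint with only
    the cluster ids, so the Subject resource in scope is silently dropped.
    """
    if binding["resourceType"] == "CLUSTER":
        return role_url(binding), {"clusters": binding["scope"]["clusters"]}
    return role_url(binding) + "/bindings", scope_body(binding)


def request_by_scope(binding):
    """Hypothetical alternative: branch on whether the scope carries resources."""
    if binding["scope"].get("resources"):
        return role_url(binding) + "/bindings", scope_body(binding)
    return role_url(binding), {"clusters": binding["scope"]["clusters"]}


def mds_check(url, body):
    """Toy stand-in for the MDS validation behind error 40002.

    Returns the error body for a resource-scoped role sent without any
    resources, or None when the request would be accepted.
    """
    _principal, _sep, rest = url[len(MDS_BASE):].partition("/roles/")
    role = rest.split("/")[0]
    if role in RESOURCE_SCOPED_ROLES and not body.get("resourcePatterns"):
        return {
            "error_code": 40002,
            "message": "Role binding update of resource-scope role without any resources",
        }
    return None


if __name__ == "__main__":
    for build in (request_as_shipped, request_by_scope):
        url, body = build(ISSUE_BINDING)
        print(build.__name__, url, json.dumps(body), mds_check(url, body))
```

Running it shows the shipped branch posting to .../roles/ResourceOwner with a clusters-only body, which the check rejects with 40002, while the scope-based branch posts to .../roles/ResourceOwner/bindings with the Subject resource and passes. The point of the contrast is the one raised above: once a binding with resources is modelled as resourceType CLUSTER, the URL and the payload are both wrong, and the server error is the only signal.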

@ludovic-boutros
Contributor

Any progress on this ? How can I help ? @lsolovey @purbon

@lsolovey
Contributor Author

lsolovey commented Jul 1, 2021

@ludovic-boutros No progress yet.
As a workaround, in my local repo, I just hacked bindRequest() method mentioned above not to fail with the error in our specific use cases.
Then I assembled the custom jar, and just use such jar until we figure out the proper fix.

As for the proper fix, I'm not sure how would it look like. As I mentioned in the previous comment:

I guess the bigger question is why subject-level RBAC binding is considered as cluster-level binding. Does it properly represent actual domain model of the RBAC?
