RBAC: Support Gitlab teams #3249
Comments
|
Hi, currently we do not support gitlab for RBAC. |
Haarolean
added
type/enhancement
Haarolean
added
the
status/on-hold
|
@Haarolean Is there any progress on RBAC with Gitlab? Similar to @EI-Joao, we are able to login with Gitlab SSO, but RBAC would definitely help us. |
|
@varkey with our current bandwidth we have planned support for LDAP & generic oauth providers for the current release. It may work with gitlab as a generic provider, otherwise, it'll be a separate task in future releases. |
Haarolean
removed
the
status/on-hold
|
Hello. I'm not sure if my problem should be here. But I didn't find something related to the gitlab anywhere. ---
kafka:
clusters:
- name: <cluster>
bootstrapServers: <redacter>
spring:
security:
oauth2:
auth:
type: OAUTH2
oauth2:
client:
gitlab:
clientId: <redacted>
clientSecret: <redacted>
scope: ['openid', 'profile']
client-name: gitlab
provider: gitlab
redirect-uri: https://<redacted>/login/oauth2/code/gitlab
issuer-uri: https:// <redacted>
authorization-grant-type: authorization_code
user-name-attribute: nickname
custom-params:
type: oauth
roles-field: nickname
management:
health:
ldap:
enabled: false
rbac:
roles:
- name: "admins"
cluster:
- <cluster>
subjects:
- provider: oauth
type: role
value: "<nickname>"
permissions:
- resource: applicationconfig
actions: all
- resource: clusterconfig
actions: all
- resource: topic
value: ".*"
actions: all
- resource: consumer
value: ".*"
actions: all
- resource: schema
value: ".*"
actions: all
- resource: connect
value: ".*"
actions: all
- resource: ksql
actions: all
- resource: acl
value: ".*"
actions: [ view ]But after registration I see entire white screen, see picture: <time> DEBUG [reactor-http-nio-1] c.p.k.u.s.r.e.OauthAuthorityExtractor: Assigning role [<nickname>] to user [<nickname>]With <time> DEBUG [reactor-http-nio-3] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=RbacOidcUser[user=Name: [<nickname>], Granted Authorities: [[OIDC_USER, SCOPE_openid, SCOPE_profile]], User Attributes: [{sub=19, groups_direct=[<group>], profile=https://<redacted>/<nickname>, iss=https://<redacted>, groups=[<group>], preferred_username=<nickname>, https://gitlab.org/claims/groups/owner=[<group>], nonce=<redacted>, picture=https://<redacted>/uploads/-/system/user/avatar/19/avatar.png, aud=[<redacted>], auth_time=<time>, name=<redacted>, nickname=<nickname> sub_legacy=<redacted>, exp=<time>, iat=<time>}], groups=[admins]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[OIDC_USER, SCOPE_openid, SCOPE_profile]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@1ecb2f6'Is there a misconfiguration in config or did I something wrong? |
|
Hello @IIPOCTAK , 2024-05-02 09:02:02,176 DEBUG [reactor-http-epoll-4] c.p.k.u.s.r.e.OauthAuthorityExtractor: Assigning role [admin] to user [Alexander Boger] Did you find the solution for this problem? with kind regards Alexander Boger |
|
Hello @Alexander-ac. Unfortunately, I haven't found proper solution to fix white screen yet. Right now we are using basic auth to login in kafka-ui, but I hope that problem above will be noticed by developers and will be fixed in the future release. Kind regards. |
|
But that is extremely strange. I configured the whole thing with Azure (oauth). Honestly, I can't imagine that it isn't already supported. Does basic authentication also support RBAC? |
|
Please note this repo is not maintained (#4255). Happy to address your issues here: https://github.com/kafbat/kafka-ui |
|
@IIPOCTAK Yesterday I experimented with Keycloak and WebUI locally on my computer. I built the whole thing using Docker and simulated it without using reverse proxy. And look, it works! So I strongly suspect that the cause of the problem is the reverse proxy settings. |
|
I think I have now found the real reason for the problem. If I remove the SERVER_SERVLET_CONTEXT_PATH variable, the forwarding works properly. And the WEB-UI interface appears. |
|
Created an issue here @Alexander-ac Yes, we use ingress nginx as reverse proxy for kafka-ui. Unfortunately, I didn't use SERVER_SERVLET_CONTEXT_PATH in configuration, when I tried to use the variable in the configuration - problem still appears.
No, It doesn't. |
|
Me and @Haarolean no longer support this repo, don't you mind to post this to https://github.com/kafbat/kafka-ui |
Hi, I am trying to make kafka-ui available for an entire organization. For now I was able to integrate the authentication with GitLab, but when it comes to RBAC I can not find the config. Is it supported?
Config I am using for the authentication:
auth:
type: OAUTH2
oauth2:
client:
gitlab:
provider: gitlab
clientId: redacted
authorizationGrantType: authorization_code
clientSecret: redacted
redirectUri: http://kafka-ui.com/login/oauth2/code/gitlab
scope:
- read_user
clientName: GitLab
authorizationUri: https://gitlab.com/oauth/authorize
tokenUri: https://gitlab.com/oauth/token
userInfoUri: https://gitlab.com/api/v3/user
jwkSetUri: https://gitlab.com/oauth/discovery/keys
userNameAttribute: username
customParams:
type: gitlab
Config I am trying for RBAC:
rbac:
roles:
- name: "admin"
clusters:
- dev
subjects:
- provider: oauth_gitlab
type: user
value: "user1"
- provider: oauth_gitlab
type: user
value: "user2"
permissions:
- resource: clusterconfig
actions: all
- resource: topic
value: "."
actions: all
- resource: consumer
value: "."
actions: all
- resource: connect
value: ".*"
actions: all
The text was updated successfully, but these errors were encountered: