
BE: RBAC: Subject type/value is unintended to be optional #719

Open
wants to merge 1 commit into
base: main
from

Conversation

wernerdv
Contributor

@wernerdv wernerdv commented Dec 19, 2024

  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)

  • minor refactoring

Is there anything you'd like reviewers to focus on?

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

@wernerdv wernerdv requested a review from a team as a code owner December 19, 2024 12:37
@kapybro kapybro bot added status/triage Issues pending maintainers triage status/triage/manual Manual triage in progress area/rbac Related to Role Based Access Control feature status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Dec 19, 2024
@wernerdv
Contributor Author

wernerdv commented Dec 19, 2024

@Haarolean I checked locally and with these changes RBAC with AD works as expected for both types (user, group).

Parameter value rbac.roles.name can be anything.

If needed, I can add integration tests with Active Directory.

@wernerdv
Contributor Author

@Haarolean I've added integration tests with Active Directory.
Please take a look.

@@ -63,24 +62,39 @@ public ReactiveAuthenticationManager authenticationManager(LdapContextSource lda
ba.setUserSearch(userSearch);
}

AuthenticationManager manager = new ProviderManager(List.of(
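Review bot: the provider list passed to `new ProviderManager(List.of(` on the last visible line is cut off, so the order of authentication providers and whether the `ba.setUserSearch(userSearch)` branch above it is always reached cannot be verified from this hunk; the header also shows the LDAP `authenticationManager` method growing from 24 to 39 lines, which the maintainer's comment below attributes to the separate #54/#717 work. Consider moving the LDAP provider changes out of this PR and keeping only the subject type/value change here, so the remaining hunk is small enough to review in full.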
Member


Let's not mix the distinct issues in one PR, please. #54 is to be solved within #717 (which was planned as more of a refactoring PR first, but, welp, it's another story).

#716 has nothing to do with LDAP in particular, we'd need RBAC subject validation. In io.kafbat.ui.model.rbac.Permission and Role classes there's a validate method, perhaps implementing one for Subject as well is the way here.
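A sketch of the fail-closed Subject validation the reviewer suggests, added here as an example and not the kafbat/kafka-ui code: the field names, the Provider enum and the role-level walk are assumptions, modelled on the validate methods the comment says Permission and Role already have.

```java
// Added example (not the project's code): a Subject whose type and value are
// required, validated at configuration load so a mis-typed RBAC subject fails
// start-up instead of silently matching nothing (or, worse, everything).
import java.util.List;
import java.util.Objects;

public class SubjectValidationExample {

  // Assumed provider names; the real enum in the project may differ.
  enum Provider { LDAP, OAUTH_GOOGLE, OAUTH_GITHUB }

  static final class Subject {
    private final Provider provider;
    private final String type;   // e.g. "user" or "group"
    private final String value;  // e.g. a username or a group name

    Subject(Provider provider, String type, String value) {
      this.provider = provider;
      this.type = type;
      this.value = value;
    }

    // Mirrors the style of a validate() method: throw on anything missing.
    void validate() {
      Objects.requireNonNull(provider, "subject provider cannot be null");
      if (type == null || type.isBlank()) {
        throw new IllegalArgumentException("subject type cannot be null or empty");
      }
      if (value == null || value.isBlank()) {
        throw new IllegalArgumentException("subject value cannot be null or empty");
      }
    }
  }

  // A role with no subjects, or with an invalid one, is rejected as a whole.
  static void validateRole(String roleName, List<Subject> subjects) {
    if (subjects == null || subjects.isEmpty()) {
      throw new IllegalArgumentException("role '" + roleName + "' has no subjects");
    }
    subjects.forEach(Subject::validate);
  }

  public static void main(String[] args) {
    validateRole("admins", List.of(new Subject(Provider.LDAP, "group", "kafka-admins")));
    try {
      validateRole("broken", List.of(new Subject(Provider.LDAP, "group", null)));
    } catch (IllegalArgumentException e) {
      System.out.println("rejected as expected: " + e.getMessage());
    }
  }
}
```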

Contributor Author

@wernerdv wernerdv Dec 25, 2024


Maybe we can merge this PR as is for the task fix #54 and I'll do the RBAC subject validation (#716) in a separate PR, what do you say?

Member


Let's rather not. This is not quite the changes we need to resolve #54; I've already started implementing the required adjustments in #717.

@ActiveProfiles("rbac-ad")
@AutoConfigureWebTestClient(timeout = "60000")
@ContextConfiguration(initializers = {ActiveDirectoryIntegrationTest.Initializer.class})
public class ActiveDirectoryIntegrationTest {
Member


This one is really cool tho, can you raise a separate PR with these tests so we can merge this?

Btw, we don't quite need kafka container here, the app can perfectly start with no defined clusters.

Contributor Author


Btw, we don't quite need kafka container here, the app can perfectly start with no defined clusters.

Yes, but there's a test that checks the creation of a topic on a cluster.

Member


Yes, but there's a test that checks the creation of a topic on a cluster.

This sounds redundant. Authenticating successfully should suffice.

Contributor Author

@wernerdv wernerdv Dec 26, 2024


can you raise a separate PR with these tests so we can merge this?

Opened the PR with the tests #726

@Haarolean Haarolean marked this pull request as draft January 6, 2025 12:13
@wernerdv wernerdv requested a review from Haarolean January 7, 2025 16:27
@wernerdv wernerdv marked this pull request as ready for review January 7, 2025 16:27