New ACLS systems ! Need feedback

[tchiotludo]

There is many features request about acls: #451 #456 #291 #254.
You want to have more fine grained acl !

Now how ! I create this issue more to have feedback from you !
There is many ways to handle it, so since I want this to be last rework on AKHQ ACL!
For every comment, can you add a 👍 or others reaction in order to track the most wanted and also you can add some comments about the reason and special idea you may have !

Thanks for your help !

[tchiotludo]

One way will be to have this kind of configurations :

group:
  - name: my-group-name 
    roles: 
     - topic/read
    conditions: 
     - type: cluster
       values: 
       - prd 
     - type: topic 
       values:
       - "test\\.reader.*"
     - type: group
       values:
       - "group\\.reader.*"
       - "group\\.writer.*"
     - type: connect-cluster
       values:
       - "connect\\.reader.*"
     - type: connect-task
       values:
       - "connect\\.task.*

I think you will be able to to do anythings you want, and it will be extensible in the future

[tchiotludo]

One more standard ways will be :

groups:
  - name: admin
    cluster: prd 
    topics: 
      - "topic.*prd.*"
    groups: 
      - "group\\.reader.*"
      - "group\\.writer.*"
    connect-cluster: 
      - cluster-1
    connect-task: 
      - "task\\.jdbc.*"
    roles:  
      - topic/read
      - topic/insert
      - topic/delete
      - topic/config/update

[tchiotludo]

Any suggest ?

[twobeeb]

Let me expose some use case I might have in the next few months.
As a reminder, we use AKHQ for read-only purpose on topics and connects.

For a given LDAP group, I want to be able :

• allow all topics prefixed with "something.*" to be visible on all clusters (or a rather big list)
• allow some topics to be visible in certain clusters
• allow other topics to be visible in other clusters

I believe that solution 2 is clearer than solution 1. In both scenario my use-case is covered.
Example with solution 2:

akhq:
  security:
    groups:
      - name: project_1-cluster1
        cluster: cluster1
        topics: 
          - "project_1.*"
          - "fixed_topic_001"
        roles:  
          - topic/read
      - name: project_1-cluster2
        cluster: cluster2
        topics: 
          - "project_1.*"
          - "fixed_topic_002"
        roles:  
          - topic/read
    ldap:
      groups:
        - name: LDAP-PROJECT-1
          groups:
            - project_1-cluster1
            - project_1-cluster2

But solution 2 seems not to address #456

[sverrehu]

Maybe consider moving the akhq.security section, or at least the parts that deal with access to the cluster, to akhq.connections.<foo>.security. In my mind defining who has access to read/write/delete topics has more to do with the cluster in question than with AKHQ as a front-end to possibly multiple clusters.

This approach will make it much easier to read what is permitted, than tracing through a long list of global rules that have cluster-conditions sprinkled around.

Of course this splitting may lead to duplicated rules, particularly for clusters that are mostly identical (ie. the same regexps make sense throughout and any cluster-side ACLs/RBACs are equivalent).

To avoid making it a breaking change, the current, global approach could be kept as a default.

[eddyv]

Hey, I'd be willing to contribute for this! I kind of like the way that acls are defined currently. The only modification I'd make is to bind any attributes defined to a specific group-role.

Example yaml file:

akhq:
  security:
    default-group: no-roles
    groups:
      dev-reader:
        name: dev-reader # an example of a dev user that has read permissions to kafkahq
        roles:
          - topic/read
          - node/read
          - group/read
          - acls/read
          - registry/read
          - connect/read
      connect-topic-reader: # an example of topic data read permissions only on kconnect-* topics
        name: connect-topic-reader
        roles:
          - topic/read
          - topic/data/read
        attributes:
          - topics-filter-regexp: "^kconnect-.*"
      ops-reader: # ops has permissions to read all topics
        name: topic-reader
        roles:
          - topic/read
        attributes:
          - topics-filter-regexp: ".*"
    ldap:
      groups:
        - name: ops
          groups:
            - dev-reader
            - ops-reader
        - name: dev
          groups:
            - dev-reader
        - name: connect
          groups:
            - dev-reader
            - connect-topic-reader

My expectation is for the above to let ops have all the access of dev + read access to all topic data, dev to only have read access to topic/cluster/schema/... metadata and for connect to have all the access of dev + topic data for topics starting with kconnect-*.

I like both approaches for cluster-specific ACLs as specified by @sverrehu and @twobeeb, but I do think @sverrehu's method may be more flexible.

[angeloxx]

My case is slightly different because we run a cluster that support username/password authentication based on Active Directory, so the cluster is able to authenticate directly user. My expectation is that in this case AKHQ runs as a pure web interface that use provided credential to connect to the cluster and discover permission and accessible topic. In this way is easy, for us, audit the access to the cluster by user because authentication is performed on the Kafka cluster.
I understand that is a corner case but I think that support this configuration could be possible.

[twobeeb]

Let's break everything 💣 💥

1. No more AKHQ groups
2. Many simple single scope AccessControlEntry

     acls:
     - id: topic-admin-all
       clusters: [ ".*"] # List
       resource: TOPIC # One of TOPIC, GROUP, SUBJECT, CONNECT_CLUSTER, CONNECT_TASK
       patterns: [ ".*" ] # List
       roles: ["READ", "WRITE", "CREATE", "DELETE", "ALTER", "DESCRIBE"]
     - id: connect-tasks-admin-all
       clusters: [ ".*"]
       resource: CONNECT
       connect-clusters: [ ".*" ] #Only used for resource CONNECT 
       patterns: [ ".*" ]
       roles: ["READ", "DEPLOY", "DELETE", "RESTART"]
     - id: topic-project1
       clusters: [ "cluster1"]
       resource: TOPIC
       patterns: [ "project1-.*" ]
       roles: ["WRITE"]
     - id: connect-project1
       clusters: [ "cluster1"]
       resource: CONNECT
       connect-clusters: [ "connect-cluster-1" ] #Only used for resource CONNECT 
       patterns: [ "project1-.*" ]
       roles: ["READ"]

3. Compose ACLs for users or LDAP/OIDC groups

   ldap: # or oauth
     groups:
       - name: LDAP-ADMIN-GROUP
         acls: [ "topic-admin-all", "connect-clusters-all", "connect-tasks-admin-all" ]
       - name: LDAP-READER-PROJECT1
         acls: [ "topic-project1", "connect-clusters-all", "connect-project1" ]
   basic-auth:
     - username: user
       password: d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1
       acls: ["topic-project1", ... ]

4. Unauthenticated users (security disabled)

   security.default-acls: [ "acl1", "acl2", ... ]

5. JWT claim stores a list of ACL

{
"username": "user",
"exp": 123456789,
"iat": 123456789,
"acls": [
    {
      "clusters": [ ".*"],
      "resource": "TOPIC",
      "patterns": [ "project1-.*" ],
      "roles": ["READ", "WRITE"]
    },
    {
      "clusters": [ ".*"],
      "resource": "CONNECT",
      "connect-clusters": [ "connect-cluster-1" ],
      "patterns": [ "project1-.*" ],
      "roles": ["READ", "DEPLOY"]
    },
    {
      "clusters": [ ".*"],
      "resource": "GROUPS",
      "patterns": [ "project1-.*" ],
      "roles": ["READ"]
    }
  ]
}

6. External Claim returns List<AccessControlEntry>

  {
    "clusters": [ ".*"],
    "resource": "TOPIC",
    "patterns": [ "project1-.*" ],
    "roles": ["READ", "WRITE"]
  },
  {
    "clusters": [ ".*"],
    "resource": "CONNECT",
     "connect-clusters": [ "connect-cluster-1" ],
    "patterns": [ "project1-.*" ],
    "roles": ["READ", "DEPLOY"]
  },
  {
    "clusters": [ ".*"],
    "resource": "GROUPS",
    "patterns": [ "project1-.*" ],
    "roles": ["READ"]
  }

7. This makes anything possible
   • User can create or write into topics project1-* but can only read from topics other-*
   • Auditor can view everything but can't modify anything
   • Cluster administrator A can do anything on dev cluster but not prod cluster
   • User/LDAP members can view and create project1-* topics in cluster xyz and only view topics replica_xyz.project1-* on cluster abc

roles are now depending on resource:

Resource	Roles
TOPIC	READ, WRITE, CREATE, DELETE, DESCRIBE_CONFIG, ALTER_CONFIG
GROUP	READ, ALTER (DELETE)
CONNECT	READ, DEPLOY, DELETE, RESTART
SUBJECT	READ, REGISTER, DELETE

In terms of implementation (API side only, I didn't consider UI side):

• remove Micronaut @Secured everywhere
• Every controller calls must go through a new global isUserAllowed(ResourceType resourceType, String resourceName, String action)
  • isUserAllowed(ResourceType.CONNECT, "project1-jdbcsink-table1", "DEPLOY")
  • isUserAllowed(ResourceType.TOPIC, "project1-topic", "READ")
  • ...
• Every listing must go through a matching filter public List<T> filterWithACLs(List<T>, List<AccessControlEntry> acls)

[tchiotludo]

I like the idea overall @twobeeb !
Based on your idea, here is mine :

resource & action :

Resource	Action
TOPIC	READ, CREATE, UPDATE (partition, replication factor), DELETE
TOPIC_CONFIG	READ, UPDATE
TOPIC_DATA	READ, CREATE (no more delete as create can delete with simple null)
NODE	READ
NODE_CONFIG	READ, UPDATE
CONSUMER_GROUP	READ, CREATE, DELETE
CONSUMER_OFFSET	READ, UPDATE, DELETE
REGISTRY_SCHEMA	READ, CREATE, UPDATE, DELETE
CONNECT_CLUSTER	READ
CONNECT_CONFIG	READ, CREATE, UPDATE, DELETE
CONNECT_TASK	READ, UPDATE
ACL	READ, (CREATE, UPDATE, DELETE) when available

permissions

Permissions will be a set of predefined :

  permissions:
    topic-admin: 
      resource: TOPIC
      roles: ["READ", "WRITE", "CREATE", "DELETE"]

bindings

I will keep groups (rename to bindings) to make configuration easy for noob with default bindings : admin, reader, no-permission. Bindings will be a set of permissions of clusters & pattern

  bindings:
    admin: 
      permissions: [ "topic-admin-all"] 
      clusters: [ ".*"] # List
      patterns: [ ".*" ] # List

With this, the default config will provide a full list permissions in order to have a default group working

patterns & clusters behaviour

• if not defined, we allow all
• if defined, we limit only on matching entry by regexp
• patterns will be applied for each resource on different properties (for CONNECT_CONFIG on definition name, for REGISTRY_SCHEMA on schema name, TOPIC / TOPIC_CONFIG / TOPIC_DATA on topic name, ...)
• composition of binding will be used for special connect case, we must have CONNECT_CLUSTER & CONNECT_CONFIG, role READ on the cluster to be able any thing on connect

User bindings

• Compose ACLs for users or LDAP/OIDC groups

auth: 
  ldap: 
    groups:
      - name: LDAP-ADMIN-GROUP:
        bindings: ["admin", "admin-only-dev" ]
      - name: LDAP-READER-PROJECT1:
        bindings: ["reader"]
    users: 
      - name: "[email protected]": 
        bindings: ["reader"]

  header:
    groups: 
      - name: header-admin-group
        bindings: ["reader"]
    users: 
      - name: my-username
        bindings: ["reader"]
        
  oidc:
    groups: 
      - name: oidc-admin-group
        bindings: ["reader"]
    users: 
      - name: my-username
        bindings: ["reader"]
        

  basic-auth:
    - username: user
      password: d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1
      bindings: ["admin", "admin-only-dev" ]

• Unauthenticated users (security disabled)

security.default-bindings: [ "binding1", "binding2", ... ]

What do you think @twobeeb ?

[twobeeb]

It gets even worse because for TOPIC, you want to manage 3 resources : TOPIC, TOPIC_DATA, TOPIC_CONFIG
If you really make permissions mostly static, maybe we can regroup TOPIC related stuff into only one concept and create more roles instead ?

[tchiotludo]

It's possible with TOPIC for example:

• READ
• CREATE
• UPDATE
• DELETE
• CONSUME
• PRODUCE
• READ_CONFIG
• UPDATE_CONFIG

Just the is always the trouble that user can map strange config like : NODE with CONSUME, it's a non sense but people will try 😕

[twobeeb]

If I take this into account, as well as the new rule "one permission per pattern/cluster":

akhq: 
  security: 
    permissions:
      topic-admin: 
        resource: TOPIC
        roles: ["READ", "CREATE", "UPDATE", "DELETE", "CONSUME", "PRODUCE", "READ_CONFIG", "UPDATE_CONFIG"]
      topic-reader:
        resource: TOPIC
        roles: ["READ", "CONSUME", "READ_CONFIG"]
      # Repeat for GROUP, CONNECT, SCHEMAS
    bindings:
      full-admin: 
        - permission: "topic-admin" # Implicit all cluster and  .* patterns
        - permission: "registry-admin" 
        - permission: "connect-admin"
        - permission: "registry-admin"
      project1-reader: # Implicit all clusters
        - permission: "topic-reader"
          patterns: ["project1-.*"]
        - permission: "connect-reader"
          patterns: ["project1-.*"]
        - permission: "group-reader"
          patterns: ["project1-.*", "connect-project1-.*"]
    auth: 
      basic-auth:
        - username: admin
          password: d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1
          bindings: ["full-admin"]
        - username: project1-user
          password: d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1
          bindings: ["project1-reader"]

I'm fine with this if you are.
Important permissions:

• <resource>-admin: all access
• <resource>-reader
• <resource>-writer

[tchiotludo]

I'm almost fine with this, just hope people will understand this 🙏

[twobeeb]

At some point (not necessary today), we will need a detailled explanation for the roles

Topics

Everything is further restricted by clusters and patterns

Role	Meaning
READ	User can list the topics ?
CREATE	User can create topics
UPDATE	???
DELETE	User can delete topics
PRODUCE	User can produce into the topics
CONSUME	User can view topics data
DESCRIBE_CONFIG	User can see topic configs
ALTER_CONFIG	User can alter topic configs

[christofluethi]

Tried to use the External roles and attributes mapping functionality but stumbled across the limitation that only one object of "roles", "topic-filters", ... is usable and not a list as response object. So i'm commenting here.

What we try to achieve:

1. ldap or other mechanism for authentication: gives us username and groups
2. for authorization: mapping username and groups to a set of permissions within AKHQ using an external rest service.

We do have an external service which would be able to map username and groups to kafka like permissions. Using a rest-service like the current akhq.security.rest.url would be great. But the service should be able to return something similar as @twobeeb described with List<AccessControlEntry>

  {
    "clusters": [ ".*"],
    "resource": "TOPIC",
    "patterns": [ "project1-.*" ],
    "roles": ["READ", "WRITE"]
  },
  {
    "clusters": [ ".*"],
    "resource": "CONNECT",
     "connect-clusters": [ "connect-cluster-1" ],
    "patterns": [ "project1-.*" ],
    "roles": ["READ", "DEPLOY"]
  },
  {
    "clusters": [ ".*"],
    "resource": "GROUPS",
    "patterns": [ "project1-.*" ],
    "roles": ["READ"]
  }

From the discussion above I'm not sure if you still plan to provide a way to completely delegate the authorization/permissions to an external service (which is actually what we need). we would prefere to have no definition of permissions/groups/bindings in akhq itself. mainly due to the fact that we need finegrained permissions on resource level (user a should be able to read from topics XY but not from topics Z).

[christofluethi]

first of all: thanks for the work on the new acl system. we would be fine with these changes as it covers our needs.

here are some changes we would prefer:

1. using permissions and bindings: this would need that for every combination of resource and roles a permission has to be defined. I'm currently not aware how many combinations we would actually need - probably 3 to 5 for topic. If you define a new permission you have to alter the external service (as it needs to map to this new permission). The configuration and its meaning "leaks" to the external service. Using the resource and roles directly from the external service would be more flexible and a more dynamic provisioning (given that resource and roles are defined enums which are not expected to change frequently). Would it be possible to allow both variants from the external service (reference bindings or provide resource, roles, patterns and probably also clusters)?

2. this is just cosmetics: if possible i would align the roles from akhq with the ones from the kafka acls. mixing could be somehow misleading (e.g. READ). for topic it would be probably something like this:

Role	Meaning
READ -> DESCRIBE	User can list the topics
CREATE	User can create topics
UPDATE -> ALTER	Change partitions and replication factor
DELETE	User can delete topics
PRODUCE -> WRITE	User can produce into the topics
CONSUME -> READ	User can view topics data
DESCRIBE_CONFIG	User can see topic configs
ALTER_CONFIG	User can alter topic configs

this is only a suggestion and we are not using multiple clusters per akhq (which i understand that it makes the acl design more complex).

[twobeeb]

I originally pushed for this recommendation as well to not use permission but resource+role instead.
I will try to convince you, feel free to not agree.

Consider the permissions to be an abstraction of resource+role.
Also, consider you will not need to define them : they will be provided by AKHQ in standard.
Typically, you will be able to use the following permissions by default (for topic for example) :

• topic-reader ( resource=TOPIC, role = READ+CONSUME )
• topic-writer ( resource=TOPIC, role = READ+CONSUME+WRITE )
• topic-admin ( resource=TOPIC, role = READ+CONSUME+WRITE+...)

Our ambition is to cover 90% of the use cases with permissions that makes sense.

Regarding the roles names and meaning:
I agree completely with you with 2 side notes:

• We need to consider all other resource types (schemas, consumer group, connectors)
• We should never have to work with roles (because permissions)

@tchiotludo what do you think ?

[christofluethi]

fully understand the design and i agree that its probably easier for a lot of people which are using predefined permissions.

my main concern is that you have to define the abstraction in akhq config and then use this one in the external service. therefore you are not completely free in the external service. if you have a new combination which is not covered by an abstraction you have to alter akhq and the external service. permissions that makes sense are not infinite so i think we would be fine with the design.

[christofluethi]

@twobeeb Another short question about this one. Just to be sure i got it right

When the MR is done, your external service would return this kind of response (the json equivalent of this):

- permission: "topic-reader"
  patterns: ["project1-.*"]
- permission: "connect-reader"
  patterns: ["project1-.*"]
- permission: "group-reader"
  patterns: ["project1-.*", "connect-project1-.*"]

According to ClaimResponse.java the external Service returns a List<Binding>. Therefore there external service is allowed to return the following (including clusters)

- permission: "topic-reader"
  patterns: ["project1-.*"]
  clusters: ["dev"]

I was unsure how to reference the cluster but after reading ClaimResponse.java i think it is how i described above. could you please confirm?

[twobeeb]

I confirm, patterns and clusters are optional, with default value .*

[ebrard]

We also have what I think is an interesting use case: when a topic is created, the topic owner (the team) get full ownership of that topics will all rights, other teams (users) can only view the topic name and its configurations/parameters. As of now because the user who created the topic is not tracked nor persisted/sent to another backend, we cannot use akhq for that flow (we use it for everything else though), but if we could I would love to get rid of our internal tooling.

[ebrard]

@tchiotludo any update on this?

[tchiotludo]

@ebrard : no news as I know

• @twobeeb started something and he will not finished this one
• I don't have any time to work on this bug one soon

Sorry ... Feel free to take it 🙏

[ebrard]

Ok I see that the claims and in particular the topic/cg... regexes are used in the the authorization response, in the attributes. These are then use here and there in the code to filter the list of things visible and actable on.

I would rather introduce a RBAC module that authorises or denies any possible action. This would also mean that an external service could authorize it as well instead of akhq itself.

It's a little bit more work but this will make RBAC as precise as needed (to the specific topic rule for example, instead of a match).

WDYT?

[tchiotludo]

So you have some design implementation to share?
Maybe some json object example?

[ebrard]

Actually I read again what @twobeeb described and this is very close the only different is the level, instead of just a pattern I would introduce a pattern and/or exact matches (so just like the kafka ACL really), and instead of calling an external service to get the claims, I would just make the external service send the auth ok or deny directly. Ofc, as mentioned by twobeed for listing controller the answer will be used to discard objects (topics, consumer groups...) from the list.

All in all Kafka ACL themselves would be a good basis, we would only need an "extension" for schema management.

So the idea, someone identified as user1 tries to create a topic, the controller generate a ACL "claim":

{
	"operation": "create",
	"resource_type": "topic",
	"resource_name": "topicA",
	"pattern_type": "LITERAL",
	"principal": "User:userA"
}

The implementation or external service checks against the pre-defined rules (again exact match and pattern) and answer true or false, or eventually return the matching ACL.

Yes it can be a bit heavy to have to define all the necessary rules (or get them computed by an external service) but at least we are as fine grained as Kafka itself.

As a matter of fact a possible implementation of the "RBAC" interface, could be to check against kafka acl themselves (at least for non schema things) which means we get closer to what @angeloxx mentioned (user management would still need to be in akhq and we would either need a mapping or a pass through, I think).

I also like the idea to re-use the kafka acl concept itself because ppl are getting familiar with it now.

[ebrard]

We currently do something similar in our own tooling, except that the permission is at the "owner" scope (if you own a topic, you get full permissions, otherwise you can just see that it exists and see some of the topic configuration):

    var isAuthorized = rbacService.authorize(user, topic.get());

    if (!isAuthorized) {
      return new ResponseEntity<>(
          new DeleteTopicResponse(topicName, true, "Delete operation denied"),
          HttpStatus.UNAUTHORIZED);
    }

We use Spring.

[tchiotludo]

as discussed with @AlexisSouquiere, new design:

  roles:
    custom-role: 
      - resources: ["TOPIC", "TOPIC_DATA"]
        actions: ["READ", "WRITE", "CREATE", "DELETE"]
      - resources: ["GROUPS"]
        actions: ["READ"]

    groups:
      full-admin: 
        - role: "admin" # Implicit all cluster and  .* patterns
        - role: "registry-admin" 
        - role: "connect-admin"
        - role: "registry-admin"
      project1-reader: # Implicit all clusters
        - role: "topic-reader"
          patterns: ["project1-.*"]
        - role: "connect-reader"
          cluster: ["dev-.*"]
          patterns: ["project1-.*"]
        - role: "group-reader"
          patterns: ["project1-.*", "connect-project1-.*"]

    auth: 
      basic-auth:
        - username: admin
          password: d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1
          groups: ["full-admin"]
        - username: project1-user
          password: d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1
          groups: ["project1-reader"]

[AlexisSouquiere]

For those you want to follow, the draft PR is here #1472