feat(acls): introduce new ACL rewrite (#1472)

tchiotludo · Jun 26, 2023 · 4359e54 · 4359e54
1 parent 1172470
commit 4359e54
Show file tree

Hide file tree

Showing 104 changed files with 1,637 additions and 1,342 deletions.
diff --git a/application.example.yml b/application.example.yml
@@ -186,75 +186,86 @@ akhq:
 
   # Auth & Roles (optional)
   security:
+    roles:
+      topic-read:
+        - resources: [ "TOPIC", "TOPIC_DATA" ]
+          actions: [ "READ" ]
+        - resources: [ "TOPIC" ]
+          actions: [ "READ_CONFIG" ]
+      topic-admin:
+        - resources: [ "TOPIC", "TOPIC_DATA" ]
+          actions: [ "READ", "CREATE", "DELETE" ]
+        - resources: [ "TOPIC" ]
+          actions: [ "UPDATE", "READ_CONFIG", "ALTER_CONFIG" ]
+      connect-rw:
+        - resources: [ "CONNECTOR" ]
+          actions: [ "READ", "CREATE", "UPDATE_STATE" ]
+      connect-admin:
+        - resources: [ "CONNECTOR" ]
+          actions: [ "READ", "CREATE", "UPDATE_STATE", "DELETE" ]
+      registry-read:
+        - resources: [ "SCHEMA" ]
+          actions: [ "READ" ]
+      registry-admin:
+        - resources: [ "SCHEMA" ]
+          actions: [ "READ", "CREATE", "UPDATE", "DELETE", "DELETE_VERSION" ]
+      group-read:
+        - resources: [ "CONSUMER_GROUP" ]
+          actions: [ "READ" ]
+      connect-cluster-read:
+        - resources: [ "CONNECT_CLUSTER" ]
+          actions: [ "READ" ]
+      ksqldb-admin:
+        - resources: [ "KSQLDB" ]
+          actions: [ "READ", "EXECUTE" ]
+
     default-group: admin # Default groups for all the user even unlogged user
     # Groups definition
     groups:
-      admin: # unique key
-        name: admin # Group name
-        roles:  # roles for the group
-          - topic/read
-          - topic/insert
-          - topic/delete
-          - topic/config/update
-          - node/read
-          - node/config/update
-          - topic/data/read
-          - topic/data/insert
-          - topic/data/delete
-          - group/read
-          - group/delete
-          - group/offsets/update
-          - registry/read
-          - registry/insert
-          - registry/update
-          - registry/delete
-          - registry/version/delete
-          - acls/read
-          - connect/read
-          - connect/insert
-          - connect/update
-          - connect/delete
-          - connect/state/update
-        attributes:
-          # Regexp list to filter topic available for group
-          topics-filter-regexp:
-            - "test.*"
-          # Regexp list to filter connect configs visible for group
-          connects-filter-regexp:
-            - "^test.*$"
-          # Regexp list to filter consumer groups visible for group
-          consumer-groups-filter-regexp:
-            - "consumer.*"
-      topic-reader: # unique key
-        name: topic-reader # Other group
-        roles:
-          - topic/read
-        attributes:
-          topics-filter-regexp:
-            - "test\\.reader.*"
+      admin:
+        - role: topic-admin
+        - role: connect-admin
+        - role: registry-admin
+        - role: group-read
+        - role: connect-cluster-read
+        - role: ksqldb-admin
+      topic-reader:
+        - role: topic-read
+        - role: registry-admin
+      topic-reader-dev:
+        - role: topic-read
+          clusters: ["dev"]
+        - role: registry-admin
+          clusters: ["dev"]
+      topic-reader-project-prod:
+        - role: topic-read
+          patterns: ["project.*"]
+          clusters: ["prod.*"]
+        - role: registry-admin
+          patterns: ["project.*"]
+          clusters: ["prod.*"]
 
     # Basic auth configuration
     basic-auth:
       - username: user # Username
         password: pass # Password in sha256
         groups: # Groups for the user
           - admin
-          - topic-reader
 
     # Ldap Groups configuration (when using ldap)
     ldap:
       default-group: topic-reader
       groups:
         - name: group-ldap-1
           groups: # Akhq groups list
-            - topic-reader
+            - topic-reader-dev
         - name: group-ldap-2
           groups:
             - admin
       users:
         - username: riemann # ldap user id
           groups: # Akhq groups list
-            - topic-reader
+            - topic-reader-project-prod
         - username: einstein
           groups:
             - admin

diff --git a/client/package-lock.json b/client/package-lock.json
diff --git a/client/package.json b/client/package.json
@@ -15,6 +15,7 @@
     "bootstrap": "^4.6.1",
     "convert-units": "^2.3.4",
     "css-loader": "^3.4.1",
+    "event-source-polyfill": "^1.0.31",
     "font-awesome": "^4.7.0",
     "joi-validation": "^2.0.0",
     "lodash": "^4.17.21",

diff --git a/client/src/components/Root/Root.jsx b/client/src/components/Root/Root.jsx
@@ -27,16 +27,28 @@ class Root extends Component {
   }
 
   getApi(url) {
-    return get(url, { cancelToken: this.cancel.token });
+    return get(url, this.buildConfig());
   }
   postApi(url, body) {
-    return post(url, body, { cancelToken: this.cancel.token });
+    return post(url, body, this.buildConfig());
   }
   putApi(url, body) {
-    return put(url, body, { cancelToken: this.cancel.token });
+    return put(url, body, this.buildConfig());
   }
   removeApi(url, body) {
-    return remove(url, body, { cancelToken: this.cancel.token });
+    return remove(url, body, this.buildConfig());
+  }
+
+  buildConfig() {
+    let config = new Map();
+    config.cancelToken = this.cancel.token;
+
+    if (sessionStorage.getItem('jwtToken')) {
+      config.headers = {};
+      config.headers['Authorization'] = 'Bearer ' + sessionStorage.getItem('jwtToken');
+    }
+
+    return config;
   }
 }
 

diff --git a/client/src/containers/Connect/ConnectDetail/ConnectConfigs/ConnectConfigs.jsx b/client/src/containers/Connect/ConnectDetail/ConnectConfigs/ConnectConfigs.jsx
@@ -189,7 +189,7 @@ class ConnectConfigs extends Form {
             disabled={
               plugin.name === 'name' ||
               plugin.name === 'connector.class' ||
-              !(roles.connect && roles.connect['connect/update'])
+              !(roles.CONNECT && roles.CONNECT.includes('UPDATE'))
             }
             placeholder={plugin.defaultValue > 0 ? plugin.defaultValue : ''}
             onChange={({ currentTarget: input }) => {
@@ -332,7 +332,7 @@ class ConnectConfigs extends Form {
                   <tbody>{display}</tbody>
                 </table>
               </div>
-              {roles.connect && roles.connect['connect/update'] && (
+              {roles.CONNECT && roles.CONNECT.include('UPDATE') && (
                 <div style={{ left: 0, width: '100%' }} className="khq-submit">
                   <button
                     type={'submit'}

diff --git a/client/src/containers/Connect/ConnectDetail/ConnectTasks/ConnectTasks.jsx b/client/src/containers/Connect/ConnectDetail/ConnectTasks/ConnectTasks.jsx
@@ -246,14 +246,14 @@ class ConnectTasks extends Root {
               this.setState({ tableData: data });
             }}
             actions={
-              roles.connect && roles.connect['connect/state/update'] && [constants.TABLE_RESTART]
+              roles.CONNECT && roles.CONNECT.includes('UPDATE_STATE') && [constants.TABLE_RESTART]
             }
             onRestart={row => {
               this.handleAction(this.definitionState.RESTART_TASK, row.id);
             }}
           />
         </div>
-        {roles.connect && roles.connect['connect/state/update'] && (
+        {roles.CONNECT && roles.CONNECT.includes('UPDATE_STATE') && (
           <aside>
             {definition.paused ? (
               <li className="aside-button">

diff --git a/client/src/containers/Connect/ConnectList/ConnectList.jsx b/client/src/containers/Connect/ConnectList/ConnectList.jsx
@@ -137,10 +137,10 @@ class ConnectList extends Root {
     const roles = this.state.roles || {};
     let actions = [];
 
-    if (roles.connect && roles.connect['connect/read']) {
+    if (roles.CONNECT && roles.CONNECT.includes('READ')) {
       actions.push(constants.TABLE_DETAILS);
     }
-    if (roles.connect && roles.connect['connect/delete']) {
+    if (roles.CONNECT && roles.CONNECT.includes('DELETE')) {
       actions.push(constants.TABLE_DELETE);
     }
 
@@ -356,7 +356,7 @@ class ConnectList extends Root {
           }}
           noContent={'No connectors available'}
         />
-        {roles.connect && roles.connect['connect/insert'] && (
+        {roles.CONNECT && roles.CONNECT.includes('CREATE') && (
           <aside>
             <Link to={`/ui/${clusterId}/connect/${connectId}/create`} className="btn btn-primary">
               Create a definition

diff --git a/client/src/containers/ConsumerGroup/ConsumerGroupDetail/ConsumerGroup.jsx b/client/src/containers/ConsumerGroup/ConsumerGroupDetail/ConsumerGroup.jsx
@@ -113,7 +113,7 @@ class ConsumerGroup extends Component {
                 Members
               </Link>
             </li>
-            {roles.acls && roles.acls['acls/read'] && (
+            {roles.ACL && roles.ACL.includes('READ') && (
               <li className="nav-item">
                 <Link
                   to={`/ui/${clusterId}/group/${consumerGroupId}/acls`}
@@ -132,19 +132,20 @@ class ConsumerGroup extends Component {
           </div>
         </div>
 
-        {roles.group &&
-          (roles.group['group/offsets/delete'] || roles.group['group/offsets/update']) && (
+        {roles.CONSUMER_GROUP &&
+          (roles.CONSUMER_GROUP.includes('DELETE_OFFSET') ||
+            roles.CONSUMER_GROUP.includes('UPDATE_OFFSET')) && (
             <aside>
               <li className="aside-button">
-                {roles.group['group/offsets/delete'] && (
+                {roles.CONSUMER_GROUP.includes('DELETE_OFFSET') && (
                   <Link
                     to={`/ui/${clusterId}/group/${consumerGroupId}/offsetsdelete`}
                     className="btn btn-secondary mr-2"
                   >
                     Delete Offsets
                   </Link>
                 )}
-                {roles.group['group/offsets/update'] && (
+                {roles.CONSUMER_GROUP.includes('UPDATE_OFFSET') && (
                   <Link
                     to={`/ui/${clusterId}/group/${consumerGroupId}/offsets`}
                     className="btn btn-primary"

diff --git a/client/src/containers/ConsumerGroup/ConsumerGroupList/ConsumerGroupList.jsx b/client/src/containers/ConsumerGroup/ConsumerGroupList/ConsumerGroupList.jsx
@@ -248,7 +248,7 @@ class ConsumerGroupList extends Root {
           }}
           onDetails={id => `/ui/${selectedCluster}/group/${encodeURIComponent(id)}`}
           actions={
-            roles.group && roles.group['group/delete']
+            roles.CONSUMER_GROUP && roles.CONSUMER_GROUP.includes('DELETE')
               ? [constants.TABLE_DELETE, constants.TABLE_DETAILS]
               : [constants.TABLE_DETAILS]
           }

diff --git a/client/src/containers/Header/Header.jsx b/client/src/containers/Header/Header.jsx
@@ -39,6 +39,7 @@ class Header extends Root {
       sessionStorage.setItem('login', currentUserData.logged);
       sessionStorage.setItem('user', 'default');
       sessionStorage.setItem('roles', organizeRoles(currentUserData.roles));
+      sessionStorage.removeItem('jwtToken');
       this.setState({ login: currentUserData.logged }, () => {
         this.props.history.replace({
           pathname: '/ui/login',

diff --git a/client/src/containers/KsqlDB/KsqlDBList/KsqlDBList.jsx b/client/src/containers/KsqlDB/KsqlDBList/KsqlDBList.jsx
@@ -107,7 +107,7 @@ class KsqlDBList extends Component {
             </div>
           </div>
         </div>
-        {roles && roles.ksqldb && roles.ksqldb['ksqldb/execute'] && (
+        {roles && roles.KSQDLDB && roles.KSQLDB.includes('EXECUTE') && (
           <aside>
             <li className="aside-button">
               <Link

diff --git a/client/src/containers/Login/Login.jsx b/client/src/containers/Login/Login.jsx
@@ -38,8 +38,18 @@ class Login extends Form {
         password: formData.password
       };
 
-      login(uriLogin(), body).then(() => {
-        this.getData();
+      login(uriLogin(), body).then(res => {
+        if (res.body) {
+          res.json().then(r => {
+            // Support JWT authentication through access_token
+            if (r.access_token) {
+              sessionStorage.setItem('jwtToken', r.access_token);
+              this.getData();
+            }
+          });
+        } else {
+          this.getData();
+        }
       });
     } catch (err) {
       toast.error('Wrong Username or Password!');

diff --git a/client/src/containers/Node/NodeDetail/NodeConfigs/NodeConfigs.jsx b/client/src/containers/Node/NodeDetail/NodeConfigs/NodeConfigs.jsx
@@ -269,7 +269,7 @@ class NodeConfigs extends Form {
               this.setState({ data });
             }}
           />
-          {roles.node['node/config/update'] &&
+          {roles.NODE.includes('ALTER_CONFIG') &&
             this.renderButton('Update configs', this.handleSubmit, undefined, 'submit')}
         </div>
       </form>

diff --git a/client/src/containers/Schema/SchemaDetail/Schema.jsx b/client/src/containers/Schema/SchemaDetail/Schema.jsx
@@ -40,7 +40,7 @@ class Schema extends Root {
     const { clusterId, schemaId, roles } = this.state;
     let tabSelected = getSelectedTab(this.props, this.tabs);
 
-    if (!roles.registry['registry/update'] && tabSelected === 'update') {
+    if (!roles.SCHEMA.includes('UPDATE') && tabSelected === 'update') {
       tabSelected = 'versions';
     }
 
@@ -108,7 +108,7 @@ class Schema extends Root {
         <Header title={`Schema: ${decodeURIComponent(schemaId)}`} history={this.props.history} />
         <div className="tabs-container">
           <ul className="nav nav-tabs" role="tablist">
-            {roles.registry['registry/update'] && (
+            {roles.SCHEMA.includes('UPDATE') && (
               <li className="nav-item">
                 <Link
                   to={`/ui/${clusterId}/schema/details/${schemaId}/update`}

diff --git a/client/src/containers/Schema/SchemaDetail/SchemaUpdate/SchemaUpdate.jsx b/client/src/containers/Schema/SchemaDetail/SchemaUpdate/SchemaUpdate.jsx
@@ -148,7 +148,7 @@ class SchemaUpdate extends Form {
             },
             'col-sm-10'
           )}
-          {roles.registry['registry/update'] &&
+          {roles.SCHEMA.includes('UPDATE') &&
             this.renderButton('Update', undefined, undefined, 'submit')}
         </fieldset>
       </form>

diff --git a/client/src/containers/Schema/SchemaDetail/SchemaVersions/SchemaVersions.jsx b/client/src/containers/Schema/SchemaDetail/SchemaVersions/SchemaVersions.jsx
@@ -164,9 +164,7 @@ class SchemaVersions extends Root {
             this.handleOnDelete(schema);
           }}
           actions={
-            roles.registry && roles.registry['registry/version/delete']
-              ? [constants.TABLE_DELETE]
-              : []
+            roles.SCHEMA && roles.SCHEMA.includes('DELETE_VERSION') ? [constants.TABLE_DELETE] : []
           }
           extraRow
           noStripes

diff --git a/client/src/containers/Schema/SchemaList/SchemaList.jsx b/client/src/containers/Schema/SchemaList/SchemaList.jsx
@@ -267,7 +267,7 @@ class SchemaList extends Root {
             return `/ui/${selectedCluster}/schema/details/${encodeURIComponent(subject)}`;
           }}
           actions={
-            roles.registry && roles.registry['registry/delete']
+            roles.SCHEMA && roles.SCHEMA.includes('DELETE')
               ? [constants.TABLE_DELETE, constants.TABLE_DETAILS]
               : [constants.TABLE_DETAILS]
           }
@@ -297,7 +297,7 @@ class SchemaList extends Root {
           }}
           noContent={'No schemas available'}
         />
-        {roles.registry && roles.registry['registry/insert'] && (
+        {roles.SCHEMA && roles.SCHEMA.includes('CREATE') && (
           <aside>
             <Link
               to={{