Azure SSO and RBAC and Helm

[dimashenkov]

Im trying this configuration for RBAC and Azure but its not working , I can login with admin role but cant see my cluster in the UI. Is this the right way ?

yamlApplicationConfig:
   auth:
      type: OAUTH2
      oauth2:
        client:
          azure:
            provider: azure
            clientId: 2******
            clientSecret: *******
            scope: "openid"
            clientName: "azure"
            redirect-uri: https://kafka-ui.dev.product.frankfurt.bla.cloud/login/oauth2/code/azure
            issuerUri: "https://login.microsoftonline.com/707*******/v2.0"
            user-name-attribute: name
            custom-params:
              type: oauth #must be 'oauth'
              roles-field: roles # roles claim contains all granted roles for a user
    
  rbac:
    roles:
      - name: "admin"
        clusters:
          - kafka-cluster-dev
        subjects:
          - provider: oauth  # Added your Azure provider
            type: user
            value: "[email protected]"  # Your email as admin        
          - provider: oauth  # Added your Azure provider
            type: user
            value: "[email protected]"  # Your email as admin
        permissions:
          - resource: clusterconfig
            actions: all
          - resource: topic
            value: ".*"
            actions: [ "view", "create", "edit", "delete", "messages_produce" ]
          - resource: consumer
            value: ".*"
            actions: all
          - resource: schema
            value: ".*"
            actions: all
          - resource: connect
            value: ".*"
            actions: all
          - resource: ksql
            actions: all
      - name: "readonly"
        clusters:
          - kafka-cluster-dev
        subjects:
          - provider: oauth
            type: domain
            value: "bla.org"
        permissions:
          - resource: clusterconfig
            actions: [ "view" ]
          - resource: topic
            value: ".*"
            actions: [ "view" ]
          - resource: consumer
            value: ".*"
            actions: [ "view" ]
          - resource: schema
            value: ".*"
            actions: [ "view" ]
          - resource: connect
            value: ".*"
            actions: [ "view" ] 

[Haarolean]

Hi, yes, your config looks valid. The issue might be that the field you're looking for (roles) is either missing in your token or is empty.

You can debug this like that:

1. Add the following logging level:

yamlApplicationConfig:
  logging:
    level:
      io.kafbat.ui.service.rbac.extractor: TRACE

2. Restart the app, autenticate and grep logs for OauthAuthorityExtractor, this should help.

Let me know how it goes.

[dimashenkov]

2024-04-15 15:16:09,417 WARN [boundedElastic-2] o.s.b.a.l.LdapHealthIndicator: LDAP health check failed
Caused by: javax.naming.CommunicationException: localhost:389

Readiness probe failed: Get "http://10.2.47.233:8080/actuator/health": dial tcp 10.2.47.233:8080: connect: connection refused

[Haarolean]

it's a warn, you can ignore that.

[dimashenkov]

Readiness probe failed is the problem , my chart cant start with this image

[Haarolean]

please disable the probes for now as this is a demo image

[dimashenkov]

Yes I see that, looks like the user doesnt have attached role .

2024-04-16 06:26:04,412 TRACE [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Extracting OAuth2 user authorities
2024-04-16 06:26:04,412 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Principal name is: [Smit Sth]matches [Smit Sth]? [false]
2024-04-16 06:26:04,413 TRACE [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: [[email protected]] matches [SMit Sth]? [false]
2024-04-16 06:26:04,413 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Matched roles by username: []
2024-04-16 06:26:04,413 WARN  [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Param missing in attributes, nothing to do
2024-04-16 06:26:04,413 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Principal [Smit Sth] doesn't have any roles, nothing to do

[dimashenkov]

Hi, yes, your config looks valid. The issue might be that the field you're looking for (roles) is either missing in your token or is empty.

You can debug this like that:

1. Add the following logging level:

yamlApplicationConfig:
  logging:
    level:
      io.kafbat.ui.service.rbac.extractor: TRACE

2. Restart the app, autenticate and grep logs for OauthAuthorityExtractor, this should help.

Let me know how it goes.

nothing new comes up in the logs :( after this change

[Haarolean]

My config now:

Corresponding logs:

In Principal name I have removed my email id, just kept the username in the screenshot though I have used this

user-name-attribute: email

It's type: role, not "roles"

[prashanthm10]

Thank you that works.

[prashanthm10]

Also please let us know when it's merged to main so that we can use the versioned tag. Thank you once again.

[prashanthm10]

@Haarolean when will "test_oauth" go into production. I am using helm charts to deploy this so waiting for the latest version of that.

[Haarolean]

@prashanthm10 it's available in "main"-tagged image

[Haarolean]

@dimashenkov

Based on logs from #290 (reply in thread):

"Principal name" in log is the value of the field user-name-attribute. We use that value to match the subjects in RBAC.

This obviously doesn't work, as your email is not equal to your name.

I suggest either changing user-name-attribute to email field or specifying the username instead of email in RBAC config.

Please consider sponsoring our activities (link) if you appreciate the provided support.

[fedeostrit]

hi @Haarolean, I have authentication errors with OAuth and Azure, I enabled logging but I don't see anything in the authentication logs.

    logging:
      level:
        root: INFO
        io.kafbat.ui: DEBUG
        io.kafbat.ui.service.rbac.extractor: DEBUG
        reactor.netty.http.server.AccessLog: DEBUG
        org.hibernate.validator: WARN

my config:

auth:
     type: OAUTH2
     oauth2:
       client:
         azure:
           client-name: azure
           clientId: xxxxxxxx
           clientSecret: xxxxxx
           issuer-uri: https://login.microsoftonline.com/xxxxx/v2.0
           jwk-set-uri: https://login.microsoftonline.com/xxxxx/discovery/v2.0/keys
           provider: azure
           scope: openid
           user-name-attribute: name
           custom-params:
             type: oauth
             roles-field: roles