RBAC Authorization Issue with OAuth Provider and Role-Based Access Control

[STGIT111]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running main-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I am encountering an unexpected behavior in my implementation of Role-Based Access Control (RBAC) using the OAuth provider. Specifically, I am unable to successfully authorize access based on the role type within the subjects configuration of my RBAC policies.

According to the official documentation for the OAuth provider, two subject types are supported for retrieving authentication information: user and role. When I configure an RBAC policy utilizing the user type, access control functions as expected, allowing or denying access based on the provided user value. However, when I attempt to employ the role type to authorize access based on assigned roles retrieved via OAuth, the authorization process fails. No access is granted, even when the associated user is confirmed to possess the specified role. This discrepancy suggests a potential issue with the interpretation or handling of the role subject type within the OAuth integration.

Simplified Configuration Example:

The following configurations demonstrate the observed behavior:

Working Configuration (User-Based Authorization):

subjects:

• provider: oauth
  type: user
  value: "Trump"

Non-Working Configuration (Role-Based Authorization):

subjects:

• provider: oauth
  type: role
  value: "kafka-admins"

The OAuth provider is correctly configured and functioning, successfully retrieving user information.
The user in question is definitively assigned the role “kafka-admins” via the OAuth provider’s role assignment mechanism. This is verified through logging and independent testing of the OAuth configuration.
No errors are reported in logs that indicate a failure during the evaluation of the RBAC policy itself, suggesting the failure occurs prior to the authorization check.

Expected behavior

The expected behavior is for the system to authorize access when a user, authenticated via OAuth, is assigned the role specified in the value field for the role subject type within the RBAC configuration. The current behavior deviates significantly from this expectation. I am requesting assistance in understanding the root cause of this issue and guidance on how to resolve it. I suspect an issue with the RBAC policy evaluation when type: role is used with the OAuth provider.

Your installation details

  1. version: 1.1.0
  2.  version: 1.4.11
  3.  yamlApplicationConfig:
  kafka:
    clusters:
    - name: ft
      bootstrapServers: ft20-kafka-01.test:9092

  auth:
    type: OAUTH2
    oauth2:
      client:
        keycloak:
          clientId: kafka-ui-id
          clientSecret: KAFKA_UI_CLIENT_SECRET
          scope: openid
          issuer-uri: 
          user-name-attribute: preferred_username
          client-name: keycloak
          provider: keycloak
          custom-params:
            type: oauth
            roles-field: roles
  rbac:
    roles:
      - name: "readonly"
        clusters:
          - ft
          - dev
        subjects:
          - provider: oauth
            type: role
            value: "kafka-users"

        permissions:
          - resource: clusterconfig
            actions: [ "view" ]

          - resource: topic
            value: ".*"
            actions:
              - VIEW
              - MESSAGES_READ
              - ANALYSIS_VIEW

          - resource: consumer
            value: ".*"
            actions: [ view ]

          - resource: schema
            value: ".*"
            actions: [ view ]

          - resource: connect
            value: ".*"
            actions: [ view ]

          - resource: acl
            actions: [ view ]

      - name: "admins"
        clusters:
          - ".*"
        subjects:
          - provider: oauth
            type: role
            value: "kafka-admins"

        permissions:
          - resource: applicationconfig
            actions: all

          - resource: clusterconfig
            actions: all

          - resource: topic
            value: ".*"
            actions: all

          - resource: consumer
            value: ".*"
            actions: all

          - resource: schema
            value: ".*"
            actions: all

          - resource: connect
            value: ".*"
            actions: all

          - resource: ksql
            actions: all

          - resource: acl
            actions: [ view ]

Steps to reproduce

I am encountering an unexpected behavior in my implementation of Role-Based Access Control (RBAC) using the OAuth provider. Specifically, I am unable to successfully authorize access based on the role type within the subjects configuration of my RBAC policies.

Working Configuration (User-Based Authorization):

subjects:

• provider: oauth
  type: user
  value: "Trump"

Non-Working Configuration (Role-Based Authorization):

subjects:

• provider: oauth
  type: role
  value: "kafka-admins"

Screenshots

No response

Logs

No response

Additional context

No response

[github-actions]

Hi STGIT111! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

[fallen-up]

change
roles-field: roles
to
roles-field: realm_roles

[STGIT111]

@fallen-up
I changed it, but it hadn't fixed the problem.
roles-field: roles - > roles-field: realm_roles

it's from keyclock

"kafka-ui-id": {
"roles": [
"kafka-admins",
"restricted-access",
"kafka-users"
]

[STGIT111]

roles-field: groups

It works!

[exlosir]

I have a similar problem with role mapping, but my role is in realm_access.roles
specifying roles-field: realm_access.groups doesn't help
Can you tell me how to properly configure role access?

[Haarolean]

I have a similar problem with role mapping, but my role is in realm_access.roles
specifying roles-field: realm_access.groups doesn't help
Can you tell me how to properly configure role access?

Inner fields won't work for now. You need a custom mapper to make the field top level.

[exlosir]

I have a similar problem with role mapping, but my role is in realm_access.roles
specifying roles-field: realm_access.groups doesn't help
Can you tell me how to properly configure role access?

Inner fields won't work for now. You need a custom mapper to make the field top level.

Thank you! Are there any plans to add support for arbitrarily specifying a path to the list of roles/groups?