Connect: RBAC won't Filter By Connector Name #4253

Open
4 tasks done
schaubce opened this issue Sep 20, 2023 · 5 comments
Labels
status/triage Issues pending maintainers triage type/bug Something isn't working

Comments

@schaubce

schaubce commented Sep 20, 2023

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running master-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

We have the following configuration (I have removed other resources topic/cluster/etc. for simplicity)

  - name: <adGroupName>
    clusters:
    - <cluster1>
    - <cluster2>
    subjects: []
    permissions:
    - resource: connect
      value: ibm-mq-src--mqconnector--v1
      actions:
      - VIEW
      - RESTART
      - EDIT

When we refresh configs within Kafka-UI, no connectors are shown. If there is no specific filter (.*), it works appropriately, and shows all connectors.
[Screenshot]

Expected behavior

Similar to the topics configuration (which we have working), we'd expect to be able to use regex to filter out different connector names to limit who can view specific connectors. We did see this update in the documentation, but are unsure if it is related, as the other config examples show it should work with regex:

- resource: connect
  value: "local"
  actions: [ view, edit, create ]
# connectors selector not implemented yet, use connects
#      selector:
#        connector:
#          name: ".*"
#          class: 'com.provectus.connectorName'

vs

- resource: connect
  value: ".*"
  actions: [ view ]

Your installation details

Hash: 56fa824 (Version 0.7.1)

Steps to reproduce

Can use normal set up for topics, cluster etc. Just need to limit the connect resource "value" to a single connector.

  - name: <adGroupName>
    clusters:
    - <cluster1>
    - <cluster2>
    subjects: []
    permissions: 
    - resource: connect
      value: ibm-mq-src--mqconnector--v1
      actions:
      - VIEW
      - RESTART
      - EDIT

Screenshots

No response

Logs

No response

Additional context

  • We have tested different connector types to see if that impacted anything
  • We have tested different connector name regex: full name, prefix
@schaubce schaubce added status/triage Issues pending maintainers triage type/bug Something isn't working labels Sep 20, 2023

@tufank

tufank commented Feb 1, 2024

Hello,

We are also having the same issue, and we are not sure what 'use connects' means in the comment 'selector not implemented yet...', which also makes the meaning of 'value' in 'resource: connect' ambiguous.

Is there currently a way or a workaround to be able to define a regex for connector names? Or any documentation that makes it more clear how to use 'resource: connector' when we want to limit access to connectors?

Thanks in advance for any help.

@Haarolean
Contributor

Just to clarify this for everyone here,

there are two things you have: connects (kafka-connect node) and connectors (data apps for KC within a connect).

With a setup like this:

kafka:
  clusters:
    - name: local
      # ...
      kafkaConnect:
        - name: first
          address: http://localhost:8083
        - name: second
          address: http://localhost:8084

You would see something like this:
[Screenshot]

And if you limit the access with RBAC allowing only "first" connect access it would look like this:
[Screenshot]

So this works as intended. And the commented-out part of the config suggests that limiting access to specific connectors within a connect is not currently implemented, so, you have to limit the access to the whole connect.

@tufank

tufank commented Feb 1, 2024

Thank you, I appreciate the clarification. It is now clear that the 'value' field of the 'resource: connect' entry in RBAC definitions corresponds to the name fields of clusters.kafkaConnect entries, and currently it is not possible to limit permissions by the name or regex of the connectors defined within the Connect cluster itself.

@Haarolean
Contributor

@tufank yeah, that's right. If you're looking for such a feature, I invite you to raise an issue here: https://github.com/kafbat/kafka-ui as this repo is not maintained anymore (#4255)
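
A configuration check for the behaviour clarified in this thread, as an added example that is not part of the original issue or of the kafka-ui code base: it compares each `resource: connect` value against the configured `kafkaConnect` names and flags rules that match nothing (the symptom reported above) or that match every connect. It assumes `value` is a regex that must match the whole connect name; the role names and the dict layout are hypothetical, and the sample data is constructed from the configs quoted on this page.

```python
import re

# Constructed sample mirroring the configs quoted in this thread.
# kafka.clusters[].name -> kafka.clusters[].kafkaConnect[].name
CLUSTERS = {"local": ["first", "second"]}

# Hypothetical role names; the 'value' strings are the ones shown on this page.
ROLES = [
    {"name": "mq-team", "clusters": ["local"], "permissions": [
        {"resource": "connect", "value": "ibm-mq-src--mqconnector--v1",
         "actions": ["VIEW", "RESTART", "EDIT"]}]},
    {"name": "first-only", "clusters": ["local"], "permissions": [
        {"resource": "connect", "value": "first", "actions": ["VIEW"]}]},
    {"name": "viewers", "clusters": ["local"], "permissions": [
        {"resource": "connect", "value": ".*", "actions": ["VIEW"]}]},
]


def audit_connect_rules(roles, clusters):
    """Classify every 'connect' permission by what it matches.

    Assumption: 'value' is a regex that must match a whole connect name.
    Returns (role, value, verdict, matched connect names) tuples.
    """
    findings = []
    for role in roles:
        # Connect names the role could reach through its listed clusters.
        scope = [n for c in role["clusters"] for n in clusters.get(c, [])]
        for perm in role["permissions"]:
            if perm["resource"].lower() != "connect":
                continue
            try:
                hits = [n for n in scope if re.fullmatch(perm["value"], n)]
            except re.error:
                findings.append((role["name"], perm["value"], "invalid", []))
                continue
            if not hits:
                verdict = "dead"    # matches no connect: nothing is shown
            elif len(hits) == len(scope) and len(scope) > 1:
                verdict = "broad"   # every connect, and all connectors in each
            else:
                verdict = "scoped"  # whole-connect access; no per-connector filter
            findings.append((role["name"], perm["value"], verdict, hits))
    return findings


if __name__ == "__main__":
    for finding in audit_connect_rules(ROLES, CLUSTERS):
        print(finding)
```

A "scoped" verdict still grants the listed actions on every connector inside the matched connect, since per-connector selection is not implemented.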
