kafka-ops / julie

A solution to help you build automation and gitops in your Apache Kafka deployments. The Kafka gitops!


RBAC - Service account prefix filter as primary criterion is not correct when config has topic filter.

damien-malescot opened this issue · comments

Describe the bug
In PR 418, service account now takes precedence over all if configured. But if we have service account AND topic managed in configuration, the filter is not correct.

To Reproduce
New code in PR 418:

    // regardless. Filtering by service account will always take precedence if defined
    if (haveServiceAccountPrefixFilters() || resourceName.equals("*")) {
      return matchesServiceAccountPrefixList(principle);
    }

If we have an RBAC right like this in the cluster:

           Principal       |      Role      | ResourceType |              Name              | PatternType
    +----------------------+----------------+--------------+--------------------------------+-------------+
      Group:G_FOO_BAR_READ | DeveloperWrite | Topic        | d.customers.example.my-topic.1 | LITERAL

Create a new topology file:

context: "d"
source: "foo"
projects:
  - name: "bar"
    consumers:
      - principal: "Group:G_FOO_BAR_READ"
    topics:
      - name: "my-topic.1"
        plan: "one-partition"

with configs

topology.topic.managed.prefixes.0=d.foo.bar
topology.service.accounts.managed.prefixes.0="Group:G_FOO_BAR_READ"

After execution, the first binding is deleted:

       Principal       |     Role      | ResourceType |   Name    | PatternType
+----------------------+---------------+--------------+-----------+-------------+
  Group:G_FOO_BAR_READ | DeveloperRead | Topic        | d.foo.bar | PREFIXED
  Group:G_FOO_BAR_READ | ResourceOwner | Group        | *         | LITERAL

In fact, the binding matches the service account but the topic is not in this file, so julieops deletes this binding.

topology.topic.managed.prefixes is not used in this case to filter on service account AND topic matching.

Expected behavior
Service account should not always take precedence if configured.

Additional context
JulieOps master branch

Thanks again @damien-malescot for your list of interesting issues, I'm really grateful for your help and interest in making JulieOps a bit better. If I understand you better, you are proposing to have something like this kind of filter (if matching):

  • if (serviceAccount.Filter.IsDefined and topicName.Filter.IsDefined) -> serviceAccount AND topicName
  • if (serviceAccount.Filter.IsDefined) -> serviceAccount
  • if (topicName.Filter.IsDefined) -> topicName

In this order, for AccessControlManager.

Would that be an accurate map of your suggestion here?
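To make the three-case ordering above concrete, here is an added stand-alone Python model (not JulieOps code) that applies both the PR 418 behaviour and the proposed AND ordering to the bindings and prefixes from the report; the Binding class, the function names and the treatment of wildcard resource names are assumptions.

```python
# Stand-alone model of the binding filter discussed in this issue; not JulieOps code.
# Bindings and prefixes below are the ones from the bug report, re-typed as constants.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    principal: str
    role: str
    resource_type: str
    name: str
    pattern_type: str


def _matches(value, prefixes):
    return any(value.startswith(p) for p in prefixes)


def is_managed_current(b, sa_prefixes, topic_prefixes):
    # Behaviour after PR 418: the principal filter wins whenever it is configured.
    if sa_prefixes or b.name == "*":
        return _matches(b.principal, sa_prefixes)
    return _matches(b.name, topic_prefixes)


def is_managed_proposed(b, sa_prefixes, topic_prefixes):
    # Ordering proposed in the thread: both filters -> AND, otherwise whichever is set.
    # Assumption: a wildcard resource name is judged by the principal filter alone.
    sa_ok = _matches(b.principal, sa_prefixes)
    topic_ok = b.name == "*" or _matches(b.name, topic_prefixes)
    if sa_prefixes and topic_prefixes:
        return sa_ok and topic_ok
    if sa_prefixes:
        return sa_ok
    return topic_ok if topic_prefixes else True


def plan_deletions(cluster, topology, sa_prefixes, topic_prefixes, is_managed):
    # Julie deletes a cluster binding that is in scope (managed) but absent from the topology.
    return [b for b in cluster
            if is_managed(b, sa_prefixes, topic_prefixes) and b not in topology]


SA_PREFIXES = ["Group:G_FOO_BAR_READ"]
TOPIC_PREFIXES = ["d.foo.bar"]
# Binding that exists in the cluster before the run (from the report).
OLD = Binding("Group:G_FOO_BAR_READ", "DeveloperWrite", "Topic",
              "d.customers.example.my-topic.1", "LITERAL")
# Bindings the topology file produces for the consumer (from the report).
TOPOLOGY = [
    Binding("Group:G_FOO_BAR_READ", "DeveloperRead", "Topic", "d.foo.bar", "PREFIXED"),
    Binding("Group:G_FOO_BAR_READ", "ResourceOwner", "Group", "*", "LITERAL"),
]
CLUSTER = [OLD] + TOPOLOGY
```

With both prefixes set, the PR 418 rule marks the `d.customers.example.my-topic.1` binding as managed and deletes it, while the proposed AND rule leaves it untouched because the topic is outside `d.foo.bar`.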

Hi @purbon, indeed that should fix this bug.
Julie should only manage service account for the defined topic filters if any.

Thanks.

Fair enough! Let me shoot your way a proposal PR and let me know if that fits it, ok?

@ludovic-boutros @damien-malescot as shared, I have created #521 as the proposed amend for this. Does this paint your thoughts and proposals in the issue?