RBAC - Prefixed bindings are too permissive
damien-malescot opened this issue
Describe the bug
When we configure topology.acls.optimized=true, RBAC bindings are set in PREFIXED mode like this: context.source.projectName*
In some contexts, bindings can be too permissive, for example if we have 2 projects with the same starting name:
- context.source.foo bindings will be context.source.foo*
- context.source.foobar bindings will be context.source.foobar*
In this example, consumers in the first project (context.source.foo) can read topics in the second (context.source.foobar).
To Reproduce
Create 2 topologies with the same project starting name.
Apply topology
Expected behavior
Authorizations of each project are separated.
Additional context
A quick correction could be to add a dot at the end of the bindings:
- context.source.foo bindings will be context.source.foo.*
- context.source.foobar bindings will be context.source.foobar.*
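The overlap described in this issue, as an added example that is not part of the issue or the project's own code: it models Kafka's PREFIXED resource-pattern matching (a plain starts-with check) and audits a set of project names for bindings that spill into another project. The `context.source.<project>` naming and the trailing-dot correction are taken from the issue; the function names and the two-project topology are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Tuple

# Hypothetical helpers modelling the two binding schemes discussed in the issue.
def optimized_prefix(context: str, source: str, project: str) -> str:
    """Prefix produced with topology.acls.optimized=true: context.source.project*"""
    return f"{context}.{source}.{project}"

def dotted_prefix(context: str, source: str, project: str) -> str:
    """Proposed correction: terminate the prefix with a dot (context.source.project.*)"""
    return f"{context}.{source}.{project}."

def prefixed_matches(prefix: str, resource_name: str) -> bool:
    """Kafka PREFIXED pattern semantics: the resource name must start with the prefix."""
    return resource_name.startswith(prefix)

def find_overlaps(prefixes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (a, b) pairs where project a's binding also covers project b's resources,
    i.e. every resource under b's prefix is matched by a's prefix."""
    overlaps = []
    for a, prefix_a in prefixes.items():
        for b, prefix_b in prefixes.items():
            if a != b and prefixed_matches(prefix_a, prefix_b):
                overlaps.append((a, b))
    return sorted(overlaps)

# Constructed topology: two projects sharing a leading name, as in the issue.
PROJECTS = ["foo", "foobar"]

def audit(prefix_fn: Callable[[str, str, str], str]) -> List[Tuple[str, str]]:
    """Audit the constructed topology under a given binding scheme."""
    prefixes = {p: prefix_fn("context", "source", p) for p in PROJECTS}
    return find_overlaps(prefixes)

if __name__ == "__main__":
    print("optimized bindings overlap:", audit(optimized_prefix))  # [('foo', 'foobar')]
    print("dotted bindings overlap:   ", audit(dotted_prefix))     # []
```

Running the same audit over a real topology's project list before applying it surfaces any pair of projects whose prefixed bindings would grant cross-project access.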
This makes complete sense @damien-malescot, thanks a lot for your issue. This should be now fixed with the introduction of #515, this will be released in the next release. Thanks again for your contribution.
Thanks, you are very reactive 😉