
Add way to manage ACLs and Quotas for Service Accounts through the User Operator #10353

Open
scholzj opened this issue Jul 18, 2024 · 3 comments

Comments

@scholzj
Member

scholzj commented Jul 18, 2024

With #10317 we add support for service-account-based authentication. We should also add a way to manage Simple ACLs and Quotas with KafkaUser resources and User Operator.

@scholzj
Member Author

scholzj commented Jul 18, 2024

The tricky part here is how to deal with namespaces 🤔

@scholzj
Member Author

scholzj commented Aug 8, 2024

Triaged on the Community call on 8.8.2024: This would make sense. But given the complication with namespaces, a proposal should be written first.

@sebypp

sebypp commented Jan 19, 2025

Background and simplified overview for OAuth auth/authz

  1. authn: Principal username is extracted from token (defaults to sub claim). More information here.
  2. authz: username obtained from [1] is matched against Principals defined via KafkaUser CRD and appropriate authz is applied.

Problem statement

KafkaUser CRD maps the metadata.name to actual Kafka Principal, which imposes restrictions on what usernames can look like. In plain English, a Kubernetes JWT token (example below) would default to its sub.

```json
{
  "aud": [
    "https://kubernetes.default.svc"
  ],
  "exp": 1731613413,
  "iat": 1700077413,
  "iss": "https://kubernetes.default.svc",
  "jti": "ea28ed49-2e11-4280-9ec5-bc3d1d84661a",
  "kubernetes.io": {
    "namespace": "kube-system",
    "node": {
      "name": "127.0.0.1",
      "uid": "58456cb0-dd00-45ed-b797-5578fdceaced"
    },
    "pod": {
      "name": "coredns-69cbfb9798-jv9gn",
      "uid": "778a530c-b3f4-47c0-9cd5-ab018fb64f33"
    },
    "serviceaccount": {
      "name": "coredns",
      "uid": "a087d5a0-e1dd-43ec-93ac-f13d89cd13af"
    },
    "warnafter": 1700081020
  },
  "nbf": 1700077413,
  "sub": "system:serviceaccount:kube-system:coredns"
}
```

(The `sub` claim would be the actual Kafka Principal username.)

The system:serviceaccount:kube-system:coredns is not a valid username that we can use for the KafkaUser CRD resource.

Possible solutions

1. Implement advanced parsing for userNameClaim using JsonPath and/or jackson-jq to something more dynamic than just extracting a claim.
2. Add a custom annotation to the KafkaUser CRD that will be used as Kafka Principal username instead of the metadata.username defined in the CRD.
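The flow and naming problem described in the comment above, as an added illustration that is not Strimzi's or the commenter's code: it decodes a constructed token of the same shape, shows that the `sub` claim cannot serve verbatim as a KafkaUser `metadata.name`, and shows the nested claim walk that option 1 would need. The DNS-1123 name check and all function names are assumptions for this example, not anything from the issue.

```python
import base64
import json
import re

# Constructed sample claims mirroring the token shape in the comment (not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:kube-system:coredns",
    "kubernetes.io": {
        "namespace": "kube-system",
        "serviceaccount": {"name": "coredns", "uid": "constructed-uid"},
    },
}

# A Kubernetes metadata.name must be a DNS-1123 subdomain: lowercase alphanumerics,
# '-' and '.', at most 253 characters. Colons (as in system:serviceaccount:...) fail.
DNS1123_SUBDOMAIN = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Test-only JWT with alg 'none' and an empty signature, so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}."

def decode_claims(token: str) -> dict:
    """Parse the payload segment only. A broker verifies the signature against the
    issuer's keys before trusting any claim; this helper skips that on purpose."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def extract_claim(claims: dict, path: tuple) -> str:
    """Walk a nested claim by key sequence. A flat userNameClaim cannot reach
    kubernetes.io/serviceaccount/name because the top-level key itself contains
    a dot, which is why the comment proposes JsonPath-style extraction."""
    node = claims
    for key in path:
        node = node[key]
    return node

def is_valid_kafka_user_name(name: str) -> bool:
    """True if the principal could be used verbatim as a KafkaUser metadata.name."""
    return len(name) <= 253 and DNS1123_SUBDOMAIN.match(name) is not None
```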
