RBAC for ACL Management

[joelpavlovsky]

Issue submitter TODO list

• I've searched for an already existing issues here
• I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

Today we can set the ACL RBAC action only for view & edit, and we don't have the option to set the value or some specific ACL action (e.g. ACL type, Resource type).

### Current RBAC role config
        - resource: acl
          actions: [view, edit]

Describe the feature you're interested in

We need the ability to set actions & values for each RBAC role and ACL resource/type
Resource type

actions:

• view
• edit
• delete
• custom_acl
• producer_acl
• consumer_acl
• stream_acl

value: (for custom_acl, edit & view, filter by resource type)

• TOPIC
• GROUP
• CLUSTER
• TRANSACTIONAL_ID
• DELEGATION_TOKEN
• USER

For Example:

### Requested RBAC role config
        - resource: acl
          value: ["TOPIC", "GROUP"]
          actions: [view, edit, custom_acl, producer_acl, consumer_acl]

Describe alternatives you've considered

No response

Version you're running

v1.0.0

Additional context

No response

[github-actions]

Hi joelpavlovsky! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

[Haarolean]

Hi, this is not possible mainly because custom ACL types (or presets) exist only as a convenience feature, and they're indistinguishable from the other ACL records once they've been created in zookeeper.

[joelpavlovsky]

Thank you for your response.

The issue arises when a user only has permissions as a cluster reader, restricting them from altering cluster settings or configurations, thereby unable to "destroy" the cluster. However, in cases where I granted permissions for the client to create or edit ACLs, they can create a custom ACL with cluster alter configurations, potentially leading to unintended actions or mistakes.

My suggestion is to introduce an option to conceal the "custom ACL" feature, allowing users to only assign producer or consumer ACLs. This enhancement would provide added protection for the client, enabling them to implement only essential ACLs, such as producer or consumer permissions.

[joelpavlovsky]

Thank you for your response. The issue arises when a user only has permissions as a cluster reader, restricting them from altering cluster settings or configurations, thereby unable to "destroy" the cluster. However, in cases where I granted permissions for the client to create or edit ACLs, they can create a custom ACL with cluster alter configurations, potentially leading to unintended actions or mistakes. My suggestion is to introduce an option to conceal the "custom ACL" feature, allowing users to only assign producer or consumer ACLs. This enhancement would provide added protection for the client, enabling them to implement only essential ACLs, such as producer or consumer permissions.

…

On Thu, May 2, 2024, 01:11 Roman Zabaluev ***@***.***> wrote: Hi, this is not possible mainly because custom ACL types (or presets) exist only as a convenience feature, and they're indistinguishable from the other ACL records once they've been created in zookeeper. — Reply to this email directly, view it on GitHub <#288 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AO3VNE5URLLU7COFAIZBKV3ZAFSANAVCNFSM6AAAAABGGBDJQOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOBZGIYTSNBZGE> . You are receiving this because you authored the thread.Message ID: ***@***.***>