Skip to content

BE: RBAC: Impl default role #1056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

BE: RBAC: Impl default role #1056

wants to merge 12 commits into from
+205 −10

Conversation

seono
Copy link

@seono seono commented May 4, 2025
edited
Loading

I’ve opened a draft PR. If this approach looks okay, I’ll follow up with tests and documentation.

  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)
Implement default role
#344

Is there anything you'd like reviewers to focus on?
I updated each extractor’s extract method to return the defaultRole if it’s present, but I’m not sure if this aligns with the original intention of how extract is supposed to be used.

I tested it using the configuration below

rbac:
  default-role:
    name: defaultRole
    permissions:
        - resource: clusterconfig
          actions: [ view ]

        - resource: topic
          value: ".*"
          actions: 
            - VIEW
            - MESSAGES_READ

        - resource: consumer
          value: ".*"
          actions: [ view ]

        - resource: schema
          value: ".*"
          actions: [ view ]

        - resource: connect
          value: ".*"
          actions: [ view ]

        - resource: acl
          actions: [ view ]
  roles: []

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

@kapybro kapybro bot added status/triage Issues pending maintainers triage area/rbac Related to Role Based Access Control feature status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels May 4, 2025
github-actions[bot]
github-actions bot reviewed May 4, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi seono! 👋

Welcome, and thank you for opening your first PR in the repo!

Please wait for triaging by our maintainers.

Please take a look at our contributing guide.

@seono seono mentioned this pull request May 4, 2025
Open
2 tasks
@seono seono marked this pull request as ready for review June 12, 2025 09:55
@seono seono requested a review from a team as a code owner June 12, 2025 09:55
germanosin
germanosin requested changes Jun 12, 2025
View reviewed changes
Copy link
Member

@germanosin germanosin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, thanks for PR!
Please check my comments.

seono
seono commented Jun 12, 2025
View reviewed changes
Copy link
Author

@seono seono left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@germanosin
Thanks for the review.
I applied the following updates:

  • use jakarta
  • remove changes from extractors
  • add DefaultRole class.
  • let DefaultRole need cluster definition

I updated the code to work with the RBAC definition below.

...

rbac:
  default-role:
    name: read-only
    clusters:
      - dev-cluster
    permissions:
      - resource: clusterconfig
        actions: [ "view" ]

      - resource: topic
        value: ".*"
        actions: 
          - VIEW
          - MESSAGES_READ

      - resource: consumer
        value: ".*"
        actions: [ view ]

      - resource: schema
        value: ".*"
        actions: [ view ]

      - resource: connect
        value: ".*"
        actions: [ view ]

      - resource: acl
        actions: [ view ]

  roles:
    - name: admin
      clusters:
        - dev-cluster
        - prod-cluster
      subjects:
        - provider: oauth_github
          type: user
          value: "seono"
...

@seono seono requested a review from germanosin June 14, 2025 04:48
germanosin
germanosin requested changes Jun 15, 2025
View reviewed changes
germanosin
germanosin requested changes Jun 15, 2025
View reviewed changes
@seono seono requested a review from germanosin June 16, 2025 03:39
@Haarolean Haarolean self-requested a review June 16, 2025 08:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot]

@germanosin germanosin

@Haarolean Haarolean

Assignees
No one assigned
Labels
area/rbac Related to Role Based Access Control feature status/triage/completed Automatic triage completed status/triage/manual Manual triage in progress
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@seono @germanosin