Introduce principal_type::role
#16768
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/dt |
oleiman
force-pushed
the
rbac/role-principal
branch
from
0d79ce8
to
d6a5cd9
Compare
|
/dt |
BenPope
reviewed
Feb 29, 2024
oleiman
requested review from
twmb,
r-vasquez and
gene-redpanda
as code owners
Ya, posted something in slack so folks can see, but I'm going to change this. |
oleiman
force-pushed
the
rbac/role-principal
branch
from
d6a5cd9
to
fe3c7ca
Compare
|
force push: "Role:" -> "RedpandaRole:" |
oleiman
force-pushed
the
rbac/role-principal
branch
from
fe3c7ca
to
b8e1c43
Compare
|
force push: typo |
oleiman
force-pushed
the
rbac/role-principal
branch
from
b8e1c43
to
0967e8f
Compare
|
force push rebase to fix merge conflict |
Also adds "RedpandaRole:" prefix handling to conversion helpers: - to_acl_principal(...) - to_kafka_principal(...)
Normally rpk adds a "User:" prefix to any principal name that doesn't include it. This commit adds an exception to the rule.
Verify that we can create them and that ACLs for "RedpandaRole:<name>" don't bleed over to "User:<name>". Verifies that franz-go based clients won't choke on "RedpandaRole:" type principals
oleiman
force-pushed
the
rbac/role-principal
branch
from
0967e8f
to
eb4e275
Compare
|
force push fix test docstring and remove out-of-date linter suppression |
Verifying that Java-based clients won't choke on "RedpandaRole:" Verifying that Redpanda rejects ACL bindings with a bogus principal type and that Java-based clients properly handle the result. In this case that means a non-zero exit status becuase shell scripts are fun!
Verifying that librdkafka-based clients won't choke on "RedpandaRole:". Verifying that ACL bindings with a bogus principal are rejected and that librdkafka-based clients won't choke on the result.
oleiman
force-pushed
the
rbac/role-principal
branch
from
eb4e275
to
ebb1d8d
Compare
|
force push to add tests for invalid role prefix handling (librdkafka and java only b/c |
|
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45656#018e0c14-762a-4599-8757-b05662a67b42 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a new type of security principal for RBAC.
Updates
security::to_acl_principalandsecurity::to_kafka_principalto support "Role:" prefix.Includes a small
rpkupdate to respect the "Role:" prefix when creating/deleting ACLsCloses https://github.com/redpanda-data/core-internal/issues/1100
Backports Required
Release Notes