security: Wire up RBAC role to OCSF user::groups #17359
Signed-off-by: Ben Pope <ben@redpanda.com>
looks great to me. small omission in the DT test
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46689#018e73a8-6122-4fb3-8e52-858ae795523d
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46710#018e7693-906c-401c-8f29-ba33a8a4775b
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46710#018e7693-9065-4227-81a7-de44af3c9206
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/46710#018e76bc-0008-4194-8465-60c8944ef115
lgtm, just address @oleiman
Check the audit events for the `describe` permission during the `metadata` request of list topics. Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Ben Pope <ben@redpanda.com>
LGTM
new failures in https://buildkite.com/redpanda/redpanda/builds/46710#018e7693-906e-4770-8ff0-14c090f831c3:
// A collection or association of entities, such as users, policies, or devices.
// https://schema.ocsf.io/1.0.0/objects/group?extensions=
struct group {
enum class type_id : int { unknown = 0, role = 1 };
nit: if `int` is there for serde, it's unnecessary since serde will override and always use a fixed-size integer type. otherwise, int is already the default i think.
Fair enough, I was just following the pattern from:
// Characteristics of a user/person or security principal
// https://schema.ocsf.io/1.0.0/objects/user?extensions=
struct user {
enum class type : int {
New failure is unrelated.
@michael-redpanda can you confirm or deny that the role -> group mapping is not expected for authentication, but is expected for authorized operations?
Yes, roles are just authZ related and should only affect the authZ audit message
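The split agreed on above (role groups appear only on authorization events, never on authentication events) and the ducktape check from the commit message (audit events for the `describe` permission during the `metadata` request of list topics) can both be expressed as checks over audit records. The following is an added example, not code from this PR or from Redpanda's test suite: it builds a few constructed OCSF-shaped records, flags any authentication event that carries a role-typed group, and asserts that a principal whose `describe` permission comes only from a role has that role listed in `user.groups` on its `metadata` authorization events. The `class_uid` values are the OCSF 1.0.0 ones for Authentication (3002) and API Activity (6003); the `group.type_id` values come from the struct under review; the nesting of `api`, `actor`, `resources` and `authorizations` in the sample records is an assumption made for this example.

```python
import json

# OCSF 1.0.0 class_uid values: Authentication = 3002, API Activity = 6003.
AUTHENTICATION = 3002
API_ACTIVITY = 6003
# group.type_id from the struct under review: unknown = 0, role = 1.
GROUP_TYPE_ROLE = 1


def role_group(name):
    """Build an OCSF group object marking an RBAC role (constructed helper)."""
    return {"name": name, "type": "role", "type_id": GROUP_TYPE_ROLE}


# Constructed sample records, one JSON object per line. They are not real
# Redpanda output; the api/actor/resources/authorizations nesting is assumed.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"class_uid": AUTHENTICATION,
     "actor": {"user": {"name": "alice", "groups": []}}},
    {"class_uid": API_ACTIVITY, "api": {"operation": "metadata"},
     "actor": {"user": {"name": "alice", "groups": [role_group("topic-reader")]}},
     "resources": [{"type": "topic", "name": "orders"}],
     "authorizations": [{"decision": "Authorized",
                         "policy": {"desc": "describe"}}]},
    # Defect to catch: a role group leaked into an authentication event.
    {"class_uid": AUTHENTICATION,
     "actor": {"user": {"name": "bob", "groups": [role_group("admin")]}}},
    # Defect to catch: describe granted on metadata, but the role is missing.
    {"class_uid": API_ACTIVITY, "api": {"operation": "metadata"},
     "actor": {"user": {"name": "carol", "groups": []}},
     "resources": [{"type": "topic", "name": "orders"}],
     "authorizations": [{"decision": "Authorized",
                         "policy": {"desc": "describe"}}]},
])


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_name(event):
    return event.get("actor", {}).get("user", {}).get("name")


def role_groups(event):
    """Names of actor.user.groups entries typed as RBAC roles."""
    groups = event.get("actor", {}).get("user", {}).get("groups", [])
    return [g.get("name") for g in groups if g.get("type_id") == GROUP_TYPE_ROLE]


def permissions(event):
    """Permission names (policy.desc) behind each authorization decision."""
    return [a.get("policy", {}).get("desc") for a in event.get("authorizations", [])]


def authn_events_with_roles(events):
    """Roles are authZ-only, so a role group on an authentication event is a bug.
    Returns the names of users whose authentication events carry one."""
    return [actor_name(e) for e in events
            if e.get("class_uid") == AUTHENTICATION and role_groups(e)]


def describe_on_metadata(events, user):
    """API activity events where user's metadata request was authorized via describe."""
    return [e for e in events
            if e.get("class_uid") == API_ACTIVITY
            and actor_name(e) == user
            and e.get("api", {}).get("operation") == "metadata"
            and "describe" in permissions(e)]


def describe_carries_role(events, user, role):
    """What a ducktape-style test would assert for a principal whose describe
    permission comes only from `role`: at least one describe-on-metadata event
    exists and every such event lists the role in user.groups."""
    hits = describe_on_metadata(events, user)
    return bool(hits) and all(role in role_groups(e) for e in hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("authn events carrying roles:", authn_events_with_roles(evs))
    print("alice via topic-reader:", describe_carries_role(evs, "alice", "topic-reader"))
    print("carol via topic-reader:", describe_carries_role(evs, "carol", "topic-reader"))
```

Against the sample log the first check names `bob`, whose authentication event wrongly carries an `admin` role group, and the second passes for `alice` but fails for `carol`, whose `describe` authorization on `metadata` recorded no role. A real test would read the broker's audit topic instead of `SAMPLE_LOG` and pass the role it configured for the test principal.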
Fixes https://github.com/redpanda-data/core-internal/issues/1102
Backports Required
Release Notes