RBAC: Cognito roles matching regression #4157

@maikelmertens

Description

Issue submitter TODO list

  • I've looked up my issue in the FAQ
  • I've searched for already existing issues here
  • I've tried running the master-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I'm currently having difficulties enforcing RBAC on Cognito groups. We've set up AWS Cognito, defined a few groups, and I've added myself to one of the groups for testing.

Post configuration, I'm denied access. Investigating the debug logs provides the attached information.

From this, it's evident that the cognito:groups field matches my RBAC configuration (kafka-ui_ADMIN). It's also clear the groups field is empty, which, from my understanding, is the expected behavior in Cognito. Furthermore, I noticed the correct implementation of this in your source code, particularly here.

Given this information, is there something misconfigured in my configuration?

In a related query, I'm also keen to know if it's feasible for multiple RBAC roles to overlap for a single Cognito group. Ideally, I'd like an RBAC role policy that provides full access to the DEV and TST clusters, while restricting some access, like reading messages, on the ACC and PRD clusters. Can I structure this with two roles (one for DEV & TST, another for ACC & PRD) for one group, or can this even be achieved in one single RBAC role?

Appreciate any insight you can provide on this. Thanks in advance!

Expected behavior

No response

Your installation details

App version: 56fa824 v0.7.1

Configuration:

        - name: AUTH_TYPE
          value: oauth2
        - name: AUTH_OAUTH2_CLIENT_COGNITO_PROVIDER
          value: cognito
        - name: AUTH_OAUTH2_CLIENT_COGNITO_CLIENT_NAME
          value: cognito
        - name: AUTH_OAUTH2_CLIENT_COGNITO_CLIENTID
          value: ***
        - name: AUTH_OAUTH2_CLIENT_COGNITO_CLIENTSECRET
          value: ***
        - name: AUTH_OAUTH2_CLIENT_COGNITO_ISSUER_URI
          value: https://***/***
        - name: AUTH_OAUTH2_CLIENT_COGNITO_REDIRECT_URI
          value: https://***/login/oauth2/code/cognito
        - name: AUTH_OAUTH2_CLIENT_COGNITO_SCOPE
          value: openid
        - name: AUTH_OAUTH2_CLIENT_COGNITO_USER_NAME_ATTRIBUTE
          value: name

RBAC configuration:

   rbac:
      roles:
        - name: ADMIN
          clusters:
            - DEV

          subjects:
            - provider: oauth_cognito
              type: group
              value: "kafka-ui_ADMIN"

          permissions:
            - resource: applicationconfig
              actions: all

            - resource: clusterconfig
              actions: all

            - resource: topic
              value: ".*"
              actions: all

            - resource: consumer
              value: ".*"
              actions: all

            - resource: schema
              value: ".*"
              actions: all

            - resource: connect
              value: ".*"
              actions: all

            - resource: ksql
              actions: all

            - resource: acl
              value: ".*"
              actions: all

Steps to reproduce

  1. Set up Cognito
  2. Change App Config with excerpt provided
  3. RBAC Config with excerpt provided
  4. Run & Test:
    Start your app.
    Try logging in with your user.
    You should be denied access (even though you're in the kafka-ui_ADMIN group).
  5. Logs:
    Peek at your app logs.
    Spot the o.s.s.w.s.c.WebSessionServerSecurityContextRepository log.
    cognito:groups should show kafka-ui_ADMIN, but groups will be empty.

Screenshots

No response

Logs

o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=RbacOidcUser[user=Name: [maikel.mertens@***], Granted Authorities: [[OIDC_USER]], User Attributes: [{at_hash=asdasd, sub=3e695ed8-7715-asdasd-a9be-5e4fdasdasd, cognito:groups=[kafka-ui_ADMIN], email_verified=false, iss=https://***, cognito:username=azuread_maikel.mertens@***, given_name=Maikel, nonce=asdasd, origin_jti=asdasd, aud=[asdasd], identities=[{userId=maikel.mertens@***, providerName=AzureAD, providerType=SAML, issuer=https://sts.windows.net/asdasd/, primary=true, dateCreated=asdasd}], token_use=id, auth_time=2023-08-24T12:35:54Z, name=maikel.mertens@***, exp=2023-08-24T13:35:54Z, iat=2023-08-24T12:35:54Z, family_name=Mertens, jti=asdasd, email=maikel.mertens@***}], groups=[]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[OIDC_USER]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@6217eb9a'

Additional context

No response
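The matching logic the issue describes, as an added example that is not part of the issue and not kafka-ui's own code: a small model of RBAC roles with subjects of type group for provider oauth_cognito, evaluated against a constructed copy of the user attributes from the log line above (cognito:groups populated, groups empty). It shows why a matcher that only reads the groups claim denies the user while one that reads cognito:groups matches the role, and it also models the two-role layout from the question (one full-access role for DEV and TST, one restricted role for ACC and PRD, both bound to the same group) to show that one group can accumulate permissions from several roles. The claim-name order, the role and action names (view, messages_read) and the is_allowed helper are assumptions made for this example, not kafka-ui's implementation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

# Constructed subset of the OIDC user attributes from the issue's log line
# (redacted values kept as placeholders). Cognito puts group membership under
# the "cognito:groups" claim; the generic "groups" claim is empty.
USER_ATTRIBUTES: Dict[str, object] = {
    "sub": "3e695ed8-7715-asdasd-a9be-5e4fdasdasd",
    "cognito:groups": ["kafka-ui_ADMIN"],
    "groups": [],
    "email": "maikel.mertens@***",
}


@dataclass
class Subject:
    provider: str
    type: str
    value: str


@dataclass
class Permission:
    resource: str
    actions: List[str]      # "all" or a list of action names (assumed names)
    value: str = ".*"       # regex over the resource name, as in the RBAC YAML


@dataclass
class Role:
    name: str
    clusters: List[str]
    subjects: List[Subject]
    permissions: List[Permission]


# Hypothetical claim names a Cognito-aware matcher consults, in priority order.
COGNITO_GROUP_CLAIMS: Sequence[str] = ("cognito:groups", "groups")

# Two roles bound to the same Cognito group (the layout asked about in the issue).
ROLES: List[Role] = [
    Role("ADMIN_DEV_TST", ["DEV", "TST"],
         [Subject("oauth_cognito", "group", "kafka-ui_ADMIN")],
         [Permission("topic", ["all"]), Permission("clusterconfig", ["all"])]),
    Role("READONLY_ACC_PRD", ["ACC", "PRD"],
         [Subject("oauth_cognito", "group", "kafka-ui_ADMIN")],
         [Permission("topic", ["view"])]),   # no messages_read on ACC/PRD
]


def groups_from_claims(attrs: Dict[str, object], claim_names: Sequence[str]) -> Set[str]:
    """Collect group names from every listed claim; a single string counts as one group."""
    groups: Set[str] = set()
    for claim in claim_names:
        value = attrs.get(claim)
        if isinstance(value, str):
            value = [value]
        if value:
            groups.update(value)
    return groups


def matched_roles(roles: List[Role], attrs: Dict[str, object],
                  claim_names: Sequence[str] = COGNITO_GROUP_CLAIMS) -> List[Role]:
    """Return every role that has a group subject present in the user's groups."""
    groups = groups_from_claims(attrs, claim_names)
    result = []
    for role in roles:
        if any(s.provider == "oauth_cognito" and s.type == "group" and s.value in groups
               for s in role.subjects):
            result.append(role)
    return result


def matched_role_names(roles: List[Role], attrs: Dict[str, object],
                       claim_names: Sequence[str] = COGNITO_GROUP_CLAIMS) -> List[str]:
    return [r.name for r in matched_roles(roles, attrs, claim_names)]


def is_allowed(roles: List[Role], attrs: Dict[str, object], cluster: str,
               resource: str, action: str, target: str = "") -> bool:
    """Allow if any matched role covers the cluster and grants the action on the resource."""
    for role in matched_roles(roles, attrs):
        if cluster not in role.clusters:
            continue
        for p in role.permissions:
            if (p.resource == resource
                    and ("all" in p.actions or action in p.actions)
                    and re.fullmatch(p.value, target)):
                return True
    return False


if __name__ == "__main__":
    # Reading only the generic "groups" claim reproduces the denial from the log.
    print("groups-only matcher:", matched_role_names(ROLES, USER_ATTRIBUTES, ("groups",)))
    print("cognito:groups matcher:", matched_role_names(ROLES, USER_ATTRIBUTES))
    print("read messages on DEV:", is_allowed(ROLES, USER_ATTRIBUTES, "DEV", "topic", "messages_read", "orders"))
    print("read messages on PRD:", is_allowed(ROLES, USER_ATTRIBUTES, "PRD", "topic", "messages_read", "orders"))
```

Running the script shows the two outcomes side by side: with only the groups claim the user matches no role at all, which is exactly the symptom in the log, whereas with cognito:groups both roles match and the per-cluster permission lists decide what the group may do on each cluster.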

Metadata

Labels

  • area/rbac
  • scope/backend
  • status/accepted: An issue which has passed triage and has been accepted
  • status/confirmed: A bug which actuality is confirmed
  • type/bug: Something isn't working
  • type/regression: Something that has been previously fixed but got broken again

Development

No branches or pull requests