Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discussion kick-off for extending RBAC support to Keyclock authentication in addition to Kubernetes clusters #448

Open
1 of 4 tasks
tadayosi opened this issue Jul 19, 2023 · 3 comments
Open
1 of 4 tasks

Discussion kick-off for extending RBAC support to Keyclock authentication in addition to Kubernetes clusters #448

tadayosi opened this issue Jul 19, 2023 · 3 comments
Labels
area/rbac kind/discussion

Comments

@tadayosi
Copy link
Member

tadayosi commented Jul 19, 2023
edited
Loading

Extracted to a new issue from #36 comment.

Discussion kick-off for extending RBAC support to Keyclock authentication in addition to Kubernetes clusters.

Idea

  • Extend RBAC canInvoke for the Add button in the Endpoints View (disabled if canInvoke is false)
  • Implement keycloak support for authentication in a sample app tied into hawtio (embedded or standalone???)
  • Add role to keycloak specifically disabling support for Add button - something like can add new stuff to app
  • Tie the role to the rbac tree processor / canInvoke permissions

Further Considerations

  • Legacy hawtio has provision for disablling UI elements already and we should consider porting this. However, the implementation was considered fairly ad-hoc so need to look at consistent and overarching architecture for all elements.

References

Originally posted by @phantomjinx in #36 (comment)
@tadayosi
Copy link
Member Author

  • Tie the role to the rbac tree processor / canInvoke permissions

This is actually what JMXSecurityMBean does. It's just the API front-end for the backend ACL implementation per runtime, and each runtime must provide the ACL (Access Lists) implementation (e.g. Karaf and Hawtio Online) to map roles to allowed operations.
https://github.com/hawtio/hawtio/blob/hawtio-3.0-M8/hawtio-system/src/main/java/io/hawt/jmx/JMXSecurity.java

  • Legacy hawtio has provision for disablling UI elements already and we should consider porting this. However, the implementation was considered fairly ad-hoc so need to look at consistent and overarching architecture for all elements.

Yes, the legacy hawtio RBAC implementation wasn't so cool, so we don't need to port everything from there. For now, the ported MBeanNode.hasInvokeRights() seems to be enough for RBAC, so let's see until we need to port more.

hawtio-next/packages/hawtio/src/plugins/shared/tree/node.ts

Line 467 in 09983da

hasInvokeRights(...methods: string[]): boolean {

@tadayosi
Copy link
Member Author

@phantomjinx I think it's nice to support RBAC for Keycloak, but it's something that should be done through a runtime instead of the hawtio-react side. To support RBAC with Keycloak:

  • Quarkus or Spring Boot (or anything else) should provide some integration with Keycloak to share the role information and a way to protect operations on JMX MBeans against the role.
  • hawtio-react should make sure that the RBAC information provided by the runtime is applied to the UI.

But at this moment, there's not so much thing we can do at hawtio-react. So, do you agree to close the issue?

@hawtio-ci
Copy link

Yes. I agree with that analysis.

@lhein lhein moved this from New to Backlog in Kanban Board Apr 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/rbac kind/discussion
Projects
Kanban Board
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tadayosi @hawtio-ci