Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat: add a consumer group role configuration #529

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Feat: add a consumer group role configuration #529

wants to merge 1 commit into from

Conversation

ludovic-boutros
Copy link
Contributor

  • Please check if the PR fulfills these requirements
  • The commit messages are descriptive
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • An issue has been created for the pull requests. Some issues might require previous discussion.

purbon
purbon reviewed Aug 15, 2022
View reviewed changes
src/main/java/com/purbon/kafka/topology/model/users/Consumer.java
import java.util.Objects;
import java.util.Optional;

public class Consumer extends User {

private Optional<String> group;

@JsonProperty(value = "group-role")
private String groupRole = RBACPredefinedRoles.RESOURCE_OWNER;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This model is used for both RBAC and ACLs permissions and might be even used later on for other integrations (I know some people who tried to do it with Ranger, for example).

I think we should not be using here:

  • The variable name as group-role, as with ACLs there are no roles per se.
  • The default value as RESOURCE_OWNER as it is Confluent RBAC dependant.

What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, I will try to see how to deal with this point.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we add a level called "rbac" in the configuration of a consumer, would it be okay for you ?

consumers:
     - principal: "Group:CONSUMER_READ"
       rbac:
           role: DeveloperRead
     - principal: "Group:CONSUMER_VIEW"
       rbac:
            role: DeveloperRead

We should do the same in the schema configuration I guess, even if currently, ACLs are only available with RBAC for schemas.
WDYT ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@purbon kind reminder on the proposal :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@purbon purbon purbon left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

RBAC - Add possibility to change consumersGroup role
2 participants
@ludovic-boutros @purbon