RBAC - Schema registry subjects bindings are never deleted
Describe the bug: When we remove subjects from a topology, bindings are not removed from RBAC.
To Reproduce: Create a topology file like this:
context: "DEV"
source: "example"
projects:
  - name: "demo"
    schemas:
      - principal: "Group:G_DEMO_READ"
        subjects:
          - "transactions"
    consumers:
      - principal: "Group:G_DEMO_READ"
    topics:
      - name: "personne.1"
        plan: "one-partition-compact"
Bindings are created:
Principal | Role | ResourceType | Name | PatternType
+------------------------+---------------+--------------+------------------+-------------+
Group:G_DEMO_READ | DeveloperRead | Topic | DEV.example.demo | PREFIXED
Group:G_DEMO_READ | ResourceOwner | Group | * | LITERAL
Principal | Role | ResourceType | Name | PatternType
+------------------------+---------------+--------------+--------------+-------------+
Group:G_DEMO_READ | ResourceOwner | Subject | transactions | LITERAL
Remove all from topology and apply:
context: "DEV"
source: "example"
projects:
  - name: "demo"
Subject’s bindings are still present:
-------------------------------------------------------------------------------
Principal | Role | ResourceType | Name | PatternType
+-----------+------+--------------+------+-------------+
Principal | Role | ResourceType | Name | PatternType
+------------------------+---------------+--------------+--------------+-------------+
Group:G_DEMO_READ | ResourceOwner | Subject | transactions | LITERAL
Expected behavior: Subjects’ bindings must be removed when they are deleted from topology files.
You should use a property, like the one for topics, to recognize managed subjects:
topology.subject.managed.prefixes
Issue Analytics
- State:
- Created a year ago
- Comments:5 (2 by maintainers)
RBAC - Schema registry subjects bindings are never deleted bug Something isn't working under-investigation. #513 opened on Jul 29 by damien-malescot.
@ludovic-boutros, feel free to push a PR if that is ok for you! I’m very open to that kind of contribution, and I think that would help the project a lot.
Thanks a lot for all your efforts and help! It is honestly much appreciated.
Hi @purbon, indeed it works with the master version. I will have to double check with @damien-malescot when he is back, because I think this modification seems to fix the described issue: If not filtered, just apply updates.
Just to let you know, we have added a subject management prefix filter in our fork.
We would like to use the official version or at least something really similar in order to reduce our maintenance work. That’s why we are creating all these issues in order to improve Julie. Hope this helps 😃
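
An added example, not part of the original issue and not JulieOps code: a Python audit that parses a binding listing in the format shown above and reports Subject bindings the topology no longer declares, so leftover grants can be reviewed. Assumptions: the ResourceOwner/LITERAL mapping is taken from the output in the issue, `managed_prefixes` is a hypothetical parameter mirroring the prefix filter suggested above, and the second sample row is constructed.

```python
from typing import NamedTuple

class Binding(NamedTuple):
    principal: str
    role: str
    resource_type: str
    name: str
    pattern_type: str

def parse_bindings(table):
    """Parse 'a | b | c | d | e' rows; header and separator lines are skipped."""
    rows = set()
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) == 5 and cells[0] != "Principal":
            rows.add(Binding(*cells))
    return rows

def desired_subject_bindings(topology):
    """Subject bindings the topology declares (role and pattern as in the issue's output)."""
    return {
        Binding(entry["principal"], "ResourceOwner", "Subject", subject, "LITERAL")
        for project in topology.get("projects", [])
        for entry in project.get("schemas", [])
        for subject in entry.get("subjects", [])
    }

def stale_subject_bindings(current, topology, managed_prefixes=()):
    """Subject bindings on the cluster that the topology no longer declares.
    managed_prefixes is a hypothetical filter: when non-empty, only subjects
    starting with one of the prefixes are treated as managed."""
    wanted = desired_subject_bindings(topology)
    prefixes = tuple(managed_prefixes)
    return sorted(
        b for b in current
        if b.resource_type == "Subject" and b not in wanted
        and (not prefixes or b.name.startswith(prefixes))
    )

# Listing after the second apply: the first data row is from the issue, the second is constructed.
CLUSTER = """
Principal | Role | ResourceType | Name | PatternType
+------------------------+---------------+--------------+--------------+-------------+
Group:G_DEMO_READ | ResourceOwner | Subject | transactions | LITERAL
User:other-team | ResourceOwner | Subject | external.orders | LITERAL
"""
EMPTY_TOPOLOGY = {"context": "DEV", "source": "example", "projects": [{"name": "demo"}]}

if __name__ == "__main__":
    for b in stale_subject_bindings(parse_bindings(CLUSTER), EMPTY_TOPOLOGY, ["trans"]):
        print("stale:", *b)
```

With an empty prefix list every undeclared Subject binding is reported, which is the safer default for an audit that only lists and never deletes.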