is there any way to control user authorization for listing consumer groups in Apache Kafka?
There is Read and Describe permission, however user can list all consumer groups.
I tried to set prefixed permissions for specific user to be authorized only for specific groups (Create, Read, Describe, Write), however they can list all groups.
When I use Kafka-UI, user lists all groups and try to describe group by group. For those, where no Describe permission is allowed Kafka-UI fails.
Thanks.
Related
I want to automatize creating users and adding permissisons. Is it possible in grafana, to dynamicaly adds permission to user based on AD group?
Lets say user inputs his data including AD group he is in, and the app will create folder, and sets read/edit permissions only to users that are in AD group (that can be any group )?
I know you can set viewer/editor/admin roles to people based on AD group in config file, but is it possible to do so dynamicaly, with their http api?
You can set permissions for folders and permissions for dashboards using the Grafana HTTP API:
Folder Permissions API
Dashboard Permissions API
The logic, what permission should be set for which user, needs to be determined in your code (e.g. based on the user input you mentioned) before making the request.
Scenerio :
Use Groups for multi tenancy (One user working for different organizations) -
Create one group for each org like group_org1, group_org2 etc.
Provide permissions to above groups using group policy (using confidential client authorization tab). Ex :- group_org1 has permission on resource1 and group_org2 has permission on resource2.
Assign above groups to a user , hence user will have 2 groups and, permission on resource1 & resource1.
Now groups fetched for this user will be used as organizations in application.
When selected org1 then application will work according to the permissions attached to group org1 i.e. permission only on resource1.
Question :
As of now if I try to fetch authorization permissions for a user then keycloak will give me combined permissions attached to both the groups i.e. on resource1 and resource2 . I need to fetch permissions attached to single group using keycloak rest-api. (after fetching this specific permissions I can authorize user in the application for given resource)
Hope I made my question a bit clear.
I have configured Keycloak with user self-registration. The keycloak instance will hold users of multiple customers which I plan to put into groups (so each customer can have admins that can manage these users through fine-grained permissions).
To map users that are self-registering to appropriate groups (using their email address, e.g.) I'd like to put them in their default group upon registering. Is this possible using either configuration or implementing an SPI? Or are there other possibilities to achieve a similar behavior?
I'm in the process of developing a websocket API using socket.io, on top of an existing REST API.
There are a couple of main models at the moment - User and Order.
For someone with customer level permissions, they can subscribe to the socket.io namespace /Customers and the room :customer-id and they will only see create/update/delete events for Orders they own.
For someone with admin level permissions, I was thinking they could subscribe to the /Orders namespace and the room :order-id to only see events for a particular order.
However, this has some problems:
Admins cannot see create events, since they have an ID which is not determined until creation
If I open up the /Orders namespace to all events, this could potentially grow in size massively as the app scales (seeing all events from all orders, regardless if they are rendered on screen)
Is there any type of common abstraction/grouping for websocket based APIs to limit the events that an admin will be subscribed to?
Take a look at https://github.com/facundoolano/socketio-auth to check the user authenticated and possibly groups and permissions.
I am currently working on a project in which there are many threads that users can create. User's have different permissions for the threads that can be specified by users with admin permission. User's need to be added to the thread before they have access to it.
When a user is added to the thread, they are given either read, write or admin permission. Users can also be part of groups. These groups can then be added to a thread in which case, all users in the group will be added along with the permission that is specified for the group.
thread: {id: xxxxx, users:[{id:user01, permission: write, discovery: non}, {id:user02, permission: read, discovery: GroupA}]}
So a user can be added with an individual permission or they can be added with permission given to the group they are a part of. Discovery would specify whether the user was added individually or as a group.
I am wondering if this would be the best method of setting up Mongo for this sort of permission system and also how I would actually define this schema using Mongoose? I think that it would be fastest to have all these aspects embedded into each thread.