From 786f0470362598286e044d193ce876dce3d86f60 Mon Sep 17 00:00:00 2001
From: Ivan Georgiev Ivanov
Date: Fri, 15 Aug 2025 22:11:45 +0300
Subject: [PATCH] Example config for AzureAD OAUTH2 with RBAC.

---
 oauth2-azure-rbac/README.md | 15 ++++++
 oauth2-azure-rbac/values.yaml | 90 +++++++++++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 oauth2-azure-rbac/README.md
 create mode 100644 oauth2-azure-rbac/values.yaml

diff --git a/oauth2-azure-rbac/README.md b/oauth2-azure-rbac/README.md
new file mode 100644
index 0000000..859562b
--- /dev/null
+++ b/oauth2-azure-rbac/README.md
@@ -0,0 +1,15 @@
+# AzureAD OAUTH2 setup
+
+1. Install kafka-ui Helm Chart from https://kafbat.github.io/helm-charts repository.
+2. Append the provided configuration to your ```yamlApplicationConfig``` in yours values.yaml
+
+When logging in, you should see the following in the logs:
+
+```log
+2025-08-15 17:25:20,219 TRACE [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Extracting OAuth2 user authorities
+2025-08-15 17:25:20,221 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Principal name is: [user.name@memelords.lol]
+2025-08-15 17:25:20,225 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Matched roles by username: []
+2025-08-15 17:25:20,227 TRACE [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: The field is either a set or a list, returning as is
+2025-08-15 17:25:20,228 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Token's groups: [admin]
+2025-08-15 17:25:20,231 DEBUG [reactor-http-epoll-4] i.k.u.s.r.e.OauthAuthorityExtractor: Matched group roles: [admin]
+```
diff --git a/oauth2-azure-rbac/values.yaml b/oauth2-azure-rbac/values.yaml
new file mode 100644
index 0000000..2712699
--- /dev/null
+++ b/oauth2-azure-rbac/values.yaml
@@ -0,0 +1,90 @@
+yamlApplicationConfig:
+  logging:
+    level:
+      io.kafbat.ui.service.rbac.extractor: TRACE
+      io.kafbat.ui: TRACE
+
+  auth:
+    type: OAUTH2
+    oauth2:
+      client:
+        azure:
+          clientId: ${CLIENT_ID}
+          clientSecret: ${CLIENT_SECRET}
+          scope: openid
+          client-name: AzureAD
+          provider: azure
+          redirect-uri: "https://${kafbat-ui-fqdn}/login/oauth2/code/azure"
+          authorization-grant-type: authorization_code
+          issuer-uri: "https://login.microsoftonline.com/${Tenant_ID}/v2.0"
+          jwk-set-uri: "https://login.microsoftonline.com/${Tenant_ID}/discovery/v2.0/keys"
+          user-name-attribute: email
+          custom-params:
+            type: oauth
+            roles-field: roles
+
+
+  rbac:
+    roles:
+      - name: admin
+        clusters:
+          - cluster1
+        subjects:
+          - provider: oauth
+            type: role
+            value: admin
+        permissions:
+          - resource: applicationconfig
+            value: ".*"
+            actions: all
+          - resource: clusterconfig
+            value: ".*"
+            actions: all
+          - resource: topic
+            value: ".*"
+            actions: all
+          - resource: consumer
+            value: ".*"
+            actions: all
+          - resource: schema
+            value: ".*"
+            actions: all
+          - resource: connect
+            value: ".*"
+            actions: all
+          - resource: ksql
+            actions: all
+          - resource: acl
+            actions: all
+          - resource: audit
+            actions: all
+      - name: readonly
+        clusters:
+          - cluster1
+        subjects:
+          - provider: oauth
+            type: role
+            value: read
+        permissions:
+          - resource: applicationconfig
+            value: ".*"
+            actions: [ view ]
+          - resource: clusterconfig
+            value: ".*"
+            actions: [ view ]
+          - resource: topic
+            value: ".*"
+            actions: [ view ]
+          - resource: consumer
+            value: ".*"
+            actions: [ view ]
+          - resource: schema
+            value: ".*"
+            actions: [ view ]
+          - resource: connect
+            value: ".*"
+            actions: [ view ]
+          - resource: acl
+            actions: [ view ]
+          - resource: audit
+            actions: [ view ]
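Review bot: The example leaves TRACE enabled for the whole `io.kafbat.ui` package (the `logging.level` entries at the top of the hunk), and the README in this same commit shows that this level writes the principal name and the token's group claims to the log on every login; a snippet users are told to paste into their values.yaml should not ship with that on by default. I would mark it as a debugging aid with a comment above `logging:`, `# Debug only: TRACE logs principal names and token claims on each login; remove or set to INFO once role mapping is verified.`. Separately, the second role is named `readonly` but its subject is `value: read`, and since matching is done against whatever Azure places in the `roles` claim (the README's "Matched group roles" line), a comment such as `# must equal the role value Azure puts in the token's roles claim` on each subject `value:` would spare the next reader a guess. The explicit `jwk-set-uri` next to `issuer-uri` looks redundant if discovery is used, but that may be deliberate.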