Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Console over-restrains allowed role names #1469

Open
JFlath opened this issue Oct 4, 2024 · 6 comments
Open

Console over-restrains allowed role names #1469

JFlath opened this issue Oct 4, 2024 · 6 comments

Comments

@JFlath
Copy link
Contributor

JFlath commented Oct 4, 2024

In Console we apply this filter:

console/proto/redpanda/api/console/v1alpha1/security.proto

Line 80 in c99b26e

(buf.validate.field).string.pattern = "^[a-zA-Z0-9-_]+$"

However Redpanda itself isn't so strict:

https://github.com/redpanda-data/redpanda/blob/dev/src/v/redpanda/admin/security.cc#L293
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L362
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L193
vvv
https://github.com/redpanda-data/redpanda/blob/0c0a3db581140bb2b8e0d6624cb4eabb697449d7/src/v/security/scram_algorithm.cc#L34-L45

Redpanda's implementation seems inkeeping with others. Notably, Console doesn't allow . in a Role
@JFlath
Copy link
Contributor Author

JFlath commented Oct 4, 2024

N.B. The line referenced is one example, but the same applies for all requests in that file (and possibly more broadly)

@weeco
Copy link
Contributor

weeco commented Oct 4, 2024

I think we had discussions about constraining the character set for roles to the same rules that apply to topics. Reason being things such as:

  • More complex characters usually not needed / desired
  • URL encoding (in Console and Admin API)
  • We'd need to ensure we can display all allowed characters and length accordingly
  • We may want to be a bit opinionated to establish some convention on the naming
  • We can always become less strict but not the other way round, hence we started with this character set

Is there a specific reason to relax the requirements?

@JFlath
Copy link
Contributor Author

JFlath commented Oct 4, 2024

So at the moment you can use rpk to create a role called my.team - Console will then fail to work with that correctly even though it's a real role that exists within Redpanda. I agree with the points raised, but the convention/standard has already been defined by what we allow in Redpanda itself

@weeco
Copy link
Contributor

weeco commented Oct 4, 2024

The API is cloud exclusive and RPK uses that API as well. In RP Cloud no one can create a role with a different convention because everything has to go through console

@JFlath
Copy link
Contributor Author

JFlath commented Oct 4, 2024

We may be talking cross purposes here, not sure - rpk security role create my.team uses Redpanda's Admin API directly (/v1/security/roles) and is available on Self Hosted clusters. I do see this in the code though that seems to suggest we permanently gate this?

https://github.com/redpanda-data/console/blob/master/frontend/src/state/supportedFeatures.ts#L54-L56

@burandobata
Copy link

I think we had discussions about constraining the character set for roles to the same rules that apply to topics. Reason being things such as:

Currently with console you can also create a topic containing . like test.example, but you can't create role like that. So this is not consistent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@JFlath @weeco @burandobata