From 0caca8f645fea6358ce588f2f590797824776103 Mon Sep 17 00:00:00 2001
From: amalgawa
Date: Tue, 7 Mar 2023 22:22:06 +0530
Subject: [PATCH 1/2] schema linking rbac testing

---
 .../rbac/delta_configs/schema-registry.properties.delta | 6 +++++-
 security/rbac/scripts/enable-rbac-schema-registry.sh | 8 ++++++++
 security/rbac/scripts/init.sh | 2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/security/rbac/delta_configs/schema-registry.properties.delta b/security/rbac/delta_configs/schema-registry.properties.delta
index 1eaa3ba72..a220cdecb 100644
--- a/security/rbac/delta_configs/schema-registry.properties.delta
+++ b/security/rbac/delta_configs/schema-registry.properties.delta
@@ -8,7 +8,7 @@ kafkastore.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBe
 schema.registry.group.id=schema-registry-demo
 
 # These properties install the Schema Registry security plugin, and configure it to use RBAC for authorization and OAuth for authentication
-schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
+schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension,io.confluent.schema.exporter.SchemaExporterResourceExtension
 confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer
 rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
 
@@ -23,5 +23,9 @@ confluent.metadata.http.auth.credentials.provider=BASIC
 public.key.path=/tmp/tokenPublicKey.pem
 
 # This enables anonymous access with a principal of User:ANONYMOUS
+schema.linking.rbac.enable=true
 confluent.schema.registry.anonymous.principal=true
 authentication.skip.paths=/*
+kafkastore.update.handlers=io.confluent.schema.exporter.storage.SchemaExporterUpdateHandler
+password.encoder.secret=mysecret
+
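Review bot: `password.encoder.secret=mysecret` commits a hard-coded, trivially guessable secret into the delta config; this value presumably protects whatever credentials the schema exporter persists to the `_exporter_configs` topic, so a demo that is copied into a real environment ships with a known key. Generate it per run (init.sh already creates the token keypair under /tmp and could emit this alongside it) or at least mark it as a placeholder with a comment such as `# DEMO ONLY: replace with a strong per-environment secret; it protects exporter credentials at rest`. Separately, `schema.linking.rbac.enable=true` is inserted between the comment `# This enables anonymous access with a principal of User:ANONYMOUS` and the `confluent.schema.registry.anonymous.principal=true` line it describes; move it above the comment, next to the other exporter settings, so the anonymous-access comment stays attached to its setting.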
diff --git a/security/rbac/scripts/enable-rbac-schema-registry.sh b/security/rbac/scripts/enable-rbac-schema-registry.sh
index e021bf952..2a57dfd86 100755
--- a/security/rbac/scripts/enable-rbac-schema-registry.sh
+++ b/security/rbac/scripts/enable-rbac-schema-registry.sh
@@ -42,10 +42,18 @@ login_mds $MDS
 # Get the Kafka cluster id
 get_cluster_id_kafka
 
+
+
 echo -e "\n# Grant principal User:$USER_ADMIN_SCHEMA_REGISTRY the ResourceOwner role to Topic:_schemas"
 echo "confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_schemas --kafka-cluster-id $KAFKA_CLUSTER_ID"
 confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_schemas --kafka-cluster-id $KAFKA_CLUSTER_ID
 
+echo -e "\n# Grant principal User:$USER_ADMIN_SCHEMA_REGISTRY the ResourceOwner role to Topic:_schemas"
+echo "confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_exporter_configs --kafka-cluster-id $KAFKA_CLUSTER_ID"
+confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_exporter_configs --kafka-cluster-id $KAFKA_CLUSTER_ID
+echo "$KAFKA_CLUSTER_ID"
+confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_exporter_states --kafka-cluster-id $KAFKA_CLUSTER_ID
+
 echo -e "\n# Grant principal User:$USER_ADMIN_SCHEMA_REGISTRY the ResourceOwner role to Group:schema-registry-demo"
 echo "confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Group:schema-registry-demo --kafka-cluster-id $KAFKA_CLUSTER_ID"
 confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Group:schema-registry-demo --kafka-cluster-id $KAFKA_CLUSTER_ID
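Review bot: The added banner `echo -e "\n# Grant principal ... the ResourceOwner role to Topic:_schemas"` is a copy-paste of the previous block and announces the wrong resource — the command under it binds `Topic:_exporter_configs` — so the operator log misreports which grant is being made. The bare `echo "$KAFKA_CLUSTER_ID"` looks like leftover debugging output, and the `Topic:_exporter_states` binding has neither the banner nor the echoed command that every other grant in this script gets, so it runs silently. Fix the banner text, drop the debug echo, and give the `_exporter_states` grant the same three-line pattern as its siblings. The script continues outside this hunk.
```shell
echo -e "\n# Grant principal User:$USER_ADMIN_SCHEMA_REGISTRY the ResourceOwner role to Topic:_exporter_configs"
echo "confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_exporter_configs --kafka-cluster-id $KAFKA_CLUSTER_ID"
confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_exporter_configs --kafka-cluster-id $KAFKA_CLUSTER_ID

echo -e "\n# Grant principal User:$USER_ADMIN_SCHEMA_REGISTRY the ResourceOwner role to Topic:_exporter_states"
echo "confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_exporter_states --kafka-cluster-id $KAFKA_CLUSTER_ID"
confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_exporter_states --kafka-cluster-id $KAFKA_CLUSTER_ID
# … unchanged: Group:schema-registry-demo binding …
```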
diff --git a/security/rbac/scripts/init.sh b/security/rbac/scripts/init.sh
index 1c306ff88..688d9acc0 100755
--- a/security/rbac/scripts/init.sh
+++ b/security/rbac/scripts/init.sh
@@ -15,7 +15,7 @@ check_jq || exit 1
 mkdir -p /tmp/original_configs
 mkdir -p /tmp/rbac_configs
 
-./create_login_properties.py
+python3 create_login_properties.py
 
 # Generate keys
 openssl genrsa -out /tmp/tokenKeypair.pem 2048

From ac96726b02993806376f33ee1650da94051feaa8 Mon Sep 17 00:00:00 2001
From: amalgawa
Date: Thu, 9 Mar 2023 15:57:12 +0530
Subject: [PATCH 2/2] added one more permission for 7.4

---
 security/rbac/scripts/enable-rbac-schema-registry.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/rbac/scripts/enable-rbac-schema-registry.sh b/security/rbac/scripts/enable-rbac-schema-registry.sh
index 2a57dfd86..00e91d58d 100755
--- a/security/rbac/scripts/enable-rbac-schema-registry.sh
+++ b/security/rbac/scripts/enable-rbac-schema-registry.sh
@@ -54,6 +54,9 @@ confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGIS
 echo "$KAFKA_CLUSTER_ID"
 confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_exporter_states --kafka-cluster-id $KAFKA_CLUSTER_ID
 
+# ONLY NEEDED FOR 7.4.0
+confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_schema_encoders --kafka-cluster-id $KAFKA_CLUSTER_ID
+
 echo -e "\n# Grant principal User:$USER_ADMIN_SCHEMA_REGISTRY the ResourceOwner role to Group:schema-registry-demo"
 echo "confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Group:schema-registry-demo --kafka-cluster-id $KAFKA_CLUSTER_ID"
 confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Group:schema-registry-demo --kafka-cluster-id $KAFKA_CLUSTER_ID
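Review bot: The new `python3 create_login_properties.py` line ignores the script's exit status, while the `check_jq || exit 1` a few lines up shows this file guards its prerequisites explicitly; if the login-properties generation fails (python3 missing, script error), init.sh presumably carries on to generate keys and the later RBAC steps run against missing credentials. Make it `python3 create_login_properties.py || exit 1`, unless the script already runs under `set -e` (not visible in this hunk). The rest of init.sh is outside the hunk.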
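Review bot: The comment `# ONLY NEEDED FOR 7.4.0` contradicts the code under it, which grants ResourceOwner on `Topic:_schema_encoders` unconditionally — on other versions this silently creates a binding for a topic the platform may not use, and a reader cannot tell whether that is intended. Either gate it on the detected version or reword the comment so it states the facts, e.g. `# Topic:_schema_encoders exists from CP 7.4.0; the binding is harmless but unused on earlier versions`. This grant also breaks the script's convention of a banner plus an echoed command before every `confluent iam rbac role-binding create`, so it runs without any operator-visible output; add the `echo -e "\n# Grant principal ... to Topic:_schema_encoders"` banner like its siblings. The enclosing script continues outside this hunk.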