confluentinc/kafka-rest

Kafka Rest Proxy basic auth 403 !role

rpbeckoh opened this issue · 4 comments

Have configured confluentinc/cp-kafka-rest:5.5.9-1-ubi8 in EKS and all is working. However, when enabling BASIC auth we keep getting back 403 errors.

```
"servlet":"default",
"message":"!role",
"url":"/topics",
"status":"403"
```

Env vars

```yaml
- name: KAFKA_REST_AUTHENTICATION_METHOD
  value: "BASIC"
- name: KAFKA_REST_AUTHENTICATION_REALM
  value: "KafkaRest"
- name: KAFKA_REST_AUTHENTICATION_ROLES
  value: "*"
- name: KAFKAREST_OPTS
  value: "-Djava.security.auth.login.config=/etc/kafka-rest-interface/jass-config/configuration.jaas"
```

JAAS ConfigMap

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kafka-rest-interface-jaas-configuration
data:
  configuration.jaas: |+
    KafkaRest {
      org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
      debug="true"
      file="/etc/kafka-rest-interface/password.properties";
    };
```

The user is being picked up, because if the password is wrong we get a 401. It is the community edition, so no Principal Propagation, and there should be no RBAC restrictions from the cluster side.

Confused as to what is missing; any help would be appreciated.

After my testing:

The value of KAFKA_REST_AUTHENTICATION_ROLES must be the same as the value of the role in password.properties, like this:

```
KAFKA_REST_AUTHENTICATION_ROLES: admin
```

In the password.properties file:

```
username: passwd,admin
```

Hi,

I am also trying the same setup. I mounted the password.properties file with a username, password and role, but it's giving a 401 error.
I need to understand how to create this username and password in REST?

It's fixed now.

I got the same error when I enabled BASIC Auth and set authentication.roles=*, but after I changed * to admin the problem disappeared. However, the Kafka REST Proxy doc says this configuration tells which user roles are allowed to authenticate with REST Proxy through HTTP Basic Authentication. Is this a docs issue?

```
[appuser@kafka-schema-registry-559447d94b-2cj46 ~]$ curl -v -X POST --insecure \
>      -u krp_superuser:q6Zm \
>      -H "Content-Type: application/vnd.kafka.json.v2+json" \
>      -H "Accept: application/vnd.kafka.v2+json" \
>      --data '{"records":[{"key":"jsmith","value":"alarm clock"},{"key":"htanaka","value":"batteries"},{"key":"awalther","value":"bookshelves"}]}' \
>      "https://kafka-rest-proxy.kafka.svc.cluster.local:8080/topics/purchases"
...
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 403
< cache-control: must-revalidate,no-cache,no-store
< content-length: 0
<
* Connection #0 to host kafka-rest-proxy.kafka.svc.cluster.local left intact
```
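As an added example (not code from kafka-rest or from anyone in this thread), a small pre-deployment check of the pairing the second comment describes and the last comment confirms: it parses a password.properties file in the PropertyFileLoginModule format, applies the literal role match the reporters observed (no wildcard for `*`), and reports which users would get 401 or 403. The sample file, user names and passwords are constructed; the `expected_status` and `users_without_role` helpers are this example's own.

```python
"""Check password.properties against KAFKA_REST_AUTHENTICATION_ROLES.

Constructed example, not part of kafka-rest. It models the outcomes reported
in the thread: unknown user or wrong password -> 401; authenticated user whose
roles do not literally contain a configured role -> 403 ("!role").
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the "username: password[,role,...]" format that
# Jetty's PropertyFileLoginModule reads (the format the second comment shows).
SAMPLE_PASSWORD_PROPERTIES = """\
# comments and blank lines are ignored
alice: alice-pw,admin
bob: bob-pw,readonly,admin
carol: carol-pw
"""

UserTable = Dict[str, Tuple[str, Set[str]]]


def parse_password_properties(text: str) -> UserTable:
    """Map each user to (password, roles). Plaintext passwords only; Jetty's
    OBF:/MD5:/CRYPT: encoded forms are deliberately not handled here."""
    users: UserTable = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*[:=]\s*", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {line!r}")
        user, rest = parts
        password, *roles = [part.strip() for part in rest.split(",")]
        users[user] = (password, {r for r in roles if r})
    return users


def parse_roles(env_value: str) -> Set[str]:
    """Split KAFKA_REST_AUTHENTICATION_ROLES (comma separated) into a set."""
    return {r.strip() for r in env_value.split(",") if r.strip()}


def expected_status(users: UserTable, configured: Set[str], user: str, password: str) -> int:
    """HTTP status the proxy would answer with for these credentials."""
    entry = users.get(user)
    if entry is None or entry[0] != password:
        return 401  # authentication failed
    # Literal comparison, as observed in the thread: "*" is not a wildcard.
    return 200 if entry[1] & configured else 403


def users_without_role(users: UserTable, configured: Set[str]) -> List[str]:
    """Users who would authenticate and then be rejected with 403 (!role)."""
    return sorted(u for u, (_, roles) in users.items() if not roles & configured)
```

Run `users_without_role(parse_password_properties(open("password.properties").read()), parse_roles(os.environ["KAFKA_REST_AUTHENTICATION_ROLES"]))` against the real file before rolling the ConfigMap out; an empty list means every configured user has a matching role.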