RBAC - Prefixed's bindings are too permissives

Question

RBAC - Prefixed's bindings are too permissives

damien-malescot opened this issue 2 years ago · 2 comments

Describe the bug
When we configure topology.acls.optimized=true RBAC bindings are set in mode PREFIXED like this : context.source.projectName*

In some contexts, bindings can be too permissive, for example if with have 2 projects with the same starting name :

context.source.foo bindings will be context.source.foo*
context.source.foobar bindings will be context.source.foobar*

In this example, consumer's in first project (context.source.foo) can read topics in the seconds (context.source.foobar)

To Reproduce
Create 2 topologies with a same project's starting name.
Apply topology

Expected behavior
Authorizations of each projects are separated

Additional context
Quick correction could be to add a dot at the end of bindings :

context.source.foo bindings will be context.source.foo.*
context.source.foobar bindings will be context.source.foobar.*

Answer 1 · 2022-07-31T11:44:43.000Z

This makes complete sense @damien-malescot, thanks a lot for your issue. This should be now fixed with the introduction of #515, this will be released in the next release. Thanks again for your contribution.

Answer 2 · 2022-07-31T11:52:51.000Z

This makes complete sense @damien-malescot, thanks a lot for your issue. This should be now fixed with the introduction of #515, this will be released in the next release. Thanks again for your contribution.

Thanks, you are very reactive 😉