provectus/kafka-ui

[RBAC] Deny access to user with no permissions

Open

#2946 opened on Nov 16, 2022

View on GitHub
 (8 comments) (1 reaction) (0 assignees)Java (7,799 stars) (977 forks)batch import
area/rbacgood first issuescope/frontendstatus/acceptedtype/enhancement

Description

Might be taken into work after the #753

Which version of the app are you running?

5900f8e

Is your proposal related to a problem?

User, that can pass the authentication, gets to the page with no clusters on it. Which is a bit strange.

Describe the solution you'd like

User with no permissions on any cluster, should be declined access instead.

Describe alternatives you've considered

Separate page with "No permissions provided for the user! Contact your administrator for support" message

Additional context

Contributor guide

Tech stack
javaspringreact
Domain
authenticationauthorizationfull stack
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Knowledge of RBAC conceptsFamiliarity with Spring Security
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
First, investigate the existing RBAC implementation in the codebase, particularly how permissions are checked after authentication. The commit 5900f8e may be relevant. Also, review issue #753 to understand the current state of RBAC. The desired behavior is to deny access to users with no permissions. Look at the frontend routing and backend controllers to implement a check that redirects or returns a 403 error.