@joshuaNathaniel joshuaNathaniel commented Nov 29, 2025

What changes did you make? (Give an overview)

Fixes #614
This PR implements connector-level permissions for Kafka Connect, addressing issue #614. The implementation adds granular permission control at the individual connector level while maintaining backwards compatibility with existing CONNECT-level permissions.

Key changes:

  • Added ActionDropdownItemWithFallback component to support hierarchical permission checking (tries connector-level first, falls back to connect-level)
  • Updated all Kafka Connect UI components to use the new hierarchical permission model
  • Added comprehensive integration tests for connector-level permissions
  • Upgraded Testcontainers to 2.0.2 for Docker Engine 29+ compatibility

The permission hierarchy works as follows:

  • CONNECTOR resource with value connect-name/connector-name for specific connector access
  • Falls back to CONNECT resource with value connect-name for cluster-wide access
  • This ensures backwards compatibility - existing CONNECT permissions continue to work

Is there anything you'd like reviewers to focus on?

Please review the permission fallback logic in ActionDropdownItemWithFallback.tsx to ensure it properly handles the hierarchical permission model without violating React hooks rules.

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • Unit checks
  • Integration checks

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)
🦫

@joshuaNathaniel joshuaNathaniel requested review from a team as code owners November 29, 2025 06:26
@kapybro kapybro bot added status/triage Issues pending maintainers triage status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Nov 29, 2025
@joshuaNathaniel joshuaNathaniel force-pushed the issues/614 branch 3 times, most recently from 922d1e4 to 01a0709 Compare November 29, 2025 15:10
Implements granular permission control at the individual connector level,
allowing administrators to grant permissions for specific connectors
rather than entire Kafka Connect instances.

Changes:
- Add CONNECTOR resource type and ConnectorAction enum for granular permissions
- Implement hierarchical permission checking (connector-level takes precedence)
- Update frontend to check connector permissions with connect-level fallback
- Add comprehensive tests for connector permission scenarios
- Upgrade Testcontainers to 2.0.2 for Docker Engine 29 compatibility

Features:
- Permission format: `connect-name/connector-name` for specific connectors
- Wildcard patterns supported (e.g., `.*-connect/prod-.*`)
- Backwards compatible with existing CONNECT permissions
- Action hierarchy maintained (EDIT includes VIEW permission)
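
The permission model from the PR description and commit message, worked through as an added example (not code from this PR or from the project). The type and function names, the whole-value regex matching, and the refusal of names containing `/` are assumptions made for the illustration.

```typescript
// Added illustration: types and function names are hypothetical, not the project's.
type Resource = "CONNECT" | "CONNECTOR";
type Action = "VIEW" | "EDIT";

interface Permission {
  resource: Resource;
  value: string; // regex, matched against the whole resource value (assumption)
  actions: Action[];
}

// Action hierarchy from the commit message: EDIT includes VIEW.
const IMPLIES: Record<Action, Action[]> = { VIEW: [], EDIT: ["VIEW"] };

function grants(p: Permission, action: Action): boolean {
  return p.actions.some((a) => a === action || IMPLIES[a].indexOf(action) !== -1);
}

// Anchor the pattern so it must cover the entire value, not a substring of it.
function fullMatch(pattern: string, value: string): boolean {
  return new RegExp(`^(?:${pattern})$`).test(value);
}

function canAccess(
  perms: Permission[], connect: string, connector: string, action: Action,
): boolean {
  // Assumption: names containing "/" are refused, so the joined path splits one way only.
  if (connect.indexOf("/") !== -1 || connector.indexOf("/") !== -1) return false;
  const path = `${connect}/${connector}`;
  const connectorLevel = perms.some(
    (p) => p.resource === "CONNECTOR" && grants(p, action) && fullMatch(p.value, path),
  );
  if (connectorLevel) return true;
  // Fallback: a CONNECT grant covers every connector on that Connect instance.
  return perms.some(
    (p) => p.resource === "CONNECT" && grants(p, action) && fullMatch(p.value, connect),
  );
}

// Constructed sample role, using the wildcard pattern from the commit message.
const ROLE: Permission[] = [
  { resource: "CONNECTOR", value: ".*-connect/prod-.*", actions: ["EDIT"] },
  { resource: "CONNECT", value: "dev-connect", actions: ["VIEW"] },
];
```

With this role, the CONNECT-level VIEW on `dev-connect` does not turn into EDIT through the fallback, and a connector named `x-connect/prod-y` on a Connect instance `eu` is refused even though the joined string would satisfy the wildcard pattern.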

@Haarolean Haarolean left a comment

  1. let's address the backward compatibility issues first before reviewing any further
  2. please refrain from editing the description / using force push to remove the AI tools attributions.

@Haarolean Haarolean requested a review from germanosin December 5, 2025 10:41
@Haarolean Haarolean added type/enhancement En enhancement/improvement to an already existing feature scope/backend Related to backend changes area/rbac Related to Role Based Access Control feature and removed status/triage/manual Manual triage in progress labels Dec 5, 2025

public static final Set<ConnectorAction> ALTER_ACTIONS = Set.of(CREATE, EDIT, DELETE, OPERATE, RESET_OFFSETS);

public static final Map<String, PermissibleAction> ALIASES = Map.of(
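
Review bot: ALTER_ACTIONS includes CREATE, but a CONNECTOR permission is keyed on connect-name/connector-name and the connector does not exist yet when CREATE is checked. Please document, and cover with a test, that CREATE is evaluated against the requested connector name, so that a pattern grant limits which names a role may create.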

The original idea behind Aliases was to provide backward compatibility, I'm sure we don't need it here

.connectorActions(connectorResource, actions)
.build();

return isAccessible(connectorContext)
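
Review bot: at `return isAccessible(connectorContext)` the rest of the expression is not visible, so the fallback to the CONNECT-level check cannot be verified from this snippet. Whatever follows needs an explicit mapping from the requested connector action to the CONNECT action it falls back to, plus tests that a role holding only CONNECT-level VIEW is denied a connector EDIT through the fallback and that a CONNECTOR grant on one connector does not open a sibling connector.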

I think this logic should be within context, let's keep service clear

String connectorName,
ServerWebExchange exchange) {

String connectorResource = ConnectorAction.buildResourcePath(connectName, connectorName);
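
Review bot: ConnectorAction.buildResourcePath(connectName, connectorName) folds two request-supplied names into one string that is then matched against role patterns. If either name can contain "/", different name pairs produce the same path and a pattern such as `.*-connect/prod-.*` can match across the boundary between the two names. Reject or escape the separator inside buildResourcePath, or match the connect and connector components separately.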

I would prefer to see it somewhere closer to the check, on API level we should just put connect and connector as a part of the context

@germanosin

@joshuaNathaniel thanks for the contribution and sponsorship. If you are interested in moving this faster, please let us know.


Development

Successfully merging this pull request may close these issues.

Support Kafka Connect permissions at connector level
