Authentication via Gitlab doesn't match with allowed-roles

[eanikindfi]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running master-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

We deploy Kafka UI with helm-chart (0.7.6) and try to make Gitlab (self-hosted) integration for oauth.
We've managed to make it, but authorization doesn't work exactly how we want to.
We are trying to use allowed-roles option in Kafka Ui config, but it does nothing pretty much — any user who has access to valid gitlab account can actually access Kafka UI now.

Note: probably not a bug but misconfigured Kafka UI <> Gitlab integration.

Expected behavior

We have some groups in our Gitlab and when we use allowed-roles option we expect it to filter some of them and reject accesses. For example:
We have gitlab group — my-org/acl/kafka-ui/my-app/dev
In Kafka UI we have parameter:

allowed-roles:
  - my-org/acl/kafka-ui/my-app/dev

If a user has membership in this gitlab group they will have an access to Kafka UI. Otherwise they will not.
But now every gitlab user has an access — membership has no control over it.

Your installation details

helm-chart version = 0.7.6
image version = docker.io/provectuslabs/kafka-ui:v0.7.2

In values we use this block:

yamlApplicationConfig:
  auth:
    type: OAUTH2
    oauth2:
      client:
        gitlab:
          clientId: my_id
          clientSecret: my_secret
          client-name: GitLab
          client-authentication-method: client_secret_post
          authorization-grant-type: authorization_code
          authorization-uri: https://my-gitlab.com/oauth/authorize
          issuer-uri: https://my-gitlab.com
          jwk-set-uri: https://my-gitlab.com/oauth/discovery/keys
          user-name-attribute: name
          provider: oauth
          redirect-uri: https://my-kafka.net/login/oauth2/code/gitlab
          scope: openid
          token-uri: https://my-gitlab.com/oauth/token
          custom-params:
            type: oauth
            roles-field: groups
            allowed-roles:
              - my-org/acl/kafka-ui/my-app/dev

Steps to reproduce

For clientId we create a gitlab application with this scope:

• openid
• profile
• email

Screenshots

No response

Logs

No response

Additional context

No response

[github-actions]

Hello there eanikindfi! 👋

Thank you and congratulations 🎉 for opening your very first issue in this project! 💖

In case you want to claim this issue, please comment down below! We will try to get back to you as soon as we can. 👀

[Haarolean]

#4255 -> https://github.com/kafbat/kafka-ui

[eanikindfi]

@Haarolean Oh man, didn't see the news.
So I guess we should try kafbat helm-chart then?

Do you have a quick suggestion for this issue? If we just implement same config in kafbat should it work as expected with Gitlab?

[Haarolean]

@Haarolean Oh man, didn't see the news. So I guess we should try kafbat helm-chart then?

Do you have a quick suggestion for this issue? If we just implement same config in kafbat should it work as expected with Gitlab?

So I guess we should try kafbat helm-chart then?

yeah, we neither maintain nor support this repo.

work as expected with Gitlab?

Idk where you got that allowed-roles field in your custom params, it doesn't exist. To limit roles, you could use RBAC with gitlab as your OIDC provider, docs here.

[eanikindfi]

@Haarolean Thank you for your answer!
So we have migrated to the kafbat and have found the appropriate configuration for us.
More in-depth info here in feature request.