Enabling RBAC check for ACL

2023-05-11 16:35:58 +04:00 · 2023-05-11 16:35:58 +04:00 · 7b33fbf7eb
commit 7b33fbf7eb
parent e7429ce6c6
1 changed files with 19 additions and 1 deletions
--- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/service/rbac/AccessControlService.java
+++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/service/rbac/AccessControlService.java
@ -108,7 +108,8 @@ public class AccessControlService {
                  && isConnectAccessible(context, user)
                  && isConnectorAccessible(context, user) // TODO connector selectors
                  && isSchemaAccessible(context, user)
-                  && isKsqlAccessible(context, user);
+                  && isKsqlAccessible(context, user)
+                  && isAclAccessible(context, user);

          if (!accessGranted) {
            throw new AccessDeniedException("Access denied");
@ -364,6 +365,23 @@ public class AccessControlService {
    return isAccessible(Resource.KSQL, null, user, context, requiredActions);
  }

+  private boolean isAclAccessible(AccessContext context, AuthenticatedUser user) {
+    if (!rbacEnabled) {
+      return true;
+    }
+
+    if (context.getAclActions().isEmpty()) {
+      return true;
+    }
+
+    Set<String> requiredActions = context.getAclActions()
+        .stream()
+        .map(a -> a.toString().toUpperCase())
+        .collect(Collectors.toSet());
+
+    return isAccessible(Resource.ACL, null, user, context, requiredActions);
+  }
+
  public Set<ProviderAuthorityExtractor> getOauthExtractors() {
    return oauthExtractors;
  }