GITBOOK-48: Add some misc config props

SUMMARY.md

@@ -21,7 +21,7 @@
   * [Without Docker](development/building/without-docker.md)
 * [WIP: Testing](development/wip-testing.md)
 
-## 👷♂ 👷♂ 👷♂ Configuration
+## 👷♂ Configuration
 
 * [Quick Start](configuration/quick-start/README.md)
   * [via AWS Marketplace](configuration/quick-start/via-aws-marketplace.md)

configuration/authentication/oauth2.md

@@ -1,6 +1,32 @@
+---
+description: Examples of setups for different OAuth providers
+---
+
 # OAuth2
 
-## Examples to set up different oauth providers
+In general, the structure of the config looks like this:
+
+For specific providers (like github (non-enterprise) and google, see further) you don't have to specify URLs as they're [well-known](https://github.com/spring-projects/spring-security/blob/main/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java#L35).
+
+```
+auth:
+  type: OAUTH2
+  oauth2:
+    client:
+      <unique_name>:
+        clientId: xxx
+        clientSecret: yyy
+        scope: openid
+        client-name: cognito # will be displayed on the login page
+        provider: <provider>
+        redirect-uri: http://localhost:8080/login/oauth2/code/<provider>
+        authorization-grant-type: authorization_code
+        issuer-uri: https://xxx
+        jwk-set-uri: https://yyy/.well-known/jwks.json
+        user-name-attribute: <zzz>
+        custom-params:
+          type: <provider_type> # fill this if you're gonna use RBAC AND the type is one of the supported RBAC providers
+```
 
 ### Cognito
 
@@ -28,7 +54,7 @@ auth:
         user-name-attribute: cognito:username
         custom-params:
           type: cognito
-          logoutUrl: https://<XXX>>.eu-central-1.amazoncognito.com/logout
+          logoutUrl: https://<XXX>>.eu-central-1.amazoncognito.com/logout #required just for cognito
 ```
 
 ### Google
@@ -51,8 +77,7 @@ auth:
         user-name-attribute: email
         custom-params:
           type: google
-          allowedDomain: provectus.com
-
+          allowedDomain: provectus.com # for RBAC
 ```
 
 ### GitHub
@@ -78,8 +103,7 @@ auth:
         provider: github
         clientId: xxx
         clientSecret: yyy
-        scope:
-          - read:org
+        scope: read:org
         user-name-attribute: login
         custom-params:
           type: github
@@ -87,6 +111,8 @@ auth:
 
 #### Self-hosted/Cloud (GitHub Enterprise Server)
 
+Replace `HOSTNAME` by your self-hosted platform FQDN.
+
 ```yaml
 kafka:
   clusters:
@@ -102,14 +128,33 @@ auth:
         provider: github
         clientId: xxx
         clientSecret: yyy
-        scope:
-          - read:org
+        scope: read:org
         user-name-attribute: login
-        custom-params:
-          type: github
         authorization-uri: http(s)://HOSTNAME/login/oauth/authorize
         token-uri: http(s)://HOSTNAME/login/oauth/access_token
         user-info-uri: http(s)://HOSTNAME/api/v3/user
+        custom-params:
+          type: github      
 ```
 
-Replace `HOSTNAME` by your self-hosted platform FQDN.
+### Okta
+
+```yaml
+auth:
+  type: OAUTH2
+  oauth2:
+    client:
+      okta:
+        clientId: xxx
+        clientSecret: yyy
+        scope: [ 'openid', 'profile', 'email' ] # default for okta
+        client-name: Okta
+        provider: okta
+        redirect-uri: http://localhost:8080/login/oauth2/code/okta
+        authorization-grant-type: authorization_code
+        issuer-uri: https://xxx
+        jwk-set-uri: https://yyy/.well-known/jwks.json
+        user-name-attribute: sub # default for okta
+        custom-params:
+          type: <provider_type> # fill this if you're gonna use RBAC AND the type is one of the supported RBAC providers
+```

configuration/misc-configuration-properties.md

@@ -59,4 +59,7 @@ kafka:
 | `TOPIC_RECREATE_DELAY_SECONDS`                        | Time delay between topic deletion and topic creation attempts for topic recreate functionality. Default: 1                                                       |
 | `TOPIC_RECREATE_MAXRETRIES`                           | Number of attempts of topic creation after topic deletion for topic recreate functionality. Default: 15                                                          |
 | `DYNAMIC_CONFIG_ENABLED`                              | Allow to change application config in runtime. Default: false.                                                                                                   |
-| kafka\_clusters\_internalTopicPrefix                  | Set a prefix for internal topics. Defaults to "\_".                                                                                                              |
+| kafka\_internalTopicPrefix                            | Set a prefix for internal topics. Defaults to "\_".                                                                                                              |
+| kafka.polling.pollTimeoutMs                           | Messages: Used as kafka consumer poll time (default is 1000). Useful if your message viewing fails with a slow broker                                            |
+| kafka.polling.partitionPollTimeout                    | Messages: Used as consumer poll time when polling one specific partition (used for newest first mode). The default is 200. Will increase result generation time. |
+| kafka.polling.noDataEmptyPolls                        | Messages: It's a count of subsequent empty polls after that we assume that no more data is left in the topic/partition. The default is 3.                        |

configuration/rbac-role-based-access-control/README.md

@@ -36,7 +36,7 @@ Alternatively, you can append the roles file contents to your main config file.
 
 #### Clusters
 
-In the roles file we define roles, duh. Every each role has an access to defined clusters:
+In the roles file we define roles, duh. Every each role has access to defined clusters:
 
 ```
 rbac:
@@ -51,7 +51,7 @@ rbac:
 
 #### Subjects
 
-A role also has a list of _subjects_ which are the entities we will use to assign roles to. They are provider-dependant, in general they can be users, groups or some other entities (github orgs, google domains, LDAP queries, etc.) In this example we define a role `memelords` which will contain all the users within Google domain `memelord.lol` and, additionally, a GitHub user `Haarolean`. You can combine as many subjects as you want within a role.
+A role also has a list of _subjects_ which are the entities we will use to assign roles to. They are provider-dependant, in general, they can be users, groups, or some other entities (github orgs, google domains, LDAP queries, etc.) In this example we define a role `memelords` that will contain all the users within the Google domain `memelord.lol` and, additionally, a GitHub user `Haarolean`. You can combine as many subjects as you want within a role.
 
 ```
     - name: "memelords"
@@ -80,7 +80,7 @@ Find the more detailed examples in a full example file lower.
 
 The next thing which is present in your roles file is, surprisingly, permissions. They consist of:
 
-1. Resource Can be one of the: `CLUSTERCONFIG`, `TOPIC`, `CONSUMER`, `SCHEMA`, `CONNECT`, `KSQL`.
+1. Resource Can be one of the: `CLUSTERCONFIG`, `TOPIC`, `CONSUMER`, `SCHEMA`, `CONNECT`, `KSQL`, `ACL`.
 2. The resource value is either a fixed string or a regular expression identifying a resource. Value is not applicable to `clusterconfig` and `ksql` resources. Please do not fill it out.
 3. Actions It's a list of actions (the possible values depend on the resource, see the lists below) that will be applied to the certain permission. Also, note, there's a special action for any of the resources called "all", it will virtually grant all the actions within the corresponding resource. An example for enabling viewing and creating topics whose name start with "derp":
 
@@ -95,12 +95,14 @@ The next thing which is present in your roles file is, surprisingly, permissions
 
 A list of all the actions for the corresponding resources (please note neither resource nor action names are case-sensitive):
 
+* `applicationconfig`: `view`, `edit`
 * `clusterconfig`: `view`, `edit`
 * `topic`: `view`, `create`, `edit`, `delete`, `messages_read`, `messages_produce`, `messages_delete`
 * `consumer`: `view`, `delete`, `reset_offsets`
 * `schema`: `view`, `create`, `delete`, `edit`, `modify_global_compatibility`
 * `connect`: `view`, `edit`, `create`
 * `ksql`: `execute`
+* `acl`: `view`, `edit`
 
 ## Example file
 
@@ -146,14 +148,18 @@ rbac:
           value: "cn=germanosin,dc=planetexpress,dc=com"
 
       permissions:
+        - resource: applicationconfig
+          # value not applicable for applicationconfig
+          actions: [ "view", "edit" ] # can be with or without quotes
+      
         - resource: clusterconfig
           # value not applicable for clusterconfig
-          actions: [ "view", "edit" ] # can be with or without quotes
+          actions: [ "view", "edit" ] 
 
         - resource: topic
           value: "ololo.*"
           actions: # can be a multiline list
-            - VIEW # can be upper or lower case
+            - VIEW # can be upper or lowercase
             - CREATE
             - EDIT
             - DELETE
@@ -182,6 +188,10 @@ rbac:
           # value not applicable for ksql
           actions: [ execute ]
 
+        - resource: acl
+          # value not applicable for acl
+          actions: [ view, edit ]
+
 ```
 
 **A read-only setup:**
@@ -216,6 +226,9 @@ rbac:
           value: ".*"
           actions: [ view ]
 
+        - resource: acl
+          actions: [ view ]
+
 ```
 
 **An admin-group setup example:**
@@ -229,6 +242,9 @@ rbac:
       subjects:
         # FILL THIS
       permissions:
+        - resource: applicationconfig
+          actions: all
+      
         - resource: clusterconfig
           actions: all
 
@@ -250,5 +266,8 @@ rbac:
 
         - resource: ksql
           actions: all
+          
+        - resource: acl
+          actions: [ view ]
 
 ```