3 | 3 | :page-categories: Management, Security |
4 | 4 | // tag::single-source[] |
5 | 5 |
|
| 6 | +ifdef::env-cloud[:gbac-doc: security:authorization/gbac.adoc] |
| 7 | +ifndef::env-cloud[:gbac-doc: manage:security/authorization/gbac.adoc] |
| 8 | + |
6 | 9 | ifndef::env-cloud[] |
7 | 10 | [NOTE] |
8 | 11 | ==== |
@@ -80,6 +83,59 @@ This scenario shows the message resulting from an admin using rpk with successfu |
80 | 83 | ---- |
81 | 84 | ==== |
82 | 85 |
|
| 86 | +.Authentication successful (OIDC with group claims) |
| 87 | +[%collapsible] |
| 88 | +==== |
| 89 | +This scenario shows a successful OIDC authentication event that includes the user's IdP group memberships in the `user.groups` field. Group memberships are extracted from the OIDC token and included in all authentication events for OIDC users. |
| 90 | +[,json] |
| 91 | +---- |
| 92 | +{ |
| 93 | + "category_uid": 3, |
| 94 | + "class_uid": 3002, |
| 95 | + "metadata": { |
| 96 | + "product": { |
| 97 | + "name": "Redpanda", |
| 98 | + "uid": "0", |
| 99 | + "vendor_name": "Redpanda Data, Inc.", |
| 100 | + "version": "v26.1.1" |
| 101 | + }, |
| 102 | + "version": "1.0.0" |
| 103 | + }, |
| 104 | + "severity_id": 1, |
| 105 | + "time": 1700533469078, |
| 106 | + "type_uid": 300201, |
| 107 | + "activity_id": 1, |
| 108 | + "auth_protocol": "SASL-OAUTHBEARER", |
| 109 | + "auth_protocol_id": 99, |
| 110 | + "dst_endpoint": { |
| 111 | + "ip": "127.0.0.1", |
| 112 | + "port": 9092, |
| 113 | + "svc_name": "kafka rpc protocol" |
| 114 | + }, |
| 115 | + "is_cleartext": false, |
| 116 | + "is_mfa": false, |
| 117 | + "service": { |
| 118 | + "name": "kafka rpc protocol" |
| 119 | + }, |
| 120 | + "src_endpoint": { |
| 121 | + "ip": "10.0.1.50", |
| 122 | + "name": "kafka-client", |
| 123 | + "port": 48210 |
| 124 | + }, |
| 125 | + "status_id": 1, |
| 126 | + // IdP group memberships extracted from the OIDC token |
| 127 | + "user": { |
| 128 | + "name": "alice@example.com", |
| 129 | + "type_id": 1, |
| 130 | + "groups": [ |
| 131 | + {"type": "idp_group", "name": "engineering"}, |
| 132 | + {"type": "idp_group", "name": "analytics"} |
| 133 | + ] |
| 134 | + } |
| 135 | +} |
| 136 | +---- |
| 137 | +==== |
| 138 | + |
83 | 139 | .Authentication failed |
84 | 140 | [%collapsible] |
85 | 141 | ==== |
@@ -237,6 +293,93 @@ This example illustrates an ACL update that also requires a superuser authentica |
237 | 293 | ---- |
238 | 294 | ==== |
239 | 295 |
|
| 296 | +.Authorization matched on a group ACL |
| 297 | +[%collapsible] |
| 298 | +==== |
| 299 | +This example shows an API Activity (6003) where the authorization decision matched an ALLOW ACL on a `Group:` principal. The `actor.user.groups` field includes the matched group with type `idp_group`, and the `authorization_metadata` shows the group ACL that granted access. See xref:{gbac-doc}[Group-Based Access Control]. |
| 300 | +
|
| 301 | +[,json] |
| 302 | +---- |
| 303 | +{ |
| 304 | + "category_uid": 6, |
| 305 | + "class_uid": 6003, |
| 306 | + "metadata": { |
| 307 | + "product": { |
| 308 | + "name": "Redpanda", |
| 309 | + "uid": "0", |
| 310 | + "vendor_name": "Redpanda Data, Inc.", |
| 311 | + "version": "v26.1.0" |
| 312 | + }, |
| 313 | + "version": "1.0.0" |
| 314 | + }, |
| 315 | + "severity_id": 1, |
| 316 | + "time": 1774544504327, |
| 317 | + "type_uid": 600303, |
| 318 | + "activity_id": 3, |
| 319 | + "actor": { |
| 320 | + "authorizations": [ |
| 321 | + { |
| 322 | + "decision": "authorized", |
| 323 | + "policy": { |
| 324 | + "desc": "acl: {principal type {group} name {/sales} host {{any_host}} op all perm allow}, resource: type {topic} name {sales-topic} pattern {literal}", |
| 325 | + "name": "aclAuthorization" |
| 326 | + } |
| 327 | + } |
| 328 | + ], |
| 329 | + // The matched group appears in the user's groups field |
| 330 | + "user": { |
| 331 | + "name": "alice", |
| 332 | + "type_id": 1, |
| 333 | + "groups": [ |
| 334 | + { |
| 335 | + "type": "idp_group", |
| 336 | + "name": "/sales" |
| 337 | + } |
| 338 | + ] |
| 339 | + } |
| 340 | + }, |
| 341 | + "api": { |
| 342 | + "operation": "produce", |
| 343 | + "service": { |
| 344 | + "name": "kafka rpc protocol" |
| 345 | + } |
| 346 | + }, |
| 347 | + "dst_endpoint": { |
| 348 | + "ip": "127.0.1.1", |
| 349 | + "port": 9092, |
| 350 | + "svc_name": "kafka rpc protocol" |
| 351 | + }, |
| 352 | + "resources": [ |
| 353 | + { |
| 354 | + "name": "sales-topic", |
| 355 | + "type": "topic" |
| 356 | + } |
| 357 | + ], |
| 358 | + "src_endpoint": { |
| 359 | + "ip": "127.0.0.1", |
| 360 | + "name": "rdkafka", |
| 361 | + "port": 42728 |
| 362 | + }, |
| 363 | + "status_id": 1, |
| 364 | + "unmapped": { |
| 365 | + "authorization_metadata": { |
| 366 | + "acl_authorization": { |
| 367 | + "host": "{{any_host}}", |
| 368 | + "op": "all", |
| 369 | + "permission_type": "allow", |
| 370 | + "principal": "type {group} name {/sales}" |
| 371 | + }, |
| 372 | + "resource": { |
| 373 | + "name": "sales-topic", |
| 374 | + "pattern": "literal", |
| 375 | + "type": "topic" |
| 376 | + } |
| 377 | + } |
| 378 | + } |
| 379 | +} |
| 380 | +---- |
| 381 | +==== |
| 382 | + |
240 | 383 | .Metadata request (with counts) |
241 | 384 | [%collapsible] |
242 | 385 | ==== |
|