Okta provider and RBAC error "Provider [okta] doesn't contain a roles field param name, mapping won't be performed" #4076

@sandraber

Description

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running master-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

We tried to configure RBAC with the Okta provider and got this error:

DEBUG [reactor-http-epoll-4] c.p.k.u.s.r.e.OauthAuthorityExtractor: Provider [okta] doesn't contain a roles field param name, mapping won't be performed

          env:
            - name: AUTH_TYPE
              value: OAUTH2
            - name: AUTH_OAUTH2_CLIENT_OKTA_AUTHORIZATION_GRANT_TYPE
              value: authorization_code
            - name: AUTH_OAUTH2_CLIENT_OKTA_CLIENTID
              value: XXXXXXXX
            - name: AUTH_OAUTH2_CLIENT_OKTA_CLIENTSECRET
              value: vXXXXX
            - name: AUTH_OAUTH2_CLIENT_OKTA_AUTHORIZATION_URI
              value: https://XXXX.okta.com/oauth2/v1/authorize
            - name: AUTH_OAUTH2_CLIENT_OKTA_TOKEN_URI
              value: https://XXXXX.okta.com/oauth2/v1/token
            - name: AUTH_OAUTH2_CLIENT_OKTA_USER_INFO_URI
              value: https://XXXXXx.okta.com/oauth2/v1/userinfo
            - name: AUTH_OAUTH2_CLIENT_OKTA_JWK_SET_URI
              value: https://XXXXX.okta.com/oauth2/v1/keys
            - name: AUTH_OAUTH2_CLIENT_OKTA_SCOPE_0_
              value: "openid"
            - name: AUTH_OAUTH2_CLIENT_OKTA_SCOPE_1_
              value: "profile"
            - name: AUTH_OAUTH2_CLIENT_OKTA_SCOPE_2_
              value: "email"
            - name: AUTH_OAUTH2_CLIENT_OKTA_SCOPE_3_
              value: "groups"
            - name: AUTH_OAUTH2_CLIENT_OKTA_PROVIDER
              value: okta
            - name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_AUTHORIZATION_URI
              value: https://XXXXX.okta.com/oauth2/v1/authorize
            - name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_TOKEN_URI
              value: https://XXXXX.okta.com/oauth2/v1/token
            - name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_USER_INFO_URI
              value: https://XXXX.okta.com/oauth2/v1/userinfo
            - name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_JWK_SET_URI
              value: https://XXXX.okta.com/oauth2/v1/keys
            - name: KAFKA_CLUSTERS_0_NAME
              value: MSK
            - name: KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS
              value: kafka-consumer:9092
            - name: KAFKA_CLUSTERS_0_READONLY
              value: "false"
            - name: KAFKA_CLUSTERS_0_SCHEMAREGISTRY
              value: https://aXXXXXX.XXX.com
            - name: AUTH_OAUTH2_CLIENT_OKTA_CUSTOMPARAMS_TYPE
              value: oauth
            - name: AUTH_OAUTH2_CLIENT_OKTA_CUSTOMPARAMS_ROLESFIELD
              value: groups
            - name: SPRING_CONFIG_ADDITIONAL-LOCATION
              value: /roles.yml
            - name: AUTH_OAUTH2_CLIENT_OKTA_USERNAMEATTRIBUTE
              value: email
          volumeMounts:
            - name: roles-file
              mountPath: /roles.yml
              subPath: roles.yml

RBAC:

rbac:
  roles:
    - name: "readonlytech"
      clusters:
        - MSK
      subjects:
        - provider: oauth
          type: role
          value: "Tech"
      permissions:
        - resource: clusterconfig
          actions: ["view"]

        - resource: topic
          value: ".*"
          actions:
            - VIEW
            - MESSAGES_READ

        - resource: consumer
          value: ".*"
          actions: [view]

        - resource: schema
          value: ".*"
          actions: [view]

        - resource: connect
          value: ".*"
          actions: [view]

        - resource: acl
          value: ".*"
          actions: [view]

Expected behavior

We can't see the cluster in read-only permissions:

[screenshots]

Your installation details

The application is running in K8s:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kafka-ui
  namespace: kafka-ui
  labels:
    app: kafka-ui
spec:
  replicas: 2
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app: kafka-ui
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: kafka-ui
    spec:
      serviceAccount: kafka-ui
      containers:
        - name: kafka-ui
          image: docker-registry/provectuslabs/kafka-ui:v0.7.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 5
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          env:
            - name: AUTH_TYPE
              value: OAUTH2
            - name: AUTH_OAUTH2_CLIENT_OKTA_AUTHORIZATION_GRANT_TYPE
              value: authorization_code
            - name: AUTH_OAUTH2_CLIENT_OKTA_CLIENTID
              value: XXXXX
            - name: AUTH_OAUTH2_CLIENT_OKTA_CLIENTSECRET
              value: vXXXXXXX
            - name: AUTH_OAUTH2_CLIENT_OKTA_AUTHORIZATION_URI
              value: https://XXXX.okta.com/oauth2/v1/authorize
            - name: AUTH_OAUTH2_CLIENT_OKTA_TOKEN_URI
              value: https://XXX.okta.com/oauth2/v1/token
            - name: AUTH_OAUTH2_CLIENT_OKTA_USER_INFO_URI
              value: https://XXXX.okta.com/oauth2/v1/userinfo
            - name: AUTH_OAUTH2_CLIENT_OKTA_JWK_SET_URI
              value: https://XXXX.okta.com/oauth2/v1/keys
            - name: AUTH_OAUTH2_CLIENT_OKTA_SCOPE_0_
              value: "openid"
            - name: AUTH_OAUTH2_CLIENT_OKTA_SCOPE_1_
              value: "profile"
            - name: AUTH_OAUTH2_CLIENT_OKTA_SCOPE_2_
              value: "email"
            - name: AUTH_OAUTH2_CLIENT_OKTA_SCOPE_3_
              value: "groups"
            - name: AUTH_OAUTH2_CLIENT_OKTA_PROVIDER
              value: okta
            - name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_AUTHORIZATION_URI
              value: https://XXX.okta.com/oauth2/v1/authorize
            - name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_TOKEN_URI
              value: https://XXX.okta.com/oauth2/v1/token
            - name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_USER_INFO_URI
              value: https://XXX.okta.com/oauth2/v1/userinfo
            - name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_JWK_SET_URI
              value: https://XXXx.okta.com/oauth2/v1/keys
            - name: KAFKA_CLUSTERS_0_NAME
              value: MSK
            - name: KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS
              value: kafka-consumer:9092
            - name: KAFKA_CLUSTERS_0_READONLY
              value: "false"
            - name: KAFKA_CLUSTERS_0_SCHEMAREGISTRY
              value: https://XXXXXXX
            - name: AUTH_OAUTH2_CLIENT_OKTA_CUSTOMPARAMS_TYPE
              value: oauth
            - name: AUTH_OAUTH2_CLIENT_OKTA_CUSTOMPARAMS_ROLESFIELD
              value: groups
            - name: SPRING_CONFIG_ADDITIONAL-LOCATION
              value: /roles.yml
            - name: AUTH_OAUTH2_CLIENT_OKTA_USERNAMEATTRIBUTE
              value: email
          volumeMounts:
            - name: roles-file
              mountPath: /roles.yml
              subPath: roles.yml
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 750m
              memory: 768Mi
      volumes:
        - name: roles-file
          configMap:
            name: roles-rbac-kafkaui
            items:
              - key: roles.yml
                path: roles.yml
    

Okta claims groups:

[screenshot]

Steps to reproduce

You only need to configure RBAC with the Okta provider.

Screenshots

No response

Logs

DEBUG [reactor-http-epoll-4] c.p.k.u.s.r.e.OauthAuthorityExtractor: Provider [okta] doesn't contain a roles field param name, mapping won't be performed

Additional context

No response
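The debug line quoted in the report comes from the point where kafka-ui looks up a roles field name in the provider's custom params before mapping identity-provider groups onto RBAC roles. The following is an added, simplified Python model of that flow; it is not kafka-ui's or Spring Boot's code. It assumes the extractor reads the custom-params key spelled `roles-field` (the spelling used in YAML configs), that Spring's relaxed binding of environment variables turns `_` into `.` and lower-cases the name while taking whatever follows `customparams` literally as the map key, and it uses constructed claims and the RBAC role from the report. The hyphenated environment-variable spelling is shown only as the form that yields the literal key under this model; whether a given platform and Spring version accept it is not established here, and a YAML config file sidesteps the question.

```python
"""Illustrative model of an OAuth roles-field lookup followed by RBAC role
matching. Added example code, not kafka-ui's or Spring Boot's implementation."""
import re

# Key the extractor is assumed to read from the provider's custom params
# (matches the YAML spelling "custom-params: roles-field:").
ROLES_FIELD_PARAM = "roles-field"


def env_to_property(env_name: str) -> str:
    """Simplified model of Spring Boot's env-var relaxed binding:
    '_' becomes '.', the whole name is lower-cased, other characters stay."""
    return env_name.replace("_", ".").lower()


def custom_params_from_env(env: dict, prefix: str) -> dict:
    """Collect map entries bound under <prefix>.customparams.<key>.
    The field name is matched loosely (with or without a dash), but the
    map key is whatever text follows it, taken literally (assumption)."""
    params = {}
    pattern = re.escape(prefix) + r"\.custom-?params\.(.+)"
    for name, value in env.items():
        m = re.fullmatch(pattern, env_to_property(name))
        if m:
            params[m.group(1)] = value
    return params


def extract_groups(provider_name: str, custom_params: dict,
                   claims: dict, log: list) -> set:
    """Without a roles-field param no group mapping happens at all, which is
    the debug message seen in the report."""
    roles_field = custom_params.get(ROLES_FIELD_PARAM)
    if roles_field is None:
        log.append(f"Provider [{provider_name}] doesn't contain a roles field "
                   "param name, mapping won't be performed")
        return set()
    raw = claims.get(roles_field, [])
    return {raw} if isinstance(raw, str) else set(raw)


def resolve_roles(rbac_roles: list, provider_type: str, groups: set) -> list:
    """Return RBAC role names whose 'role'-type subject for this provider
    type matches one of the user's groups."""
    matched = []
    for role in rbac_roles:
        for subj in role["subjects"]:
            if (subj["provider"] == provider_type and subj["type"] == "role"
                    and subj["value"] in groups):
                matched.append(role["name"])
                break
    return matched


# RBAC role taken from the report; claims are constructed sample data.
RBAC_ROLES = [{"name": "readonlytech", "clusters": ["MSK"],
               "subjects": [{"provider": "oauth", "type": "role", "value": "Tech"}]}]
CLAIMS = {"email": "alice@example.com", "groups": ["Tech", "Everyone"]}

# Environment as posted in the report (key lands as "rolesfield").
ENV_AS_POSTED = {
    "AUTH_OAUTH2_CLIENT_OKTA_CUSTOMPARAMS_TYPE": "oauth",
    "AUTH_OAUTH2_CLIENT_OKTA_CUSTOMPARAMS_ROLESFIELD": "groups",
}
# Spelling that yields the literal key "roles-field" under this model (assumption).
ENV_WITH_LITERAL_KEY = {
    "AUTH_OAUTH2_CLIENT_OKTA_CUSTOM-PARAMS_TYPE": "oauth",
    "AUTH_OAUTH2_CLIENT_OKTA_CUSTOM-PARAMS_ROLES-FIELD": "groups",
}


def demo(env: dict) -> tuple:
    """Run the whole chain for one environment; returns (roles, debug log)."""
    log = []
    params = custom_params_from_env(env, "auth.oauth2.client.okta")
    groups = extract_groups("okta", params, CLAIMS, log)
    return resolve_roles(RBAC_ROLES, params.get("type", ""), groups), log


if __name__ == "__main__":
    for label, env in (("as posted", ENV_AS_POSTED), ("literal key", ENV_WITH_LITERAL_KEY)):
        roles, log = demo(env)
        print(label, "->", roles, log)
```

Running the model with the report's spelling produces the same debug message and an empty role list, because the bound map key is `rolesfield` while the lookup asks for `roles-field`; with the literal key present the `Tech` group resolves to `readonlytech`. Checking which key actually lands in `custom-params` (via the application's effective configuration) is the first thing to verify before touching the RBAC rules themselves.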

Metadata

Assignees

No one assigned

Labels

status/triage (Issues pending maintainers triage), type/bug (Something isn't working)
