Improve JWT format with namespaces grouping #500
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yraffin
approved these changes
Jan 8, 2025
loicgreffier
approved these changes
Jan 14, 2025
There was a problem hiding this comment.
@ThomasCAI-mlv Everything LGTM. Tests are good as well. I pushed an additional commit to remove the RoleBindingRepository roleBindingRepository; which was unused in ResourceBasedSecurityRule.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is about reducing the size of the JWT (
access_token) generated by the/loginendpoint, which is then used to authenticate in other endpoints. This would heavily reduce the risk of reaching thehttp.client.max-content-lengthlimit in the future when the namespaces number increases, and have better performance in the logging process.Example of the current JWT roleBindings format:
"roleBindings": [ { "namespace": "namespace1", "verbs": [ "GET", "POST", "PUT", "DELETE" ], "resourceTypes": [ "schemas", "schemas/config", "topics", "topics/delete-records" ] }, { "namespace": "namespace2", "verbs": [ "GET", "POST", "PUT", "DELETE" ], "resourceTypes": [ "schemas", "schemas/config", "topics", "topics/delete-records" ] }, { "namespace": "namespace3", "verbs": [ "GET", "POST", "PUT", "DELETE" ], "resourceTypes": [ "schemas", "schemas/config", "topics", "topics/delete-records" ] } ]This PR changes the format of the JWT so the namespaces are grouped if they have the same
verbsandresourceTypesfields.The previous example becomes:
"roleBindings": [ { "namespaces": [ "namespace1", "namespace2", "namespace3" ], "verbs": [ "GET", "POST", "PUT", "DELETE" ], "resourceTypes": [ "schemas", "schemas/config", "topics", "topics/delete-records" ] } ]The string
namespacefield is replaced by a list of stringnamespacesfield.This PR is linked with this kafkactl PR.