The Ultimate Engineering Toolkit for Apache Kafka®
Search…
kPow User Guide
About
Introduction
Our Team
Releases
Trials and Licenses
Support
Data Collection
Installation
Quick Start
System Requirements
Deployment Notes
Minimum ACL Permissions
Application Logs
OpenShift
AWS Marketplace
Troubleshooting
Configuration
Environment Variables
Kafka Cluster
Schema Registry
Kafka Connect
Multi-Cluster Management
Azure Event Hubs
Confluent Cloud
Redpanda
User Authentication
Overview
LdapLoginModule
PropertyFileLoginModule
JDBCLoginModule
OpenID/OAuth 2.0
GitHub
Okta
SAML
User Authorization
Overview
Simple Access Control
Role Based Access Control
Multi-Tenancy
Administration
Features
Kafka Streams
Data Governance (Audit Log)
Data Policies
HTTPS Connections
Live Mode
Data Inspect
Data Produce
Prometheus Integration
Slack Integration
Kafka Management
Topics
Groups
Brokers
ACLs
Connect
Schema Registry
Powered By GitBook
GitHub
Secure kPow with Github SSO (OAuth2) and RBAC
Configure RBAC and set the organisation field to restrict access to your organisation.

User Authentication

Create a Github OAuth2 Application

  1. 1.
    Login to GitHub and navigate to the organisation you wish to integrate with kPow.
  2. 2.
    Navigate to Settings > Developer Settings > OAuth Apps > New Oath Application
  3. 3.
    Fill out the Register a new OAuth application form:
    • Application Name: The name of your kPow instance, e.g. 'kPow Staging'.
    • Homepage URL: The absolute URL to your kPow instance, e.g. https://kpow.stage.mycorp.com
    • Authorization callback URL: The absolute URL for authorization callback, e.g. https://kpow.stage.mycorp.com/oauth2/github/callback
  4. 4.
    Open your freshly created OAuth App and make note of the Client ID and Client Secret.

Integrate kPow with Github OAuth2

Set the following environment variables and start kPow:
  • AUTH_PROVIDER_TYPE=github
  • OPENID_AUTH_URI= The URI to authorize Github users, e.g.
    1
    https://github.com/login/oauth/authorize, or
    2
    [Github Enterprise Host]/login/oauth/authorize
    Copied!
  • OPENID_TOKEN_URI= The URI to retrieve an OAuth token, e.g.
    1
    https://github.com/login/oauth/access_token, or
    2
    [Github Enterprise Host]/login/oauth/access_token
    Copied!
  • GITHUB_API_ENDPOINT= The URI to perform user actions, e.g.
    1
    https://api.github.com/, or
    2
    [Github Enterprise Host]/api/v3/
    Copied!
  • OPENID_CLIENT_ID= the Client ID found in the OAuth Apps page (required)
  • OPENID_CLIENT_SECRET= the Client Secret found in the OAuth Apps page (required)
  • AUTH_LANDING_URI= The absolute kPow URI, e.g.
    1
    https://kpow.stage.mycorp.org
    Copied!
kPow will now authenticate users with Github via OAuth2.

User Authorization

See the guide to Role Based Access Control for full configuration details.

Integrate Github SSO and RBAC

When RBAC is enabled kPow will request orgs:read scope to view a user's roles.

Default Github Roles

Github Organisation roles are restricted to admin or member so they are the two default roles you can configure with kPow RBAC when using Github SSO.
kPow makes a request to the GitHub API for user membership state and role information by querying GET /orgs/:org/memberships/:username. Specify the github key inside your rbac-config.yaml to define the Github Organisation to query for role information, and optional role_field to use.

Using Github Teams for Roles

Note: Github Teams configuration requires extra OAuth scopes: user and repo
kPow can use the teams associated with the authenticated user as roles in kPow. You can do this by specifying a custom roles_field in the RBAC yaml:
1
# Specifically restrict Auth to a single Github Organization
2
# Specify that a user's teams field should be used to identify roles
3
github:
4
org: operatr-io
5
role_field: teams
Copied!
Once enabled, kPow will use the list teams API call to query for roles.

Configuration

This sample configuration specifies:
  • Who may access kPow
  • Which users are kPow admins
  • What RBAC policies are in place
  • Access is restricted to one Github organisation
  • Github Teams are used as user-roles for RBAC
See: Role Based Access Control for more information.
1
# Allow all users who can authenticate access to kPow
2
authorized_roles:
3
- "*"
4
5
# Specify that users with 'admin' role are kPow Admins
6
admin_roles:
7
- "admin"
8
9
# Define some RBAC policies
10
policies:
11
- resource: ["cluster", "N9xnGujkR32eYxHICeaHuQ"]
12
effect: "Allow"
13
actions: ["TOPIC_INSPECT", "TOPIC_PRODUCE"]
14
role: "admin"
15
16
# Specifically restrict Auth to a single Github Organization
17
# Specify that a user's teams field should be used to identify roles
18
github:
19
org: operatr-io
20
role_field: teams
Copied!
User Authentication - Previous
OpenID/OAuth 2.0
Next
Okta
Last modified 4mo ago
Copy link
Contents
User Authentication
Create a Github OAuth2 Application
Integrate kPow with Github OAuth2
User Authorization
Integrate Github SSO and RBAC
Default Github Roles
Using Github Teams for Roles
Configuration