CORE-14879: Migrate "Roles" Admin API v1 Security Endpoints to v2 ConnectRPC API#29072
Conversation
nguyen-andrew
requested review from
a team,
michael-redpanda and
rockwotj
as code owners
There was a problem hiding this comment.
Pull request overview
This PR introduces comprehensive role management capabilities to the Admin API v2 by implementing new ConnectRPC endpoints for creating, retrieving, listing, updating, and deleting roles, along with managing role members. The implementation includes backend services in C++, Python client wrappers, and extensive Ducktape test coverage to ensure functional parity with the v1 RBAC API.
Key Changes:
- Implementation of seven new role management RPC methods in Admin API v2's SecurityService
- Leader-based request proxying for write operations (create, update, delete) while enabling local serving for read operations
- Comprehensive test suite covering authorization, CRUD operations, member management, ACL integration, and persistence across restarts
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| proto/redpanda/core/admin/v2/security.proto | Defines protobuf messages and RPC service methods for role management |
| proto/redpanda/core/admin/v2/BUILD | Adds googleapis dependencies for field_behavior and resource annotations |
| src/v/redpanda/admin/services/security.h | Declares role management method signatures in security_service_impl |
| src/v/redpanda/admin/services/security.cc | Implements role management operations with validation, conversion helpers, and error handling |
| src/v/redpanda/admin/services/BUILD | Adds utils dependency for redirect_to_leader functionality |
| src/v/redpanda/application_admin.cc | Updates security_service_impl instantiation to include metadata_cache reference |
| tests/rptest/clients/admin/proto/redpanda/core/admin/v2/security_pb2.py | Generated Python protobuf code for role management messages |
| tests/rptest/clients/admin/proto/redpanda/core/admin/v2/security_pb2.pyi | Generated Python type stubs for role management |
| tests/rptest/clients/admin/proto/redpanda/core/admin/v2/security_pb2_connect.py | Generated Python ConnectRPC client methods for role operations |
| tests/rptest/tests/rbac_test_v2.py | New comprehensive test suite for Admin API v2 role management |
| tools/type-checking/type-check-strictness.json | Registers new test file for type checking |
rockwotj
left a comment
rockwotj
left a comment
There was a problem hiding this comment.
LGTM, will leave the rest of the review to Mike
| const auto role_opt = _controller->get_role_store().local().get(role_name); | ||
|
|
||
| if (!role_opt) { | ||
| vlog(securitylog.debug, "Role '{}' does not exist", role_name); | ||
| throw serde::pb::rpc::not_found_exception( | ||
| ssx::sformat("Role '{}' does not exist", role_name)); | ||
| } | ||
|
|
||
| auto curr_members = role_opt->members(); | ||
| curr_members.insert(members_to_add.begin(), members_to_add.end()); | ||
|
|
||
| const security::role role{curr_members}; | ||
|
|
||
| const auto err | ||
| = co_await _controller->get_security_frontend().local().update_role( | ||
| role_name, role, model::timeout_clock::now() + role_operation_timeout); |
There was a problem hiding this comment.
probably not a big deal, but there is no consistency guarantees between these operations so it's possible other updates are clobbered in the meantime. The "correct" way to fix this is to have a dedicated controller command for adding/removing members from roles.
Since this isn't possible to do safely today, it's probably OK, but if there is time we should consider following up with a dedicated controller command.
There was a problem hiding this comment.
Good point, I've tried to capture this in a Jira ticket here: https://redpandadata.atlassian.net/browse/CORE-15076
tests/rptest/tests/rbac_test_v2.py
Outdated
| @parametrize(delete_acls=True) | ||
| @parametrize(delete_acls=False) | ||
| @parametrize(delete_acls=None) |
There was a problem hiding this comment.
nit: this turns into 3 different clusters getting spun up and down, consider just having a for loop in the test instead.
nguyen-andrew
force-pushed
the
admin-api-v2-roles
branch
from
8792780 to
0d6d47f
Compare
|
Force push: minor adjustments to address PR comments. |
nguyen-andrew
force-pushed
the
admin-api-v2-roles
branch
2 times, most recently
from
861b1be to
802f8d6
Compare
|
Force pushes:
|
nguyen-andrew
force-pushed
the
admin-api-v2-roles
branch
from
802f8d6 to
f65adde
Compare
|
Retry command for Build#78409please wait until all jobs are finished before running the slash command |
nguyen-andrew
force-pushed
the
admin-api-v2-roles
branch
from
f65adde to
42a0d46
Compare
|
Force push to rebase on latest dev. |
michael-redpanda
left a comment
michael-redpanda
left a comment
There was a problem hiding this comment.
looks good - I'm not sure we need the last two commits - should you just change the tests to use the v2 endpoint rather than duplicating them?
| // The Role to create. | ||
| Role role = 1 [(google.api.field_behavior) = REQUIRED]; |
There was a problem hiding this comment.
I can't remember where the discussion landed by can a user provide RoleMembers when creating a role?
There was a problem hiding this comment.
Yes, with this approach you can provide RoleMembers when creating the role. The CreateRoleRequest message includes the entire Role resource, so you'd be able to specify its RoleMembers as well. Here's an example:
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" --data '{"role": {"name": "role1", "members": [{"user": {"name": "admin"}}, {"user": {"name": "testuser1"}}]}}'
@michael-redpanda |
nguyen-andrew
force-pushed
the
admin-api-v2-roles
branch
2 times, most recently
from
0b73a01 to
f2413a1
Compare
|
Force pushes:
|
nguyen-andrew
force-pushed
the
admin-api-v2-roles
branch
from
f2413a1 to
0887b37
Compare
|
Force push to rebase on latest dev. |
nguyen-andrew
force-pushed
the
admin-api-v2-roles
branch
from
0887b37 to
c1271c7
Compare
|
Force push again to rebase on actual latest dev (to fix "out-of-date with the base branch" error). |
This commit adds the protobuf messages and RPCs for role management for the Admin API V2, and it extends the security service implementation to include unimplemented stubs for the new role management methods: - CreateRole - GetRole - ListRoles - AddRoleMembers - RemoveRoleMembers - DeleteRole - ListCurrentUserRoles
Generate Ducktape protobuf clients to test the new Admin API v2 Roles security endpoints.
Implemented the Role Management endpoints for the Admin API v2, allowing administrators to get, list, create, and delete roles as well as manage their members. All write operations are proxied to the controller leader while read operations can be served locally. This is consistent with the existing behavior of the v1 Admin API.
Added a new file to test the Admin API v2 for role management. This file will be based on the existing rbac_tests.py and will aim to provide the same level of functional testing and coverage by using the original rbac_tests.py as a reference. This initial commit will replicate most of the tests from the RBACTest class for the v2 API (some TODOs remain). Additionally, updated tools/type-checking/type-check-strictness.json to include the new rbac_test_v2.py file for type checking.
Replicating the RBACEndToEndTest class from rbac_test.py to ensure comprehensive testing of RBAC functionalities in the Admin API v2.
Replicating the RolePersistenceTest class from rbac_test.py to ensure comprehensive testing of RBAC functionalities in the Admin API v2.
Adds unit tests for the Admin API v2 security service role management functionality, covering: - Role name validation (valid names, invalid characters, edge cases) - Conversion between protobuf role types and security subsystem types - Round-trip conversion correctness for single/multiple members - Member deduplication behavior in security roles These tests validate the transformation layer between the Admin API v2 protobuf interface and the internal security subsystem, ensuring role and member data is correctly converted in both directions.
nguyen-andrew
force-pushed
the
admin-api-v2-roles
branch
from
c1271c7 to
2fc835b
Compare
|
Force push to rebase against dev again... last rebase was on a broken dev. |
| with expect_role_error(ConnectErrorCode.INVALID_ARGUMENT): | ||
| self.superuser_admin.create_role( | ||
| role=self.ROLE_NAME0, members=[invalid_member] | ||
| ) |
There was a problem hiding this comment.
The test test_invalid_create_role validates role name rejection for invalid characters, but it doesn't test validation for role names exceeding maximum length limits (if any exist). Consider adding a test case for excessively long role names.
| @ignore | ||
| @cluster(num_nodes=3) | ||
| def test_list_role_filter(self): |
There was a problem hiding this comment.
This test is marked with @ignore and has no implementation. Since v2 list_roles doesn't support filters yet (as indicated by the TODO on line 232 in security.cc), consider removing this placeholder test or adding a clear TODO comment explaining when this functionality will be implemented.
4 participants
This PR introduces comprehensive support and testing for Role Management in the Admin API v2.
The main changes include:
https://redpandadata.atlassian.net/browse/CORE-14879
Backports Required
Release Notes
Features