Improve authN and authZ topics #1115

JakeSCahill · 2025-05-07T16:02:28Z

Description

Resolves https://redpandadata.atlassian.net/browse/DOC-1293
Review deadline: May 12

This pull request includes updates to the documentation and configuration files for Redpanda, focusing on improvements to authentication documentation. The most significant changes include adding new navigation links, reorganizing sections for better clarity, and enhancing the authentication documentation with additional details and examples.

Documentation and Navigation Updates:

Added new navigation links in modules/ROOT/nav.adoc for features such as "Edit Topic Configuration," "Filter Messages," and "Deserialize Messages." These changes improve discoverability of specific features.
Reorganized the navigation structure in modules/ROOT/nav.adoc to move "Upgrade" and "Migrate" sections to a more logical position, ensuring a clearer hierarchy. [1] [2]

Authentication Documentation Enhancements:

Improved the authentication.adoc file by clarifying the integration of authentication methods (OIDC and basic authentication) with Redpanda APIs, and added detailed examples for configuration. This includes runtime acquisition and static token modes for OIDC. [1] [2]
Simplified and restructured sections to make the authentication setup process more user-friendly, including clearer prerequisites and step-by-step instructions.

Page previews

Checks

New feature
Content gap
Support Follow-up
Small fix (typos, links, copyedits, etc)

… ACLs

coderabbitai · 2025-05-07T16:02:35Z

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

The changes reorganize and clarify the documentation related to Redpanda Console authentication, authorization, and navigation. The navigation structure was updated to move UI-related links to the "Develop" section and flatten the console configuration hierarchy. The authentication and authorization documentation was extensively rewritten to clarify the distinction between using Redpanda's RBAC/ACLs (via impersonation) versus Console role bindings, with improved examples and configuration guidance. New documentation was added to explicitly describe OIDC limitations and migration steps from Console role bindings to Redpanda ACLs, including concrete examples and summary tables. Some files were deleted or updated to reflect the new documentation structure.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Console
    participant Redpanda

    User->>Console: Login (OIDC/Basic)
    Console->>Console: Authenticate User
    alt Impersonation Enabled
        Console->>Redpanda: Forward API requests with user identity
        Redpanda->>Redpanda: Authorize via RBAC/ACLs
        Redpanda-->>Console: API Response
    else Impersonation Disabled
        Console->>Console: Authorize via Console roleBindings
        Console-->>User: UI/API Response
    end

Assessment against linked issues

Objective	Addressed	Explanation
Provide guidance on migrating from role bindings in Console to ACLs in Redpanda (DOC-1293)	✅
Authorization doc should call out the two options for authZ: Delegate to Redpanda (impersonation) and Use Console role bindings (DOC-1293)	✅

Suggested reviewers

asimms41
Feediver1

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Explain this complex logic.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai explain this code block.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and explain its main purpose.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR.
@coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

netlify · 2025-05-07T16:02:44Z

✅ Deploy Preview for redpanda-docs-preview ready!

Name	Link
🔨 Latest commit	`5cdb567`
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/683096b65cde26000897d18b
😎 Deploy Preview	https://deploy-preview-1115--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

coderabbitai

Actionable comments posted: 3

🧹 Nitpick comments (9)

modules/manage/partials/security/oidc/limitations.adoc (1)

3-10: Nitpick: unify bullet sentence style. Consider starting each point with “The rpk CLI” or “Redpanda Console” for consistency across bullets.

modules/migrate/pages/console-v3.adoc (1)

215-222: Suggest using an admonition for emphasis. The note about impersonation ignoring roleBindings is critical—consider wrapping it in an [IMPORTANT] or [NOTE] block to improve visibility.

modules/ROOT/nav.adoc (1)

48-49: Optional: Reorder for alphabetical consistency. Consider listing Filter Messages and Deserialize Messages in alphabetical order or grouping by function for easier scanning.

modules/console/pages/config/security/authentication.adoc (2)

22-29: Eliminate redundant introduction and unify terminology
The two opening paragraphs (lines 22 and 24) overlap in content. Consider merging them for conciseness and harmonize the bullet list capitalization (e.g., “Basic Authentication” instead of “basic authentication”) for consistency.

107-109: Clarify OIDC redirect and token refresh behavior
The redirectUrl, accessType, and prompt fields are well explained. Consider adding a cross-reference to the “HTTP path rewrites” topic for users using custom hostnames.

modules/console/pages/config/security/authorization.adoc (4)

31-33: Merge repetitive role disclaimer
Lines 31 and 33 both note that Console roles apply only when impersonation is disabled and require Redpanda ACLs. Consider combining to avoid redundancy.

47-47: Review role limitations for consistency
The Viewer and Editor rows use “Cannot…”, while Admin uses “No limitations.” For parallel style, consider “None” or “N/A” in the Admin row to match the sentence fragment pattern.

Also applies to: 56-56, 63-63

111-116: Clarify nesting of authentication in example
The snippet intermixes Kafka SASL and Console’s authentication: section without explicit top-level context. Recommend adding a comment or header indicating that both kafka: and top-level authentication: live at the root of the same config file.

122-122: Quote example usernames for clarity
Wrap name: Peter in quotes ("Peter") to avoid YAML parsing issues and match other examples.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6517e1a and 6789aa8.

📒 Files selected for processing (8)

modules/ROOT/nav.adoc (2 hunks)
modules/console/pages/config/index.adoc (0 hunks)
modules/console/pages/config/security/authentication.adoc (5 hunks)
modules/console/pages/config/security/authorization.adoc (3 hunks)
modules/manage/pages/console/index.adoc (1 hunks)
modules/manage/partials/authentication.adoc (1 hunks)
modules/manage/partials/security/oidc/limitations.adoc (1 hunks)
modules/migrate/pages/console-v3.adoc (2 hunks)

💤 Files with no reviewable changes (1)

modules/console/pages/config/index.adoc

⏰ Context from checks skipped due to timeout of 90000ms (3)

GitHub Check: Redirect rules - redpanda-docs-preview
GitHub Check: Header rules - redpanda-docs-preview
GitHub Check: Pages changed - redpanda-docs-preview

🔇 Additional comments (15)

modules/manage/partials/security/oidc/limitations.adoc (1)

1-10: Approve addition of OIDC limitations section. This succinctly outlines current constraints relevant to users.

modules/manage/pages/console/index.adoc (1)

4-4: Approve addition of page alias. This preserves backward compatibility for references to the old console configuration index.

modules/migrate/pages/console-v3.adoc (2)

176-179: Approve clarification on roleBindings migration. The new paragraphs clearly explain how v3 consolidates roleBindings into the main configuration.

223-245: Approve rpk ACL examples. The Bash snippet provides clear, actionable commands for mapping Console roles to Redpanda ACLs.

modules/ROOT/nav.adoc (2)

40-40: Approve addition of UI links under Develop. Moving these console UI topics to the Develop section improves discoverability for developer workflows.

199-206: Verify nav entries align with new file structure. Ensure that the promoted xref:console:config/... pages exist at the specified paths and that the :page-aliases: in modules/manage/pages/console/index.adoc correctly covers console:config/index.adoc.

modules/console/pages/config/security/authentication.adoc (5)

92-93: Configure JWT signing and cookie security correctly
The jwtSigningKey and useSecureCookies settings are clear and well documented. Using secure cookies (useSecureCookies: true) is recommended in production to prevent token leakage.

95-98: OIDC runtime acquisition parameters are well detailed
The oidc block clearly explains required fields (enabled, issuerUrl, clientId, clientSecret). Ensure that the issuerUrl matches your IdP’s v2.0 endpoint.

100-102: Additional scopes and TLS options are comprehensive
Including additionalScopes and issuerTls options provides necessary flexibility for mTLS and scope requests. The use of comments (# <7>, # <8>) is consistent with the rest of the doc.

134-134: Static token mode succinctly documented
The token field is correctly placed and noted as pre-acquired. A reminder about token rotation or expiration handling in the limitations section could be helpful.

185-186: Entra ID scopes example aligns with Azure requirements
Good addition of the api://<client-id>/entraid.v2-access-tokens scope pattern and accompanying note referencing Microsoft docs.

modules/console/pages/config/security/authorization.adoc (4)

82-85: Static Kafka credentials example is clear
The impersonateUser: false block with username, password, and mechanism is correctly illustrated. The inline footnotes explain context well.

87-91: RoleBindings mapping example is correct
The roleBindings: section and loginType: basic mapping are properly formatted and explained by the footnote.

130-130: Approve multi-role assignment explanation
The new description of multiple roles producing a union of permissions is clear and well-placed.

139-143: Multi-role example formatting is accurate
The example shows separate - roleName entries for viewer and editor correctly, reinforcing that duplicate roles are idempotent.

modules/manage/partials/authentication.adoc

modules/migrate/pages/console-v3.adoc