Morio Identity and Access Management (IAM) Guide
This guide for Morio provides an overview of how authentication and
authorisation is handled in Morio.
If you are wondering who can do what? And how is that decided?, this guide
should provide answers.
When discussing in Morio, we always need to start by making it clear which wire protocol we are talking about. You see, there are two different ways to communicate with a Morio instance:
- Kafka: This is the protocol to talk to a Morio broker
- HTTP: This is the ubiquitous web protocol used to talk to the various Morio APIs and the web interface.
Each of the sections in this guide will be split up by wire protocol because the technical implementation of those protocols is so vastly different that they require their own approach to IAM.
Authentication
Authentication is the process of establishing who a user is.
Kafka Authentication
Kafka uses for authentication. You need a certificate issued by Morio’s
CA to be able to connect. The value of the certificate’s CN field (common
name) will be used as username.
You can generate your own (client) certificates to connect to a Kafka broker, and you can choose the value of the CN freely.
However, the most common use case is to use the Morio client which is created
by your Morio instance and will come bundled with a client certificate. Below
is an example of the username (the value of the CN field) from a client
certificate that is auto-generated and bundled with the client installer
packages:
de3a8b39-c7c1-4ce3-beeb-5de2cbe41a30.clients.morio.internal
This is the user identity that is used to apply authorisation.
The value of the certificate CN for the Morio client is constructed as:
[client-uuid].clients.morio.internal
- Including the client UUID ensures every client has its own
CNvalue. - Only accepting certificates from Morio’s CA prevents users from generating a
client certificate from a different CA with a
CNvalue designed to bypass authorisation controls.
HTTP Authentication
For HTTP connections to Morio, all authentication is handled by the API. It provides a modular way to configure various authentication backends through the use of identity providers.
As an extra layer of protection, you can enable the ENFORCE_HTTP_MTLS feature
flag, to enforce mTLS on all HTTP endpoints. This will apply in addition to
the authentication described below.
Refer to the reference documentation of the ENFORCE_HTTP_MTLS feature
flag for more details.
A user’s identity is established by combining the username used by the identity provider with the ID of the identity provider. Below is an example:
ad.aswartz
This is the user identity that is used to apply authorisation.
The user identity for HTTP access in Morio is constructed as:
[Identity Provider ID].[Identity Provider Username]
Provider ID
The internal identity providers have a fixed ID. For example mrt, local, or
apikey. Other identity providers, like ldap or oidc have an ID assigned
when configuring that identity provider.
Username
The username field can be configured. For example, when using ldap to point
to Active Directory, the username field is typically configured as sAMAcountName.
Example
If we assume a scenario where a identity provider of type ldap is configured
with ID ad, then a user logging in as aswartz would be know to morio as
ad.aswartz.
Authorisation
Authorisation is the process of establishing what a user can (or cannot) do.
Kafka Authorisation
When connecting over the Kafka protocol, authorisation is governed by the access control list (ACL) that is configured on the broker.
The RedPanda ACL documentation is the authoritative reference on the finer details of ACLs inside a broker node. However, in practice you will almost certainly configure the ACL through the console service.
Below is an example if (a subset of) the default ACL configured by Morio:
PRINCIPAL HOST RESOURCE-TYPE RESOURCE-NAME RESOURCE-PATTERN-TYPE OPERATION PERMISSION
User:*.clients.morio.internal * TOPIC logs LITERAL WRITE ALLOW
User:*.clients.morio.internal * TOPIC logs LITERAL CREATE ALLOW
User:*.clients.morio.internal * TOPIC logs LITERAL DESCRIBE ALLOW
For the purpose of this guide, it sufficient to understand the various fields used in the ACL:
PRINCIPAL
This is made up of type:value where type is always User so in
practice this always is User:id, and it describes the user identity.
Keep in mind that Morio customises the broker configuration to extract the value of
the CN as user identification. This is different from the examples you see in
the RedPanda documentation where the entire certificate string is used.
So in the RedPanda documentation, you might see something like this as the user id:
C=UK,ST=London,L=London,O=Redpanda,OU=engineering,CN=__schema_registry
In morio, the same user would be known as:
__schema_registry
HOST
This allows one to limit the host(s) from which clients are allowed to connect.
We typically set this to * to not impose any restrictions.
RESOURCE-TYPE
This describes the type of resource. It can be one of TOPIC, CLUSTER,
GROUP, or TRANSACTIONAL_ID.
You can almost certainly ignore all but TOPIC since that is the resource type
that controls who can read and write data to the topics.
RESOURCE-NAME
This is the name of the resource, so its exact meaning depends on the resource
type. For example, when the resource type of TOPIC, this will be the topic
name.
RESOURCE-PATTERN-TYPE
This controls how the resource name will be matched. Possible options are:
match: Check a wildcard match. Usingbana*will matchbanana.prefix: Check a prefix. Usingbanawill matchbanana.literal: Match only exactly. Onlybananawill matchbanana.any: Combinesprefixandliteral.
Using literal is the safest option.
So it is also what Morio uses in the auto-generated ACL rules.
OPERATION
The operation describes the action taken on a resource. It is one of
READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, DESCRIBE_CONFIGS,
ALTER_CONFIGS, or ALL.
To produce to a topic, or to write data to the broker if you will, you need the
WRITE, and DESCRIBE rights. If the topic needs to be created if it does
not already exist, you also need the CREATE operation.
PERMISSION
Permission can be one of ALLOW or DENY. Given that DENY is the default,
you typically will never use it unless you need to deny something specific
before hitting a broader allow rule in your ACL.
Managing Kafka authorisation
You can manage the broker ACL through RedPanda console, aka the console service.
In the Morio web interface, click Status and then RedPanda Console.
In the console, click Security in the sidebar, then the ACLs tab.
You can also get there directly by navigating to /console/security/acls.
Alternatively, you can manage the ACL directly on the broker via the command line. For example, to see the current ACL, run this command on a broker node:
docker exec -it morio-broker rpk security acl list
To learn how to manage the ACL from the command line, run:
docker exec -it morio-broker rpk security acl -h
There is currently no API to manage the broker ACL
HTTP Authorisation
Authorisation for HTTP is divided in two different levels of granularity:
- : Role Based Access Control is implemented by the Morio developers
- : Attribute Based Access Control allows you to write a custom access policy
In other words, Morio ships with RBAC enabled, and you can not turn it off. But you can — optinally — write an ABAC access policy that will take precendence over the default RBAC access.
Another way to look at this is that RBAC implements the default access control in Morio. And ABAC is a way to alter those defaults.
RBAC
Role-based access control governs which roles can do what when it comes to managing Morio. For example, creating users, or updating the Morio settings. Under the hood, each API endpoint requires a minimum role, and this cannot be changed.
The role with the lowest access level is the base user role. But there are
various other roles that have elevated permissions to allow users with that
role to make changes to the system.
Note that roles are cumulative, so every higher role can do everything the
roles below it can. The lowest role is user, the highest role is root.
The table below includes all roles, from lowest to highest:
| Role | Description | Audience |
|---|---|---|
user | Minimal role needed to be able to sign in to Morio | All users in your organisation |
manager | Allows the creation of local Morio user accounts | Team leaders, IT support staff |
operator | Allows changing the Morio settings | IT Operations staff |
engineer | Allows decryption of Morio data | IT Engineers, or staff doing Morio troubleshooting |
root | Allows exporting key data | Break-glass access |
We recommend using to manage your Morio deployments. This not only negates the need to have a bunch of people who have the ability to update the Morio settings, it also creates an audit trail and keeps your settings under version control.
Refer to the gitops guide for more details.
Assigning roles to identities
Now that we know which roles are available, there’s still the matter of how to assign a given role to a specific user.
The exact process differs based on the identity provider in use:
mrt: You cannot assign any roles with this provider. There is only one user (root) and its role is alwaysroot.local: When you create a new account, you decide on its (maximum) role. You can never create an account with a role higher than your own.apikey: When you create a new API key, you decide on its (maximum) role. You can never create an API key with a role higher than your own.ldap: Theldapidentity provider allows configuring the assignment of Morio roles based on any field of the LDAP user object. Refer to the Identity Providers Guide for details.oidc: Theoidc(OpenID Connect) identity provider allows configuring the assignment of Morio roles based on any property provided by the OpenID provider. Refer to the Identity Providers Guide for details.
ABAC
Attribute-based access control allows you to implement more granular access control inside Morio by writing your own access policy. So unlike RBAC, ABAC is something you have to configure yourself.
For all details, please refer to the Morio Access Policy Guide.