The 'all-topics' view does not display according to the RBAC filter #3872

Closed
4 tasks done
javihernanp opened this issue May 29, 2023 · 15 comments · Fixed by #3946
Labels: area/rbac, scope/backend, status/accepted, type/bug

@javihernanp

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running master-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I was working with RBAC to filter permissions by topics, and the issue I'm facing is that in the "all-topics" URI, unlike with schemas or other tabs, it doesn't display the filtered topics unless I search for them in the search bar.

Expected behavior

It should display, like in the rest of the tabs, only the topics that comply with the RBAC configuration.

Your installation details

1 - 7.0 version
2 - I'm not using it
3 - This is the RBAC that I'm using

resource: topic
value: "dev.*"
actions: all

Steps to reproduce

Simply modify the configuration file in the topic permissions section to allow access only to specific topics.

Screenshots

image
image

Logs

No response

Additional context

1 - I have tried all the methods listed in the documentation to define permissions on a topic

@javihernanp javihernanp added status/triage Issues pending maintainers triage type/bug Something isn't working labels May 29, 2023

@Haarolean Haarolean added scope/backend status/accepted An issue which has passed triage and has been accepted and removed status/triage Issues pending maintainers triage labels May 30, 2023
@Haarolean Haarolean self-assigned this May 30, 2023
@Haarolean
Contributor

Hey, it seems to be working for me:

        - resource: topic
          value: "dev.*"
          actions: all
image

Please provide your full config and the responses for the /api/authorization and /api/clusters/local/topics requests; they can be found in the network tab within the browser's dev console.

@Haarolean Haarolean assigned javihernanp and unassigned Haarolean May 30, 2023
@Haarolean Haarolean added the status/pending Further information is requested label May 30, 2023
@javihernanp
Author

Hello,

Thank you for your quick response,

This is the config file that I'm using:

kafka:
  clusters:
    -
      name: LAB01
      bootstrapServers: cluster1.confluent.cloud:9092
      properties.security.protocol: SASL_SSL
      properties.sasl.mechanism: PLAIN
      properties.sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="****" password="****";'
    -
      name: NON_PROD_AWS_EU-WEST-3
      bootstrapServers: cluster2.confluent.cloud:9092
      properties.security.protocol: SASL_SSL
      properties.sasl.mechanism: PLAIN
      properties.sasl.jaas.config: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="****" password="****";'
      schemaRegistry: https://example
      schemaRegistryAuth:
        username:  username
        password: password

auth:
  type: OAUTH2
  oauth2:
    client:
      github:
        provider: github
        clientId: ****
        clientSecret: ****
        scope:
          - read:org
        user-name-attribute: login
        usernameattribute: login
        custom-params:
          type: github
        authorization-uri: https://example/login/oauth/authorize
        token-uri: https://example/login/oauth/access_token
        tokenuri: https://example/login/oauth/access_token
        user-info-uri: https://example/api/v3/user
        redirect-uri: https://ui.example/login/oauth2/code/github

rbac:
  roles:
    - name: "Admin Team"
      subjects:
      - provider: oauth_github
        type: organization
        value: "organization"
      clusters:
      - LAB01
      - NON_PROD_AWS_EU-WEST-3
      permissions:
      - resource: clusterconfig
        actions: all
      - resource: topic
        value: ".*"
        actions: all
      - resource: consumer
        value: ".*"
        actions: all
      - resource: schema
        value: ".*"
        actions: all
      - resource: connect
        value: ".*"
        actions: all
      - resource: ksql
        actions: all
        value: ".*"
      - resource: acl
        value: ".*"
        actions: all
    - name: "test"
      subjects:
      - provider: oauth_github
        type: user
        value: "fcojavier-hernandez"
      clusters:
      - NON_PROD_AWS_EU-WEST-3
      permissions:
      - resource: clusterconfig
        value: ".*"
        actions: all
      - resource: topic
        value: "dev.*"
        actions: all
      - resource: consumer
        value: ".*"
        actions: all
      - resource: schema
        value: ".*"
        actions: all
      - resource: connect
        value: ".*"
        actions: all
      - resource: ksql
        actions: all
        value: ".*"
      - resource: acl
        value: ".*"
        actions: all

For the two outputs you requested, here are both screenshots:

image
image

I would like to ask if you are using the release 0.7.

Kind regards.

@javihernanp javihernanp removed their assignment May 31, 2023
@Haarolean
Contributor

@javihernanp

> I would like to ask if you are using the release 0.7

Even better, master branch.

Which cluster stores the topic in question? Your screenshots are cropped, no way to determine that.
Is that the same cluster that returns topics: []?

@javihernanp
Author

javihernanp commented Jun 1, 2023

Hello,

Indeed, the cluster I obtain for topic[] is the same as the one I have configured, namely "NON_PROD_AWS_EU-WEST-3". I have continued testing, and it works correctly with a Confluent Cloud Basic cluster. However, if I configure a Confluent Cloud Dedicated cluster, such as "NON_PROD_AWS_EU-WEST-3", it doesn't work correctly. I have checked the Service Accounts I am using, and they have the same permissions in both types of clusters. Furthermore, it is worth mentioning that I am also using the code from the master branch.

Kind regards.

@javihernanp javihernanp removed their assignment Jun 1, 2023
@Haarolean
Contributor

  1. Do you have these topics available if RBAC is disabled (no roles specified in config)?
  2. Are there any cluster/topic authorization errors in logs?

@javihernanp
Author

Hello,

> Do you have these topics available if RBAC is disabled (no roles specified in config)?

  • Yes

> Are there any cluster/topic authorization errors in logs?

  • I could not see configuring different levels of logs, nothing related to authorization errors

Kind regards

@Haarolean
Contributor

@javihernanp please try running this image:
public.ecr.aws/provectus/kafka-ui-custom-build:3914
with the following config property:
logging.level.com.provectus.kafka.ui.service.rbac=TRACE
Open the topic list page, also try searching by the topic name as you did, and extract the logs after that.

@javihernanp
Author

Hello @Haarolean,

I have been testing by modifying the log level as you indicated, and I have used that version, but I still haven't been able to see anything different in the console output. Would it be possible to have a quick meeting to explain in detail the issue and the different tests we have been conducting?

Kind regards

@Haarolean
Contributor

@javihernanp Sure, let's talk. Got Discord? The invite link is here.

@Haarolean Haarolean removed the status/pending Further information is requested label Jun 9, 2023
@dmalik16

dmalik16 commented Jun 9, 2023

@Haarolean, we have seen the same/similar behavior, but can add a bit more context. In our case, we RBAC topic filter on "a." and "B." as a test. What happens is we still see 39 pages of topics as if there was no RBAC topic filter, but most pages are blank. Topics "B." show up on page #1 and topics "a." show up on pages 10-11. So sorted by case and the filter just prevents the topics from showing on the page where it would be. If you do try to add a non-allowed topic name to the URL directly, you do get a 403.

@javihernanp
Author

Hello @Haarolean,

I'm sorry, but at that time I was already disconnected and couldn't see that you sent me a link. I have been testing what @dmalik16 mentioned in the previous comment, and indeed, that is the cause of the error. I have been testing it, and it does show up on the original pages as if all the topics were displayed, just as explained. Since we already know the origin of the issue, I believe it is no longer necessary to have a call to further investigate the issue. Please let me know if you need more information. I would like to know an estimated time for the resolution of the issue, and thank you very much for the support and work done so far.

Best regards.

@Haarolean Haarolean added this to the 0.7.1 milestone Jun 14, 2023
@Haarolean
Contributor

@javihernanp @dmalik16 could you please try this docker image and tell me if you experience any problems now?
image: public.ecr.aws/provectus/kafka-ui-custom-build:3946

@dmalik16

@Haarolean, we pulled that image down and tested it out. It now displays as expected. In our case the filtered topics appeared over 2 pages total as if they were the only topics.
Thanks!

@javihernanp
Author

Hello @Haarolean,

I have tested the changes, and now it is working correctly with the applied RBAC configuration. Thank you very much for resolving the issue promptly. I was wondering if these changes will be included in the main branch in the next patch. If so, could you please let me know the estimated release date for that patch? Once again, I would like to express my appreciation for the work done and the speed at which it was resolved.

Best regards.
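
The pagination symptom described in this thread (39 pages, most of them blank, and then only the permitted topics over 2 pages with the test image), modelled as an added example that is not part of the thread and is not kafka-ui's code. The page size, topic names, patterns and full-match semantics are assumptions constructed for illustration.

```python
import re
from math import ceil

PAGE_SIZE = 25  # assumed page size; the issue does not state one

def allowed(topic, patterns):
    """True if the topic fully matches any RBAC topic pattern (assumed semantics)."""
    return any(re.fullmatch(p, topic) for p in patterns)

def paginate_then_filter(topics, patterns, page, size=PAGE_SIZE):
    """Reported symptom: pages are cut from the full list, then filtered."""
    ordered = sorted(topics)  # code-point order, so "B." sorts before "a."
    total_pages = ceil(len(ordered) / size)
    window = ordered[(page - 1) * size:page * size]
    return [t for t in window if allowed(t, patterns)], total_pages

def filter_then_paginate(topics, patterns, page, size=PAGE_SIZE):
    """Behaviour reported with the test image: authorize first, then cut pages."""
    visible = sorted(t for t in topics if allowed(t, patterns))
    total_pages = ceil(len(visible) / size)
    return visible[(page - 1) * size:page * size], total_pages

def blank_pages(list_fn, topics, patterns):
    """Page numbers that render empty for this caller."""
    _, total = list_fn(topics, patterns, 1)
    return [p for p in range(1, total + 1) if not list_fn(topics, patterns, p)[0]]

# Constructed sample cluster: 975 topics, of which 50 match the role.
TOPICS = ([f"B.orders-{i:03d}" for i in range(20)]
          + [f"M.internal-{i:03d}" for i in range(205)]
          + [f"a.events-{i:03d}" for i in range(30)]
          + [f"z.misc-{i:03d}" for i in range(720)])
PATTERNS = [r"B\..*", r"a\..*"]  # constructed patterns for the two allowed prefixes

if __name__ == "__main__":
    for fn in (paginate_then_filter, filter_then_paginate):
        _, total = fn(TOPICS, PATTERNS, 1)
        blanks = blank_pages(fn, TOPICS, PATTERNS)
        print(f"{fn.__name__}: {total} pages, {len(blanks)} blank")
```

In the first ordering the page count is derived from the unfiltered list, so a restricted user still learns how many topics the cluster holds even though every topic outside the role is hidden.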
