
Login not authorized when a user belongs to two groups #524

Closed
apellegr06 opened this issue Nov 24, 2020 · 27 comments
Labels: backend (Need a backend update), bug (Something isn't working), login (Login & Acls on AKHQ)

Comments

@apellegr06

Hi,

I have LDAP authentication configured and I have had an issue since I updated from 0.12.0 to 0.16.0.

My user belongs to two groups defined in the yml and the connection issue is related to that.
If I remove one of the groups then I can connect; otherwise I get the error "Wrong Username or Password!"
If I roll back to 0.12.0 I don't have this issue.

Regards
Alain

@tchiotludo
Owner

Can you share the configuration files, please, so that I have a direct reproduction?

@apellegr06
Author

apellegr06 commented Nov 25, 2020

Here is my config:

micronaut:
  server:
    port: 8081
  security:
    enabled: true
    ldap:
      default:
        enabled: true
        context:
          server: 'ldaps://xxxxxxxxxx:636'
          managerDn: 'uid=xxxxxxxxxx,ou=xxxxxxxxxxxxxx,dc=xxxxxxxxx,dc=xx'
          managerPassword: 'xxxxxxx'
        search:
          base: 'dc=xxxxxxxxx,dc=xx'
        groups:
          enabled: true
          base: 'ou=xxxxx,dc=xxxxxxxxx,dc=xx'

akhq:
  server:
    base-path: "" # if behind a reverse proxy, path to kafkahq without trailing slash (optional). Example: kafkahq is
                  # behind a reverse proxy with url http://my-server/kafkahq, set base-path: "/kafkahq".
                  # Not needed if you're behind a reverse proxy with subdomain http://kafkahq.my-server/
    access-log: # Access log configuration (optional)
      enabled: true # true by default
      name: org.akhq.log.access # Logger name
      format: "[Date: {}] [Duration: {} ms] [Url: {} {}] [Status: {}] [Ip: {}] [User: {}]" # Logger format

  # default kafka properties for each clients, available for admin / producer / consumer (optional)
  clients-defaults:
    consumer:
      properties:
        isolation.level: read_committed
        default.api.timeout.ms: 60000

  # list of kafka cluster available for kafkahq
  connections:
# ---- [ ADD CLUSTER CONNECTION AFTER THIS LINE ] ----
    XXXXXXXXXXXXX:
      properties:
        bootstrap.servers: "xxxxxxxxxxxxxxxxxxxxxx"
        security.protocol: SASL_PLAINTEXT
        sasl.jaas.config: com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="xxxxxxxxxxxx" storeKey=true useTicketCache=false serviceName="kafka" principal="xxxxxx";

  pagination:
    page-size: 25 # number of elements per page (default : 25)
    threads: 16 # Number of parallel threads to resolve page

  # Topic list display options (optional)
  topic:
    retention: 172800000 # default retention period when creating topic
    partition: 3 #  default number of partition when creating topic
    replication: 3 # default number of replicas when creating topic
    internal-regexps: # list of regexp to be considered as internal (internal topic can't be deleted or updated)
      - "^_.*$"
      - "^.*_schemas$"
      - "^.*connect-config$"
      - "^.*connect-offsets$1"
      - "^.*connect-status$"
    stream-regexps: # list of regexp to be considered as internal stream topic
      - "^.*-changelog$"
      - "^.*-repartition$"
      - "^.*-rekey$"
    skip-consumer-groups: false # Skip loading consumer group information when showing topics
    skip-last-record: false # Skip loading last record date information when showing topics

  # Topic display data options (optional)
  topic-data:
    size: 50 # max record per page (default: 50)
    poll-timeout: 1000 # The time, in milliseconds, spent waiting in poll if data is not available in the buffer.

  # Ui Global Options (optional)
  ui-options:
    topic:
      default-view: HIDE_INTERNAL  # default list view (ALL, HIDE_INTERNAL, HIDE_INTERNAL_STREAM, HIDE_STREAM). Overrides default
      skip-consumer-groups: false # Skip loading consumer group information when showing topics. Overrides default
      skip-last-record: true  # Skip loading last record date information when showing topics.  Overrides default
    topic-data:
      sort: NEWEST # default sort order (OLDEST, NEWEST) (default: OLDEST).  Overrides default

  # Auth & Roles (optional)
  security:
    default-group: no-roles # Default groups for all the user even unlogged user

    # Groups definition
    groups:
      - name: admin # Group name
        roles:  # roles for the group
          - topic/read
          - topic/insert
          - topic/delete
          - topic/config/update
          - node/read
          - topic/data/read
          - topic/data/insert
          - topic/data/delete
          - group/read
          - group/delete
          - group/offsets/update
        attributes:
          # Regexp to filter topic available for group
          topics-filter-regexp: ".*"
      - name: exploit # Group name
        roles:  # roles for the group
          - topic/read
          - node/read
          - topic/data/read
          - group/read
        attributes:
          # Regexp to filter topic available for group
          topics-filter-regexp: "TOPIC.EXPLOIT.001"

    # Basic auth configuration
    basic-auth:
      - username: admin
        password: 7163948be1bf17e36c189ed4548962026ac45f65c4d0004a698d53730baa5197
        groups:
          - no-groups

    # Ldap Groups configuration (when using ldap)
    ldap:
      groups:
        - name: gr_admin
          groups:
            - admin
        - name: gr_exploit
          groups:
            - exploit

@tchiotludo
Owner

Please format it or attach it as a file.

@apellegr06
Author

It's now formatted.

@apellegr06
Author

Very strange: without changing anything, sometimes I succeed in connecting! And after disconnecting, it doesn't work again.

@tchiotludo added the backend (Need a backend update), bug (Something isn't working) and login (Login & Acls on AKHQ) labels on Dec 4, 2020
@tchiotludo
Owner

Can you try with the latest dev version, please?
I think you are hitting this issue: #526

@apellegr06
Author

Yes I can, but I think I have to change the format of my yml file, no?
If that's the case, I don't understand the new format.

@tchiotludo
Owner

Yes, the same as before, but a map of groups instead of a list of groups; in the application example there is an admin group, for example.

@apellegr06
Author

I tested the dev version after adapting the config file but the behavior is the same.
I will try to pin down the problem in the config file because it seems not to be as simple as I said.

@apellegr06
Author

I have a clue: maybe the length of the field topics-filter-regexp. What is the limit for this field?

@tchiotludo
Owner

No limits as far as I know 🤔

@apellegr06
Author

It seems so: I ran several tests and with 2636 characters it's OK; beyond that it's not.

@apellegr06
Author

Is there a possibility to define a list of regexes instead of one long one?

@tchiotludo
Owner

Strange behaviour here!
Can you try with a multiline string (https://yaml-multiline.info/), with a >- ?

@apellegr06
Author

If I put:

topics-filter-regexp: >-
  TOPIC1|
  TOPIC2

Only TOPIC1 is available.

@tchiotludo
Owner

Don't use Enter, just try with | because I think there is no limit on size.

@apellegr06
Author

Like that?

topics-filter-regexp: "TOPIC1|TOPIC2"

@tchiotludo
Owner

Like that:

topics-filter-regexp: >-
  TOPIC1|TOPIC2

@apellegr06
Author

OK, so it's working with 2 topics, but when I put in the problematic line I get the same error.

@apellegr06
Author

I don't have this problem in 0.12.0

@tchiotludo
Owner

What is the exact error?
Can you share the topics-filter-regexp you are trying to have?

@apellegr06
Author

apellegr06 commented Dec 24, 2020

When I'm on the login page and click on "Login", I get "Wrong Username or Password", but it's the right one. It occurs only when the topics-filter-regexp of my ldap family has a value longer than 2636.
And the regex is like this:
"TOPIC1|TOPIC2|TOPIC2......"

@tchiotludo
Owner

I have made some attempts to reproduce your issue and I'm not able to.
Can you try again with the dev version, please?
Maybe there is a fix for that?
If it's not working, please send me the configuration files.

@apellegr06
Author

apellegr06 commented Feb 15, 2021

Hi,

I finally installed the latest version of akhq (0.17.0) to do more testing and I still have the same issue.
I managed to make a light minimal configuration file to reproduce the behaviour:

micronaut:
  ssl:
    enabled: true
    port: 8082
    key-store:
      path: file:yyyyyyy.p12
      password: xxxxxxx
      type: JKS
  security:
    enabled: true

akhq:
  server:
    base-path: ""
    access-log:
      enabled: true
      name: org.kafkahq.log.access
      format: "[Date: {}] [Duration: {} ms] [Url: {} {} {}] [Status: {}] [Ip: {}] [Length: {}] [Port: {}]"

  clients-defaults:
    consumer:
      properties:
        isolation.level: read_committed
        default.api.timeout.ms: 60000

  connections:
    test:
      properties:
        bootstrap.servers: hostname:port
        security.protocol: PLAINTEXT


  pagination:
    page-size: 25
    threads: 16

  topic:
    retention: 172800000
    partition: 3
    replication: 3
    default-view: HIDE_INTERNAL
    internal-regexps:
      - "^_.*$"
      - "^.*_schemas$"
      - "^.*connect-config$"
      - "^.*connect-offsets$1"
      - "^.*connect-status$"
    stream-regexps:
      - "^.*-changelog$"
      - "^.*-repartition$"
      - "^.*-rekey$"

  topic-data:
    sort: OLDEST
    size: 50
    poll-timeout: 1000

  security:
    default-group: admin

    groups:
      test1:
        name: test1
        roles:
          - topic/read
          - group/read
          - topic/data/read
          - topic/data/insert
          - group/offsets/update
        attributes:
          topics-filter-regexp: "TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TE
ST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST"

      test2:
        name: test2
        roles:
          - topic/read
          - group/read
          - topic/data/read
          - topic/data/insert
          - group/offsets/update
        attributes:
          topics-filter-regexp: "TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TE
ST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST"

    basic-auth:
      - username: admin1
        password: zzzzzzzz
        groups:
          - test1
      - username: admin2
        password: zzzzzzzz
        groups:
          - test2

  • One group "test1" linked to a username "admin1" with a topics-filter-regexp with a length of 2749 characters.
  • One group "test2" linked to a username "admin2" with a topics-filter-regexp with a length of 2754 characters.
  • default-group to "admin"

With this configuration, if I try to connect with "admin1" it works fine.
If I try to connect with "admin2" it fails with the error "Wrong Username or Password!".
And without connecting (so with default-group), it works fine.

For information, the admin1 and admin2 users have the same password.
And in my real usage topics-filter-regexp has a real list of topics, but I did the test with the above configuration.

I hope with all this information you will find the problem.

Thanks

@apellegr06
Author

apellegr06 commented Apr 22, 2021

Hi,

Finally I now use the right jar file :)

And with the previous config file I get the same error when I try to connect.
Also if I use the list for topics-filter-regexp, with exactly 67 lines of:

- "TEST"

With 66 it's OK!

@tchiotludo
Owner

Please give me a docker compose file to reproduce the issue; I have never had the issue on my side.

@apellegr06
Author

I'm sorry, I don't know how to make a docker compose file, but I reproduced the same behaviour on a docker instance by running this command:

docker run -d -p 8080:8080 -v /tmp/kafkahq.yml:/app/application.yml tchiotludo/akhq:dev

with the following /tmp/kafkahq.yml:

micronaut:
  security:
    enabled: true

akhq:
  server:
    access-log:
      enabled: true
      name: org.akhq.log.access
      format: "[Date: {}] [Duration: {} ms] [Url: {} {}] [Status: {}] [Ip: {}] [User: {}]"

  clients-defaults:
    consumer:
      properties:
        isolation.level: read_committed
        default.api.timeout.ms: 60000

  connections:
    TEST:
      properties:
        bootstrap.servers: "xxxxx"
        security.protocol: PLAINTEXT


  pagination:
    page-size: 25
    threads: 16

  topic:
    retention: 172800000
    partition: 3
    replication: 3
    default-view: HIDE_INTERNAL
    internal-regexps:
      - "^_.*$"
      - "^.*_schemas$"
      - "^.*connect-config$"
      - "^.*connect-offsets$1"
      - "^.*connect-status$"
    stream-regexps:
      - "^.*-changelog$"
      - "^.*-repartition$"
      - "^.*-rekey$"

  topic-data:
    sort: OLDEST
    size: 50
    poll-timeout: 1000

  security:
    default-group: admin

    groups:
      test1:
        name: test1
        roles:
          - topic/read
          - group/read
          - topic/data/read
          - topic/data/insert
          - group/offsets/update
        attributes:
          topics-filter-regexp: "TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TE
ST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST|TEST"

      test2:
        name: test2
        roles:
          - topic/read
          - group/read
          - topic/data/read
          - topic/data/insert
          - group/offsets/update
        attributes:
          topics-filter-regexp:
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"
            - "TEST"

    basic-auth:
      - username: admin1
        password: xxxx
        groups:
          - test1
      - username: admin2
        password: xxxx
        groups:
          - test2

With the admin1 login, with the old-style topics-filter-regexp, it works because I'm under the length limit (if I add some topics it fails).
And with admin2, with the new-style topics-filter-regexp, it fails because I'm over the limit on the number of elements (if I remove some of them it works).

Normally you should have the same behaviour with the same docker file and the same config yml file, no?
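
As an added example (not part of the thread and not AKHQ code), this Python script regenerates the reproduction configs above at any size and bisects the size at which login starts to fail; it covers both the string form (550 `TEST` tokens = 2749 characters, 551 = 2754) and the list form (66 vs 67 entries). Assumptions: `login_ok` is a hypothetical callback you supply (for instance, start the container with the rendered file and attempt a login), the `user_<group>` names and `CHANGE_ME` password are placeholders, and the failure is monotonic in size.

```python
# Added example, not AKHQ code: rebuild the thread's repro config at a chosen
# size and bisect the size at which login starts to fail.

def alternation(n_tokens, token="TEST"):
    """Return 'TEST|TEST|...' with n_tokens entries, as in the configs above."""
    return "|".join([token] * n_tokens)


def render_security(groups, password="CHANGE_ME"):
    """Render the akhq.security section of application.yml as text.

    groups maps a group name to a str (single regexp) or a list (list form
    of topics-filter-regexp). One basic-auth user 'user_<group>' is created
    per group; user names and password are placeholders (assumptions).
    Merge the result with the micronaut/connections parts of your own file.
    """
    out = ["akhq:", "  security:", "    default-group: admin", "    groups:"]
    for name, regexp in groups.items():
        out += [f"      {name}:", f"        name: {name}", "        roles:",
                "          - topic/read", "          - topic/data/read",
                "        attributes:"]
        if isinstance(regexp, str):
            out.append(f'          topics-filter-regexp: "{regexp}"')
        else:
            out.append("          topics-filter-regexp:")
            out += [f'            - "{item}"' for item in regexp]
    out.append("    basic-auth:")
    for name in groups:
        out += [f"      - username: user_{name}",
                f"        password: {password}",
                "        groups:", f"          - {name}"]
    return "\n".join(out) + "\n"


def find_threshold(login_ok, lo, hi):
    """Return the largest n between lo and hi for which login_ok(n) is True.

    login_ok(n) is supplied by the caller (hypothetical: render a config of
    size n, restart AKHQ, try to log in). Requires login_ok(lo) to be True
    and login_ok(hi) to be False, and assumes failure is monotonic in n.
    """
    if not login_ok(lo) or login_ok(hi):
        raise ValueError("need login_ok(lo) == True and login_ok(hi) == False")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if login_ok(mid):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed stand-in for a real login attempt, mirroring the report:
    # 2749 characters logs in, 2754 does not.
    simulated = lambda n: len(alternation(n)) <= 2749
    n = find_threshold(simulated, 1, 1000)
    print(n, len(alternation(n)))
    # Same two groups as the last config in the thread: string and list form.
    config = render_security({"test1": alternation(n),
                              "test2": ["TEST"] * 67})
    print(len(config.splitlines()), "lines of YAML rendered")
```

Running the bisection once with the string form and once with the list form shows whether both limits move together, which narrows down where the size is being counted.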

@tchiotludo moved this to Done in Backlog on Jun 29, 2023