
unique filters per role across multiple group-roles #838


Closed
evaisman-tc opened this issue Sep 30, 2021 · 3 comments

Labels
enhancement New feature or request login Login & Acls on AKHQ

Comments

@evaisman-tc

Hi, I was wondering if it was possible to restrict topics-filter-regexp to the roles it's being assigned to.

For example, I'd like to set the below configuration:

akhq:
  security:
    default-group: no-roles
    groups:
      dev-reader:
        name: dev-reader # an example of a dev user that has read permissions to kafkahq
        roles:
          - topic/read
          - node/read
          - group/read
          - acls/read
          - registry/read
          - connect/read
        attributes:
          - topics-filter-regexp: ".*"
      ops-reader: # an example of an ops user that has options to read from kconnect topic data
        name: ops-reader
        roles:
          - topic/data/read
        attributes:
          - topics-filter-regexp: "^kconnect.*$"
    ldap:
      default-group: no-roles
      groups:
        - name: ops
          groups:
            - ops-reader
        - name: dev
          groups:
            - dev-reader

The current behavior of the above is that if a user possesses both LDAP groups, they are granted topic/data/read on every topic. My expectation of the above configuration is to grant the user read access to browse all topic configurations, but to only provide data read access to topics starting with kconnect. Maybe I'm configuring it wrong.

Thanks!

@tchiotludo
Owner

For now, the ACLS system of akhq lacks this kind of feature and needs a refactoring of the whole ACLS #523.

In your case, I think the first match wins and returns the first ACLS.

@tchiotludo tchiotludo added enhancement New feature or request login Login & Acls on AKHQ labels Oct 1, 2021
@eddyv

eddyv commented Oct 1, 2021

Thanks for the reply! I left a comment in that discussion. I'd be willing to contribute if you have a good path in mind for how you'd like to represent the security block in application.yaml. Mentioned my preference in the discussion ;)

@tchiotludo
Owner

done in #1472

@tchiotludo tchiotludo moved this to Done in Backlog Jun 29, 2023
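
A simplified model of the behaviour reported in the opening post, added here as an illustration (it is not AKHQ's code, and the flat-merge strategy is an assumption chosen to reproduce the reported result). It compares merging roles and filters across groups with checking each filter only against the roles of its own group, and lists the grants the merge adds; the function names and topic names are constructed.

```python
import re

# Groups copied from the configuration in the opening post.
GROUPS = {
    "dev-reader": {
        "roles": {"topic/read", "node/read", "group/read",
                  "acls/read", "registry/read", "connect/read"},
        "filter": r".*",
    },
    "ops-reader": {"roles": {"topic/data/read"}, "filter": r"^kconnect.*$"},
}

# Constructed topic names, used only to exercise the two models.
TOPICS = ["kconnect-offsets", "payments.orders"]


def merged_roles(user_groups):
    """Union of the roles of every group the user belongs to."""
    return set().union(*(GROUPS[g]["roles"] for g in user_groups))


def allowed_flat(user_groups, role, topic):
    """Assumed flat merge: roles and filters are pooled and checked independently,
    so the broadest filter applies to every role the user holds."""
    filters = [GROUPS[g]["filter"] for g in user_groups]
    return role in merged_roles(user_groups) and any(
        re.search(f, topic) for f in filters)


def allowed_scoped(user_groups, role, topic):
    """Expected behaviour: a filter only authorises roles declared in its own group."""
    return any(
        role in GROUPS[g]["roles"] and re.search(GROUPS[g]["filter"], topic)
        for g in user_groups)


def excess_grants(user_groups, topics):
    """(role, topic) pairs the flat merge allows but the scoped check denies."""
    return sorted(
        (role, t)
        for role in merged_roles(user_groups) for t in topics
        if allowed_flat(user_groups, role, t)
        and not allowed_scoped(user_groups, role, t))


if __name__ == "__main__":
    for grant in excess_grants(["dev-reader", "ops-reader"], TOPICS):
        print("granted only by merging:", grant)
```

Running `excess_grants` over a real topic list for each combination of groups a user can hold shows where a permissive filter in one group widens a sensitive role from another.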