Schema Registry principals management (Service Accounts) when using Confluent Cloud not implemented

[cijujoseph]

Describe the bug I am trying to configure the schema registry topics & the corresponding ACL against confluent cloud. It creates the topics correctly. However the I don't see the service account, topic acl and group acl created

To Reproduce The config I am using is

---
context: schema-registry
env: dev
projects:
  - name: schema-registry
    topics:
      - name: _schemas_dev
        config:
          replication.factor: 3
          num.partitions: 1
          cleanup.policy: compact
platform:
  schema_registry:
    instances:
      - principal: "User:sa-schema-registry-dev"
        topic: _schemas_dev
        group: schema-registry

Expected behavior Expect the service account to be created as well as READ, WRITE, DESCRIBE_CONFIGS ACLS on the topics and the groups ACL created.

Screenshots n/a

Runtime (please complete the following information): Confluent Cloud

Additional context None

[purbon]

Hi @cijujoseph, thanks for your ticket. The service account management is currently an experimental feature, as you can see from https://julieops.readthedocs.io/en/latest/futures/what-principal-management.html

To continue helping with the investigation, I would kindly ask you for a few things:

• Can you please share the configuration used for the tool? Please anonymise anything relevant to you, but this is important in order to know if the SA management was properly activated.
• I understand you're using a self-managed Schema Registry, right?

As you can see from https://github.com/kafka-ops/julie/blob/c46058f17ea82703586c1ecbc914fe4f244865c5/src/main/java/com/purbon/kafka/topology/PrincipalManager.java#L110, currently the platform level principals are not managed, only the project level ones.

Note: For confluent cloud the principals has a form User:[Number], when not using the SA translation mechanism.

[cijujoseph]

Thanks @purbon. I understand it is experimental and guessed this may not be fully functional. Yes, I'm using a self managed schema registry where the topic is also on the confluent cloud. Here is my configuration

topology.translation.principal.enabled=true
topology.features.experimental=true
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="apikey" \
  password="secret";
topology.topic.prefix.format={{topic}}
topology.project.prefix.format={{topic}}
ccloud.environment=dev
allow.delete.principals=false

[purbon]

Hi, i noticed something strange from your configuration. Why are you using?

topology.topic.prefix.format={{topic}}
topology.project.prefix.format={{topic}}

i would suggest not doing this and allow the full topic name to build, this is one of the core benefits of the tool.

[cijujoseph]

Hi @purbon I just noticed your comment on my config

topology.topic.prefix.format={{topic}}
topology.project.prefix.format={{topic}}

I added this to get the topics created as I define in my yamls without any prefix. Is this not how I do it?