tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

0.25.1 Permissions to limited topics - Unauthorized: missing permission on resource TOPIC_DATA and action READ #1912

Open thartyhp opened 3 months ago

thartyhp commented 3 months ago

I've since determined this configuration worked okay in 0.25.0, but gets an error in 0.25.1

Behavior in 0.25.0 - User will see all topics as specified in the ACLs, however, if they try to see topic data on a topic they don't have permissions to, the table view will never populate (it may seem like it's loading forever). If it's a topic they have ACL rights to it will display as normal.

Behavior in 0.25.1 - When the user attempts to see the list of topics the table will start to populate, then the "Unauthorized: missing permission on resource TOPIC_DATA and action READ" error is thrown, and the user is sent back to the login page.

Discussed in https://github.com/tchiotludo/akhq/discussions/1910

Originally posted by **thartyhp** August 14, 2024

I'm trying to set up a model where we restrict who can see TOPIC_DATA in prod based on group. I can get it so a user can read all TOPIC_DATA or no topic data. But I get an error "Unauthorized: missing permission on resource TOPIC_DATA and action READ" when I try to make it so users can only read select topics based on pattern settings. The `me` endpoint returns the following. My read of the endpoint payload is that it should be what I want.

```
{
  "logged": true,
  "username": "Test User",
  "roles": [
    {
      "resources": [ "TOPIC" ],
      "actions": [ "READ", "READ_CONFIG" ],
      "patterns": [ ".*" ],
      "clusters": [ ".*" ]
    },
    {
      "resources": [ "TOPIC", "TOPIC_DATA" ],
      "actions": [ "READ" ],
      "patterns": [ "test-.*" ],
      "clusters": [ ".*" ]
    },
    {
      "resources": [ "TOPIC" ],
      "actions": [ "READ_CONFIG" ],
      "patterns": [ "test-.*" ],
      "clusters": [ ".*" ]
    },
    {
      "resources": [ "NODE" ],
      "actions": [ "READ", "READ_CONFIG" ],
      "patterns": [ "test-.*" ],
      "clusters": [ ".*" ]
    },
    {
      "resources": [ "NODE" ],
      "actions": [ "READ", "READ_CONFIG" ],
      "patterns": [ ".*" ],
      "clusters": [ ".*" ]
    },
    {
      "resources": [ "TOPIC" ],
      "actions": [ "READ", "READ_CONFIG" ],
      "patterns": [ ".*" ],
      "clusters": [ ".*" ]
    },
    {
      "resources": [ "CONSUMER_GROUP" ],
      "actions": [ "READ" ],
      "patterns": [ ".*" ],
      "clusters": [ ".*" ]
    }
  ]
}
```

The application config:

```
security:
  default-group: non-auth
  roles:
    node-read:
      - resources: [ "NODE" ]
        actions: [ "READ", "READ_CONFIG" ]
    node-admin:
      - resources: [ "NODE" ]
        actions: [ "READ", "READ_CONFIG", "ALTER_CONFIG" ]
    topic-read:
      - resources: [ "TOPIC", "TOPIC_DATA" ]
        actions: [ "READ" ]
      - resources: [ "TOPIC" ]
        actions: [ "READ_CONFIG" ]
    topic-restricted:
      - resources: [ "TOPIC" ]
        actions: [ "READ", "READ_CONFIG" ]
    topic-admin:
      - resources: [ "TOPIC", "TOPIC_DATA" ]
        actions: [ "READ", "CREATE", "DELETE" ]
      - resources: [ "TOPIC" ]
        actions: [ "UPDATE", "READ_CONFIG", "ALTER_CONFIG" ]
    connect-rw:
      - resources: [ "CONNECTOR" ]
        actions: [ "READ", "CREATE", "UPDATE_STATE" ]
    connect-admin:
      - resources: [ "CONNECTOR" ]
        actions: [ "READ", "CREATE", "UPDATE_STATE", "DELETE" ]
    registry-read:
      - resources: [ "SCHEMA" ]
        actions: [ "READ" ]
    registry-admin:
      - resources: [ "SCHEMA" ]
        actions: [ "READ", "CREATE", "UPDATE", "DELETE", "DELETE_VERSION" ]
    group-read:
      - resources: [ "CONSUMER_GROUP" ]
        actions: [ "READ" ]
    connect-cluster-read:
      - resources: [ "CONNECT_CLUSTER" ]
        actions: [ "READ" ]
    ksqldb-admin:
      - resources: [ "KSQLDB" ]
        actions: [ "READ", "EXECUTE" ]
    no-roles:
      - resources: [ "NODE", "TOPIC", "CONNECTOR", "SCHEMA", "CONSUMER_GROUP", "CONNECT_CLUSTER", "KSQLDB" ]
        actions: [ ]
  # Default AKHQ roles are reader, admin and no-roles
  groups:
    systems-readonly:
      - role: node-read
      - role: topic-restricted
      - role: group-read
        patterns: [ ".*" ]
    systems-admin:
      - role: node-admin
      - role: topic-admin
      - role: connect-admin
      - role: registry-admin
      - role: group-read
      - role: connect-cluster-read
      - role: ksqldb-admin
    test-group:
      - role: topic-restricted
      - role: topic-read
        patterns: [ "test-.*" ]
      - role: node-read
        patterns: [ "test-.*" ]
```

And finally the OIDC default group is `systems-readonly`
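As an added illustration (not code from this issue or from AKHQ itself), the evaluator below applies the `roles` list from the `me` payload above to individual requests, so the per-topic outcome of this configuration can be checked without a running instance. It assumes, as a model of AKHQ's behaviour rather than a statement of it, that `patterns` and `clusters` are regular expressions matched against the whole name and that a request is allowed when at least one role entry covers it; the topic names and the `prod` cluster name are constructed.

```python
import re

# Constructed copy of the "roles" entries from the me payload on the page,
# kept in the same order and with the same duplicate entries.
ROLES = [
    {"resources": ["TOPIC"], "actions": ["READ", "READ_CONFIG"], "patterns": [".*"], "clusters": [".*"]},
    {"resources": ["TOPIC", "TOPIC_DATA"], "actions": ["READ"], "patterns": ["test-.*"], "clusters": [".*"]},
    {"resources": ["TOPIC"], "actions": ["READ_CONFIG"], "patterns": ["test-.*"], "clusters": [".*"]},
    {"resources": ["NODE"], "actions": ["READ", "READ_CONFIG"], "patterns": ["test-.*"], "clusters": [".*"]},
    {"resources": ["NODE"], "actions": ["READ", "READ_CONFIG"], "patterns": [".*"], "clusters": [".*"]},
    {"resources": ["TOPIC"], "actions": ["READ", "READ_CONFIG"], "patterns": [".*"], "clusters": [".*"]},
    {"resources": ["CONSUMER_GROUP"], "actions": ["READ"], "patterns": [".*"], "clusters": [".*"]},
]


def is_allowed(roles, cluster, resource, action, name):
    """Return True if some role grants `action` on `resource` for `name` in `cluster`.

    Assumed semantics: patterns/clusters are full-match regular expressions and
    access is deny-by-default, i.e. one matching role entry is enough to allow.
    """
    for role in roles:
        if resource not in role["resources"] or action not in role["actions"]:
            continue
        if not any(re.fullmatch(p, cluster) for p in role["clusters"]):
            continue
        if any(re.fullmatch(p, name) for p in role["patterns"]):
            return True
    return False


def topics_with_data_access(roles, cluster, topics):
    """Split a topic listing into topics whose TOPIC_DATA may be read and those whose may not."""
    readable = [t for t in topics if is_allowed(roles, cluster, "TOPIC_DATA", "READ", t)]
    denied = [t for t in topics if t not in readable]
    return readable, denied


if __name__ == "__main__":
    # Constructed topic names; "prod" is a placeholder cluster name.
    listing = ["test-orders", "test-audit", "prod-orders", "billing"]
    readable, denied = topics_with_data_access(ROLES, "prod", listing)
    print("TOPIC READ on prod-orders:", is_allowed(ROLES, "prod", "TOPIC", "READ", "prod-orders"))
    print("TOPIC_DATA READ on prod-orders:", is_allowed(ROLES, "prod", "TOPIC_DATA", "READ", "prod-orders"))
    print("data readable:", readable, "data denied:", denied)
```

Under these roles every topic is listable (TOPIC READ matches `.*`) while TOPIC_DATA READ is granted only for names matching `test-.*`, which is the split the reporter expects; the error quoted in the issue is what a TOPIC_DATA READ check produces for any topic outside that pattern.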