
0.25.1 Permissions to limited topics - Unauthorized: missing permission on resource TOPIC_DATA and action READ #1912

Open
thartyhp opened this issue Aug 15, 2024 Discussed in #1910 · 0 comments


@thartyhp

I've since determined this configuration worked okay in 0.25.0, but gets an error in 0.25.1

Behavior in 0.25.0 - User will see all topics as specified in the ACLs, however, if they try to see topic data on a topic they don't have permissions to, the table view will never populate (it may seem like it's loading forever). If it's a topic they have ACL rights to it will display as normal.

Behavior in 0.25.1 - When the user attempts to see the list of topics the table will start to populate, then the "Unauthorized: missing permission on resource TOPIC_DATA and action READ" error is thrown, and the user is sent back to the login page.

Discussed in #1910

Originally posted by thartyhp August 14, 2024
I'm trying to set up a model where we restrict who can see TOPIC_DATA in prod based on group. I can get it so a user can read all TOPIC_DATA or no topic data. But I get an error "Unauthorized: missing permission on resource TOPIC_DATA and action READ" when I try to make it so users can only read select topics based on pattern settings.

The me endpoint returns the following. My read of the endpoint payload is that it should be what I want.

```json
{
    "logged": true,
    "username": "Test User",
    "roles": [
        {
            "resources": [
                "TOPIC"
            ],
            "actions": [
                "READ",
                "READ_CONFIG"
            ],
            "patterns": [
                ".*"
            ],
            "clusters": [
                ".*"
            ]
        },
        {
            "resources": [
                "TOPIC",
                "TOPIC_DATA"
            ],
            "actions": [
                "READ"
            ],
            "patterns": [
                "test-.*"
            ],
            "clusters": [
                ".*"
            ]
        },
        {
            "resources": [
                "TOPIC"
            ],
            "actions": [
                "READ_CONFIG"
            ],
            "patterns": [
                "test-.*"
            ],
            "clusters": [
                ".*"
            ]
        },
        {
            "resources": [
                "NODE"
            ],
            "actions": [
                "READ",
                "READ_CONFIG"
            ],
            "patterns": [
                "test-.*"
            ],
            "clusters": [
                ".*"
            ]
        },
        {
            "resources": [
                "NODE"
            ],
            "actions": [
                "READ",
                "READ_CONFIG"
            ],
            "patterns": [
                ".*"
            ],
            "clusters": [
                ".*"
            ]
        },
        {
            "resources": [
                "TOPIC"
            ],
            "actions": [
                "READ",
                "READ_CONFIG"
            ],
            "patterns": [
                ".*"
            ],
            "clusters": [
                ".*"
            ]
        },
        {
            "resources": [
                "CONSUMER_GROUP"
            ],
            "actions": [
                "READ"
            ],
            "patterns": [
                ".*"
            ],
            "clusters": [
                ".*"
            ]
        }
    ]
}
```

The application config:

```yaml
security:
    default-group: non-auth
    roles:
      node-read:
        - resources: [ "NODE" ]
          actions: [ "READ", "READ_CONFIG" ]
      node-admin:
        - resources: [ "NODE" ]
          actions: [ "READ", "READ_CONFIG", "ALTER_CONFIG" ]
      topic-read:
        - resources: [ "TOPIC", "TOPIC_DATA" ]
          actions: [ "READ" ]
        - resources: [ "TOPIC" ]
          actions: [ "READ_CONFIG" ]
      topic-restricted:
        - resources: [ "TOPIC" ]
          actions: [ "READ", "READ_CONFIG" ]
      topic-admin:
        - resources: [ "TOPIC", "TOPIC_DATA" ]
          actions: [ "READ", "CREATE", "DELETE" ]
        - resources: [ "TOPIC" ]
          actions: [ "UPDATE", "READ_CONFIG", "ALTER_CONFIG" ]
      connect-rw:
        - resources: [ "CONNECTOR" ]
          actions: [ "READ", "CREATE", "UPDATE_STATE" ]
      connect-admin:
        - resources: [ "CONNECTOR" ]
          actions: [ "READ", "CREATE", "UPDATE_STATE", "DELETE" ]
      registry-read:
        - resources: [ "SCHEMA" ]
          actions: [ "READ" ]
      registry-admin:
        - resources: [ "SCHEMA" ]
          actions: [ "READ", "CREATE", "UPDATE", "DELETE", "DELETE_VERSION" ]
      group-read:
        - resources: [ "CONSUMER_GROUP" ]
          actions: [ "READ" ]
      connect-cluster-read:
        - resources: [ "CONNECT_CLUSTER" ]
          actions: [ "READ" ]
      ksqldb-admin:
        - resources: [ "KSQLDB" ]
          actions: [ "READ", "EXECUTE" ]
      no-roles:
        - resources: [ "NODE", "TOPIC", "CONNECTOR", "SCHEMA", "CONSUMER_GROUP", "CONNECT_CLUSTER", "KSQLDB" ]
          actions: [ ]
    # Default AKHQ roles are reader, admin and no-roles
    groups:
      systems-readonly:
        - role: node-read
        - role: topic-restricted
        - role: group-read
          patterns: [ ".*" ]
      systems-admin:
        - role: node-admin
        - role: topic-admin
        - role: connect-admin
        - role: registry-admin
        - role: group-read
        - role: connect-cluster-read
        - role: ksqldb-admin
      test-group:
        - role: topic-restricted
        - role: topic-read
          patterns: [ "test-.*" ]
        - role: node-read
          patterns: [ "test-.*" ]
```

And finally, the OIDC default group is systems-readonly.
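The following is an added example, not AKHQ's own code and not part of the issue: it models the least-privilege outcome the reporter is after, so that a group configuration like the one above can be checked offline before it is deployed. It transcribes the relevant `roles` and `groups` from the config, flattens a user's group memberships into per-entry permissions of the same shape as the me-endpoint payload, and evaluates "can this user read TOPIC_DATA on topic X?" The evaluation semantics (any matching entry grants access, `patterns` and `clusters` are regexes matched against the whole name, a binding with no `patterns` defaults to `.*`) and the helper names `expand`, `is_allowed`, `visible_topics` and `readable_data` are assumptions made for the example; the topic names are constructed.

```python
import re
from collections.abc import Iterable

# Role definitions transcribed from the issue's application config (the subset
# that systems-readonly and test-group use).
ROLES = {
    "node-read": [{"resources": ["NODE"], "actions": ["READ", "READ_CONFIG"]}],
    "topic-read": [
        {"resources": ["TOPIC", "TOPIC_DATA"], "actions": ["READ"]},
        {"resources": ["TOPIC"], "actions": ["READ_CONFIG"]},
    ],
    "topic-restricted": [{"resources": ["TOPIC"], "actions": ["READ", "READ_CONFIG"]}],
    "group-read": [{"resources": ["CONSUMER_GROUP"], "actions": ["READ"]}],
}

# Group bindings transcribed from the same config.
GROUPS = {
    "systems-readonly": [
        {"role": "node-read"},
        {"role": "topic-restricted"},
        {"role": "group-read", "patterns": [".*"]},
    ],
    "test-group": [
        {"role": "topic-restricted"},
        {"role": "topic-read", "patterns": ["test-.*"]},
        {"role": "node-read", "patterns": ["test-.*"]},
    ],
}


def expand(groups: Iterable[str]) -> list[dict]:
    """Flatten group memberships into entries shaped like the me-endpoint 'roles' list.

    Assumption: a binding without explicit patterns/clusters defaults to ".*".
    """
    entries = []
    for group in groups:
        for binding in GROUPS[group]:
            patterns = binding.get("patterns", [".*"])
            clusters = binding.get("clusters", [".*"])
            for item in ROLES[binding["role"]]:
                entries.append({
                    "resources": list(item["resources"]),
                    "actions": list(item["actions"]),
                    "patterns": list(patterns),
                    "clusters": list(clusters),
                })
    return entries


def _matches(patterns: list[str], name: str) -> bool:
    # Assumption: patterns are regexes that must match the whole name.
    return any(re.fullmatch(p, name) for p in patterns)


def is_allowed(entries: list[dict], resource: str, action: str,
               name: str, cluster: str = "prod") -> bool:
    """Assumed semantics: access is granted if any single entry covers the
    resource, the action, the object name and the cluster."""
    return any(
        resource in e["resources"]
        and action in e["actions"]
        and _matches(e["patterns"], name)
        and _matches(e["clusters"], cluster)
        for e in entries
    )


def visible_topics(entries: list[dict], topics: list[str], cluster: str = "prod") -> list[str]:
    """Topics the user should see in the topic list (TOPIC / READ)."""
    return [t for t in topics if is_allowed(entries, "TOPIC", "READ", t, cluster)]


def readable_data(entries: list[dict], topics: list[str], cluster: str = "prod") -> list[str]:
    """Topics whose messages the user should be able to open (TOPIC_DATA / READ)."""
    return [t for t in topics if is_allowed(entries, "TOPIC_DATA", "READ", t, cluster)]


if __name__ == "__main__":
    # A user in the OIDC default group plus test-group, as in the issue.
    user_entries = expand(["systems-readonly", "test-group"])
    sample_topics = ["test-orders", "prod-orders"]  # constructed names
    print("entries:", len(user_entries))
    print("visible:", visible_topics(user_entries, sample_topics))
    print("data readable:", readable_data(user_entries, sample_topics))
```

Expanding `systems-readonly` together with `test-group` yields seven entries, the same number the reporter's me-endpoint payload contains, and under the assumed semantics the user can list both topics but read message data only on `test-orders`. Running a check like this against each group before rollout makes it obvious which resource/action pair a given view will need, which is exactly the distinction the 0.25.1 error message is raising.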
