Skip to content

feat(groups): clear 403 + allowed-prefix hint for create-group ACL denials#14

Merged
github-actions[bot] merged 1 commit into
mainfrom
feat/create-group-authz-hint
Jul 9, 2026
Merged

feat(groups): clear 403 + allowed-prefix hint for create-group ACL denials#14
github-actions[bot] merged 1 commit into
mainfrom
feat/create-group-authz-hint

Conversation

@FinkeFlo

@FinkeFlo FinkeFlo commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

Makes a failed create consumer group understandable when the cluster's
ACLs don't permit the group name (previously a generic 502, so it looked like
a credentials problem).

Backend

  • CreateGroup detects Kafka authorization failures
    (GROUP_/TOPIC_/CLUSTER_AUTHORIZATION_FAILED) on both the top-level path
    (topic offset lookup) and the per-partition path (a denied offset commit,
    where GROUP_AUTHORIZATION_FAILED actually surfaces). It returns a new
    ErrNotAuthorized, mapped to 403 with a clear message instead of a
    generic 502. A denied commit no longer reports success.

Frontend (create-group modal)

  • Shows the allowed group-name patterns for the current principal, read from
    the cluster ACLs (ALLOW on the GROUP resource; PREFIXED shown with *).
    Reading ACLs needs cluster DESCRIBE; when the key can't, the hint is simply
    omitted (graceful) and the clear 403 still explains the failure.
  • The modal stays open and surfaces the error instead of closing as "success"
    on a denied or partially-errored commit.

Gates

Backend: go buildgo vetgo test ./internal/server/... ./pkg/kafka/... ✓ (new isAuthorizationFailure test).
Frontend: npm run lintnpm run buildnpm run check:palette ✓ · Vitest 269 passed.

…ed group prefixes

Detect Kafka authorization failures in CreateGroup (top-level topic lookup and per-partition offset commit) and return ErrNotAuthorized -> 403 with a clear message instead of a generic 502. The modal surfaces the error instead of closing as success, and shows the allowed GROUP name patterns from the cluster ACLs when the key can read them.

Signed-off-by: FinkeFlo <florian.kube@gmail.com>
@github-actions
github-actions Bot enabled auto-merge (rebase) July 9, 2026 21:29
@github-actions
github-actions Bot merged commit 6318681 into main Jul 9, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant