From 72f73be1ae05ce901f82c865b3036eb59f0ddd37 Mon Sep 17 00:00:00 2001 From: Cynthia Qin Date: Thu, 31 Jul 2025 11:34:55 -0700 Subject: [PATCH 1/3] Update validateTopic logic to allow auth being handled --- internal/kafka/command_topic.go | 11 ++++++----- internal/kafka/command_topic_onprem.go | 12 ++++++------ pkg/errors/error_message.go | 8 +++----- 3 files changed, 15 insertions(+), 16 deletions(-) diff --git a/internal/kafka/command_topic.go b/internal/kafka/command_topic.go index cc676b7d9f..e80f7b05a7 100644 --- a/internal/kafka/command_topic.go +++ b/internal/kafka/command_topic.go @@ -118,11 +118,12 @@ func (c *command) validateTopic(client *ckgo.AdminClient, topic string, cluster } } if !foundTopic { - log.CliLogger.Trace("validateTopic failed due to topic not being found in the client's topic list") - return errors.NewErrorWithSuggestions( - fmt.Sprintf(errors.TopicDoesNotExistOrMissingPermissionsErrorMsg, topic), - fmt.Sprintf(errors.TopicDoesNotExistOrMissingPermissionsSuggestions, cluster.ID), - ) + log.CliLogger.Tracef("validateTopic: Topic '%s' not visible in metadata, this could be due to ACL restrictions. Proceeding with operation to allow Kafka to handle authorization.", topic) + // Instead of failing here, we log the situation and proceed. This allows: + // 1. ALLOW topics to work properly and generate audit events + // 2. DENY topics to fail at the consumer level and generate denial audit events + // 3. Non-existent topics to fail with appropriate Kafka errors + return nil } log.CliLogger.Tracef("validateTopic succeeded") diff --git a/internal/kafka/command_topic_onprem.go b/internal/kafka/command_topic_onprem.go index c0eb41fe08..0cde6cb028 100644 --- a/internal/kafka/command_topic_onprem.go +++ b/internal/kafka/command_topic_onprem.go @@ -6,7 +6,6 @@ import ( ckgo "github.com/confluentinc/confluent-kafka-go/v2/kafka" - "github.com/confluentinc/cli/v4/pkg/errors" "github.com/confluentinc/cli/v4/pkg/log" ) @@ -26,11 +25,12 @@ func ValidateTopic(adminClient *ckgo.AdminClient, topic string) error { } } if !foundTopic { - log.CliLogger.Tracef("validateTopic failed due to topic not being found in the client's topic list") - return errors.NewErrorWithSuggestions( - fmt.Sprintf(errors.TopicDoesNotExistOrMissingPermissionsErrorMsg, topic), - fmt.Sprintf(errors.TopicDoesNotExistOrMissingPermissionsSuggestions, ""), - ) + log.CliLogger.Tracef("validateTopic: Topic '%s' not visible in metadata, this could be due to ACL restrictions. Proceeding with operation to allow Kafka to handle authorization.", topic) + // Instead of failing here, we log the situation and proceed. This allows: + // 1. ALLOW topics to work properly and generate audit events + // 2. DENY topics to fail at the consumer level and generate denial audit events + // 3. Non-existent topics to fail with appropriate Kafka errors + return nil } log.CliLogger.Tracef("validateTopic succeeded") diff --git a/pkg/errors/error_message.go b/pkg/errors/error_message.go index 5ec1198112..670704e509 100644 --- a/pkg/errors/error_message.go +++ b/pkg/errors/error_message.go @@ -26,11 +26,9 @@ const ( RequiredFlagNotSetErrorMsg = "required flag `--%s` not set" // kafka cluster commands - CkuMoreThanZeroErrorMsg = "`--cku` value must be greater than 0" - TopicDoesNotExistOrMissingPermissionsErrorMsg = `topic "%s" does not exist or user does not have the ACLs or role bindings required to describe it` - TopicDoesNotExistOrMissingPermissionsSuggestions = "To list topics for Kafka cluster \"%[1]s\", use `confluent kafka topic list --cluster %[1]s`.\nTo list ACLs use `confluent kafka acl list --cluster %[1]s`.\nTo list role bindings use `confluent iam rbac role-binding list`." - KafkaClusterNotFoundErrorMsg = `Kafka cluster "%s" not found` - ChooseRightEnvironmentSuggestions = "Ensure the cluster ID you entered is valid.\n" + + CkuMoreThanZeroErrorMsg = "`--cku` value must be greater than 0" + KafkaClusterNotFoundErrorMsg = `Kafka cluster "%s" not found` + ChooseRightEnvironmentSuggestions = "Ensure the cluster ID you entered is valid.\n" + "Ensure the cluster you are specifying belongs to the currently selected environment with `confluent kafka cluster list`, `confluent environment list`, and `confluent environment use`." UnknownTopicErrorMsg = `unknown topic "%s"` KafkaClusterMissingPrefixErrorMsg = `Kafka cluster "%s" is missing required prefix "lkc-"` From 80a2dbb29887d4e75abc0c9f7e692954362c6321 Mon Sep 17 00:00:00 2001 From: Cynthia Qin Date: Thu, 31 Jul 2025 15:48:54 -0700 Subject: [PATCH 2/3] Nit --- internal/kafka/command_topic.go | 6 +----- internal/kafka/command_topic_onprem.go | 4 ---- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/internal/kafka/command_topic.go b/internal/kafka/command_topic.go index e80f7b05a7..617d5e1f9b 100644 --- a/internal/kafka/command_topic.go +++ b/internal/kafka/command_topic.go @@ -119,11 +119,7 @@ func (c *command) validateTopic(client *ckgo.AdminClient, topic string, cluster } if !foundTopic { log.CliLogger.Tracef("validateTopic: Topic '%s' not visible in metadata, this could be due to ACL restrictions. Proceeding with operation to allow Kafka to handle authorization.", topic) - // Instead of failing here, we log the situation and proceed. This allows: - // 1. ALLOW topics to work properly and generate audit events - // 2. DENY topics to fail at the consumer level and generate denial audit events - // 3. Non-existent topics to fail with appropriate Kafka errors - return nil + return nil } log.CliLogger.Tracef("validateTopic succeeded") diff --git a/internal/kafka/command_topic_onprem.go b/internal/kafka/command_topic_onprem.go index 0cde6cb028..d06cfdae8b 100644 --- a/internal/kafka/command_topic_onprem.go +++ b/internal/kafka/command_topic_onprem.go @@ -26,10 +26,6 @@ func ValidateTopic(adminClient *ckgo.AdminClient, topic string) error { } if !foundTopic { log.CliLogger.Tracef("validateTopic: Topic '%s' not visible in metadata, this could be due to ACL restrictions. Proceeding with operation to allow Kafka to handle authorization.", topic) - // Instead of failing here, we log the situation and proceed. This allows: - // 1. ALLOW topics to work properly and generate audit events - // 2. DENY topics to fail at the consumer level and generate denial audit events - // 3. Non-existent topics to fail with appropriate Kafka errors return nil } From 1fe3123bf85d4775b1cdf89747ab8af6a5a4e8a8 Mon Sep 17 00:00:00 2001 From: Cynthia Qin Date: Thu, 7 Aug 2025 10:49:02 -0700 Subject: [PATCH 3/3] Remove indentation --- internal/kafka/command_topic.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/kafka/command_topic.go b/internal/kafka/command_topic.go index 617d5e1f9b..afb45b3a31 100644 --- a/internal/kafka/command_topic.go +++ b/internal/kafka/command_topic.go @@ -119,7 +119,7 @@ func (c *command) validateTopic(client *ckgo.AdminClient, topic string, cluster } if !foundTopic { log.CliLogger.Tracef("validateTopic: Topic '%s' not visible in metadata, this could be due to ACL restrictions. Proceeding with operation to allow Kafka to handle authorization.", topic) - return nil + return nil } log.CliLogger.Tracef("validateTopic succeeded")