Description
Problem Statement:
Using Kafka ACLs with --resource-pattern-type prefixed and resource name "*" does not act as a wildcard.
Kafka accepts this ACL silently, but it matches no actual topic because no topic name begins with *.
When other topic-specific ACLs are added, the UI or client loses visibility, showing that the prefixed * ACL is ineffective and misleading.
Reproducible Scenario:
Kafka cluster: AWS MSK with mTLS
Client cert: CN=*.kafka.mtls.sbcp.io, O=o-m61xxxx
Client: Kafka UI deployed in Kubernetes via Istio using the mTLS cert
Steps:
- Baseline (no ACLs):
  Kafka UI shows all topics, the MSK default (allow.everyone.if.no.acl.found=true).
- Apply literal "*" ACL with wrong principal (missing O=):
  kafka-acls.sh --add --allow-principal "User:CN=*.kafka.msk.sbcp.io" --operation All --topic "*" --resource-pattern-type literal
  Kafka UI shows no topics.
  Root cause: principal mismatch (full DN not matched).
- Apply prefixed "*" ACL with the same principal:
  kafka-acls.sh --add --allow-principal "User:CN=*.kafka.msk.sbcp.io" --operation All --topic "*" --resource-pattern-type prefixed
  False sense of success: the MSK fallback is still letting the UI fetch open topics.
  Kafka UI temporarily shows topics.
- Add topic-specific ACL for a different principal:
  kafka-acls.sh --add --allow-principal "User:CN=*.dotk-4.msk.sbcp.io" --operation All --topic "dotk-4_" --resource-pattern-type prefixed
  Kafka UI no longer sees any dotk-4_ topics.
  At this point, MSK enforces ACLs strictly: only matching ACLs apply.
  The prefixed "*" from earlier fails to apply (no topic starts with "*").
- Add literal ACL for a single topic to a different principal:
  kafka-acls.sh --add --allow-principal "User:CN=*.dotk-3.msk.sbcp.io" --operation All --topic "dotk-3_sample-topic"
  Kafka UI cannot see dotk-4_sample-topic either.
  Confirms that the CN=*.kafka.mtls.sbcp.io, O=o-m61xxxx principal has no effective access, and the prefixed "*" ACL does not apply.
- Apply proper ACL with full DN and literal "*":
  kafka-acls.sh --add --allow-principal "User:CN=*.kafka.mtls.sbcp.io, O=o-m61xxxx" --operation All --topic "*" --resource-pattern-type literal
  Kafka UI shows all topics again.
  Works as expected: literal "*" correctly applies wildcard access to all topics.
- Apply proper ACL with full DN and prefixed "*":
  kafka-acls.sh --add --allow-principal "User:CN=*.kafka.mtls.sbcp.io, O=o-m61xxxx" --operation All --topic "*" --resource-pattern-type prefixed
  Kafka UI became unresponsive, stuck in an infinite loading state.
  The prefixed "*" pattern does not match any real topic (because no topic name starts with "*").
  Kafka UI keeps retrying metadata fetching (due to 0 authorized topics), resulting in an infinite loading spinner.
Based on the behavior observed, it appears that using --resource-pattern-type prefixed with a resource name "*" does not function as a wildcard and results in no actual resource match (since no Kafka topic can start with *).
Could you please confirm:
- Is --resource-pattern-type prefixed --topic "*" a valid wildcard pattern in Kafka ACL configuration?
- If not, under what specific scenario would prefixed "*" be expected to match resources?
- Can the documentation be updated to clearly warn about the ineffectiveness of prefixed "*" to prevent production misconfiguration risks?
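Added example (not part of the issue above, and not Kafka's or Kafka UI's code): a small Python model of the matching rules Kafka's AclAuthorizer applies to topic ACLs, used to replay the steps of the report offline. It encodes three rules that explain every observation in the report: a LITERAL resource name of "*" is the special wildcard resource, a PREFIXED pattern is a plain string-prefix match (so prefixed "*" only matches names that start with a literal asterisk), and allow.everyone.if.no.acl.found applies only when no ACL at all matches the resource, regardless of principal. Principals are compared as exact strings against the full DN, so "User:CN=*.kafka.msk.sbcp.io" is not a glob and does not match "User:CN=*.kafka.mtls.sbcp.io, O=o-m61xxxx". Assumptions: topic resources only, no super.users, deny-before-allow, a simplified operation check without implied operations, and constructed topic names.

```python
# Added example (not from the issue or from Kafka): a model of Kafka
# AclAuthorizer topic matching, simplified as described in the lead-in.
from dataclasses import dataclass
from typing import Dict, List

WILDCARD_RESOURCE = "*"  # special ONLY for literal patterns


@dataclass(frozen=True)
class Acl:
    principal: str                  # exact string, e.g. "User:CN=*.x, O=org"; "*" is not a glob here
    resource_name: str
    pattern_type: str = "literal"   # "literal" or "prefixed"
    operation: str = "All"
    permission: str = "allow"       # "allow" or "deny"


def resource_matches(acl: Acl, topic: str) -> bool:
    """Literal: exact name or the wildcard resource "*". Prefixed: string prefix."""
    if acl.pattern_type == "literal":
        return acl.resource_name == WILDCARD_RESOURCE or acl.resource_name == topic
    if acl.pattern_type == "prefixed":
        # No wildcard handling: prefixed "*" matches only names starting with "*".
        return topic.startswith(acl.resource_name)
    raise ValueError(f"unknown pattern type {acl.pattern_type!r}")


def principal_matches(acl: Acl, principal: str) -> bool:
    # Exact comparison against the full DN; "User:*" is the only principal wildcard.
    return acl.principal == principal or acl.principal == "User:*"


def operation_matches(acl: Acl, operation: str) -> bool:
    return acl.operation in ("All", operation)


def authorize(acls: List[Acl], principal: str, topic: str, operation: str = "Describe",
              allow_everyone_if_no_acl_found: bool = True) -> bool:
    on_resource = [a for a in acls if resource_matches(a, topic)]
    if not on_resource:
        # The fallback applies only when NO ACL matches the resource at all.
        return allow_everyone_if_no_acl_found
    relevant = [a for a in on_resource
                if principal_matches(a, principal) and operation_matches(a, operation)]
    if any(a.permission == "deny" for a in relevant):
        return False
    return any(a.permission == "allow" for a in relevant)


def visible_topics(acls: List[Acl], principal: str, topics: List[str]) -> List[str]:
    return [t for t in topics if authorize(acls, principal, t)]


# Constructed sample data (topic names are made up for the example).
TOPICS = ["dotk-3_sample-topic", "dotk-4_sample-topic", "orders"]
UI_PRINCIPAL = "User:CN=*.kafka.mtls.sbcp.io, O=o-m61xxxx"   # full DN from the report
WRONG_PRINCIPAL = "User:CN=*.kafka.msk.sbcp.io"             # the ACL principal without O=
TOPIC_ACLS = [
    Acl("User:CN=*.dotk-4.msk.sbcp.io", "dotk-4_", "prefixed"),
    Acl("User:CN=*.dotk-3.msk.sbcp.io", "dotk-3_sample-topic", "literal"),
]


def replay_issue() -> Dict[str, List[str]]:
    """Topics the UI principal can see at each step of the report."""
    prefixed_full_dn = [Acl(UI_PRINCIPAL, "*", "prefixed"), *TOPIC_ACLS]
    return {
        "baseline": visible_topics([], UI_PRINCIPAL, TOPICS),
        "literal_star_wrong_principal":
            visible_topics([Acl(WRONG_PRINCIPAL, "*", "literal")], UI_PRINCIPAL, TOPICS),
        "prefixed_star_wrong_principal":
            visible_topics([Acl(WRONG_PRINCIPAL, "*", "prefixed")], UI_PRINCIPAL, TOPICS),
        "prefixed_star_plus_topic_acls":
            visible_topics([Acl(WRONG_PRINCIPAL, "*", "prefixed"), *TOPIC_ACLS], UI_PRINCIPAL, TOPICS),
        "literal_star_full_dn":
            visible_topics([Acl(UI_PRINCIPAL, "*", "literal"), *TOPIC_ACLS], UI_PRINCIPAL, TOPICS),
        "prefixed_star_full_dn": visible_topics(prefixed_full_dn, UI_PRINCIPAL, TOPICS),
        "prefixed_star_full_dn_no_fallback": [
            t for t in TOPICS
            if authorize(prefixed_full_dn, UI_PRINCIPAL, t, allow_everyone_if_no_acl_found=False)
        ],
    }


if __name__ == "__main__":
    for step, topics in replay_issue().items():
        print(f"{step:36s} -> {topics}")
```

The replay shows why the prefixed "*" ACL looked like it worked at first: with no other ACLs on the cluster it matches nothing, so every request falls through to allow.everyone.if.no.acl.found. As soon as any ACL matches a topic (the dotk-4_ prefix or the dotk-3_sample-topic literal), that topic is evaluated strictly and the UI principal is denied, while the prefixed "*" ACL still contributes nothing. The same ACL set with the fallback disabled authorizes zero topics, which is the state the report describes as the infinite loading spinner. The fix is the literal "*" ACL with the full DN, exactly as the report's penultimate step shows.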