kafbat
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 9 additions & 9 deletions b/‎.github/dependabot.yml‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎api/build.gradle‎
Lines changed: 11 additions & 6 deletions b/‎api/build.gradle‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎api/src/main/java/io/kafbat/ui/config/auth/RoleBasedAccessControlProperties.java‎
Lines changed: 15 additions & 0 deletions b/‎api/src/main/java/io/kafbat/ui/config/auth/RoleBasedAccessControlProperties.java‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎api/src/main/java/io/kafbat/ui/controller/AclsController.java‎
Lines changed: 2 additions & 1 deletion b/‎api/src/main/java/io/kafbat/ui/controller/AclsController.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/src/main/java/io/kafbat/ui/controller/AuthorizationController.java‎
Lines changed: 11 additions & 0 deletions b/‎api/src/main/java/io/kafbat/ui/controller/AuthorizationController.java‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎api/src/main/java/io/kafbat/ui/model/rbac/DefaultRole.java‎
Lines changed: 18 additions & 0 deletions b/‎api/src/main/java/io/kafbat/ui/model/rbac/DefaultRole.java‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎api/src/main/java/io/kafbat/ui/model/rbac/Role.java‎
Lines changed: 0 additions & 1 deletion b/‎api/src/main/java/io/kafbat/ui/model/rbac/Role.java‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎api/src/main/java/io/kafbat/ui/serdes/ProducerRecordCreator.java‎
Lines changed: 11 additions & 6 deletions b/‎api/src/main/java/io/kafbat/ui/serdes/ProducerRecordCreator.java‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎api/src/main/java/io/kafbat/ui/serdes/SerdeInstance.java‎
Lines changed: 12 additions & 1 deletion b/‎api/src/main/java/io/kafbat/ui/serdes/SerdeInstance.java‎
Lines changed: 12 additions & 1 deletion
@@ -2,6 +2,7 @@
 
 
 # BACKEND
+gradle/libs.versions.toml   @kafbat/backend
 /build.gradle               @kafbat/backend
 /gradle.properties          @kafbat/backend
 /settings.gradle            @kafbat/backend
 
@@ -7,14 +7,20 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/backend"
   open-pull-requests-limit: 10
   labels:
     - "type/dependencies"
     - "scope/backend"
   groups:
-    gradle-dependencies:
+    spring-boot-dependencies:
+      patterns:
+        - "org.springframework.boot:*"
+        - "io.spring.dependency-management"
+      # We will handle major upgrades manually
+      update-types:
+        - "patch"
+        - "minor"
+    other-dependencies:
       patterns:
         - "*"
       update-types:
@@ -27,8 +33,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/backend"
   open-pull-requests-limit: 10
   ignore:
   - dependency-name: "azul/zulu-openjdk-alpine"
@@ -43,8 +47,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/frontend"
   open-pull-requests-limit: 10
   versioning-strategy: increase-if-necessary
   labels:
@@ -64,8 +66,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/devops"
   open-pull-requests-limit: 10
   labels:
     - "type/dependencies"
 
@@ -14,7 +14,12 @@ dependencies {
     implementation project(":contract")
     implementation project(":serde-api")
     implementation libs.spring.starter.webflux
-    implementation libs.spring.starter.security
+    implementation(libs.spring.starter.security){
+        exclude group: 'com.nimbusds', module: 'nimbus-jose-jwt' because("Temporary overwrite to fix CVE-2025-53864. See https://avd.aquasec.com/nvd/2025/cve-2025-53864/")
+    }
+    implementation(libs.nimbus.jose.jwt){
+        because("Fixes CVE-2025-5386. See https://avd.aquasec.com/nvd/2025/cve-2025-53864/")
+    }
     implementation libs.spring.starter.actuator
     implementation libs.spring.starter.logging
     implementation libs.spring.starter.oauth2.client
@@ -53,15 +58,15 @@ dependencies {
         exclude group: 'io.projectreactor.ipc', module: 'reactor-netty'
     }
 
-    runtimeOnly libs.micrometer.registry.prometheus
+    runtimeOnly(libs.micrometer.registry.prometheus) {
+        exclude group: 'com.google.protobuf', module: 'protobuf-java' because("Micrometer uses protobuf-java 4.x, which is incompatible with protobuf-java 3.x used by various dependencies of this project. See https://github.com/prometheus/client_java/issues/1431")
+    }
 
     // CVE Fixes
     implementation libs.apache.commons.compress
     implementation libs.okhttp3.logging.intercepter
-    implementation libs.json.smart
-    implementation libs.netty.common
-    implementation libs.netty.handler
-    implementation libs.spring.context
+    implementation libs.reactor.netty.http
+    // CVE Fixes End
 
     implementation libs.modelcontextprotocol.spring.webflux
     implementation libs.victools.jsonschema.generator
 
@@ -1,6 +1,8 @@
 package io.kafbat.ui.config.auth;
 
+import io.kafbat.ui.model.rbac.DefaultRole;
 import io.kafbat.ui.model.rbac.Role;
+import jakarta.annotation.Nullable;
 import jakarta.annotation.PostConstruct;
 import java.util.ArrayList;
 import java.util.List;
@@ -11,13 +13,26 @@ public class RoleBasedAccessControlProperties {
 
   private final List<Role> roles = new ArrayList<>();
 
+  private DefaultRole defaultRole;
+
   @PostConstruct
   public void init() {
     roles.forEach(Role::validate);
+    if (defaultRole != null) {
+      defaultRole.validate();
+    }
   }
 
   public List<Role> getRoles() {
     return roles;
   }
 
+  public void setDefaultRole(DefaultRole defaultRole) {
+    this.defaultRole = defaultRole;
+  }
+
+  @Nullable
+  public DefaultRole getDefaultRole() {
+    return defaultRole;
+  }
 }
@@ -68,6 +68,7 @@ public Mono<ResponseEntity<Flux<KafkaAclDTO>>> listAcls(String clusterName,
                                                           KafkaAclResourceTypeDTO resourceTypeDto,
                                                           String resourceName,
                                                           KafkaAclNamePatternTypeDTO namePatternTypeDto,
+                                                          String search,
                                                           ServerWebExchange exchange) {
     AccessContext context = AccessContext.builder()
         .cluster(clusterName)
@@ -88,7 +89,7 @@ public Mono<ResponseEntity<Flux<KafkaAclDTO>>> listAcls(String clusterName,
     return validateAccess(context).then(
         Mono.just(
             ResponseEntity.ok(
-                aclsService.listAcls(getCluster(clusterName), filter)
+                aclsService.listAcls(getCluster(clusterName), filter, search)
                     .map(ClusterMapper::toKafkaAclDto)))
     ).doOnEach(sig -> audit(context, sig));
   }
 
@@ -3,10 +3,12 @@
 import io.kafbat.ui.api.AuthorizationApi;
 import io.kafbat.ui.model.ActionDTO;
 import io.kafbat.ui.model.AuthenticationInfoDTO;
+import io.kafbat.ui.model.KafkaCluster;
 import io.kafbat.ui.model.ResourceTypeDTO;
 import io.kafbat.ui.model.UserInfoDTO;
 import io.kafbat.ui.model.UserPermissionDTO;
 import io.kafbat.ui.model.rbac.Permission;
+import io.kafbat.ui.service.ClustersStorage;
 import io.kafbat.ui.service.rbac.AccessControlService;
 import java.security.Principal;
 import java.util.Collection;
@@ -29,8 +31,15 @@
 public class AuthorizationController implements AuthorizationApi {
 
   private final AccessControlService accessControlService;
+  private final ClustersStorage clustersStorage;
 
   public Mono<ResponseEntity<AuthenticationInfoDTO>> getUserAuthInfo(ServerWebExchange exchange) {
+    List<UserPermissionDTO> defaultRolePermissions = accessControlService.getDefaultRole() != null
+        ? mapPermissions(
+          accessControlService.getDefaultRole().getPermissions(),
+          clustersStorage.getKafkaClusters().stream().map(KafkaCluster::getName).toList())
+        : Collections.emptyList();
+
     Mono<List<UserPermissionDTO>> permissions = AccessControlService.getUser()
         .map(user -> accessControlService.getRoles()
             .stream()
@@ -39,6 +48,8 @@ public Mono<ResponseEntity<AuthenticationInfoDTO>> getUserAuthInfo(ServerWebExch
             .flatMap(Collection::stream)
             .toList()
         )
+        // if no roles are found, return default role permissions
+        .map(userPermissions ->  userPermissions.isEmpty() ? defaultRolePermissions : userPermissions)
         .switchIfEmpty(Mono.just(Collections.emptyList()));
 
     Mono<String> userName = ReactiveSecurityContextHolder.getContext()
 
@@ -0,0 +1,18 @@
+package io.kafbat.ui.model.rbac;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+import java.util.ArrayList;
+import java.util.List;
+import lombok.Data;
+
+@Data
+public class DefaultRole {
+
+  private List<Permission> permissions = new ArrayList<>();
+
+  public void validate() {
+    permissions.forEach(Permission::validate);
+    permissions.forEach(Permission::transform);
+  }
+}
@@ -21,5 +21,4 @@ public void validate() {
     permissions.forEach(Permission::transform);
     subjects.forEach(Subject::validate);
   }
-
 }
@@ -5,7 +5,7 @@
 import javax.annotation.Nullable;
 import lombok.RequiredArgsConstructor;
 import org.apache.kafka.clients.producer.ProducerRecord;
-import org.apache.kafka.common.header.Header;
+import org.apache.kafka.common.header.Headers;
 import org.apache.kafka.common.header.internals.RecordHeader;
 import org.apache.kafka.common.header.internals.RecordHeaders;
 
@@ -20,18 +20,23 @@ public ProducerRecord<byte[], byte[]> create(String topic,
                                                @Nullable String key,
                                                @Nullable String value,
                                                @Nullable Map<String, String> headers) {
+
+    Headers kafkaHeaders = createHeaders(headers);
+
     return new ProducerRecord<>(
         topic,
         partition,
-        key == null ? null : keySerializer.serialize(key),
-        value == null ? null : valuesSerializer.serialize(value),
-        headers == null ? null : createHeaders(headers)
+        key == null ? null : keySerializer.serialize(key, kafkaHeaders),
+        value == null ? null : valuesSerializer.serialize(value, kafkaHeaders),
+        kafkaHeaders
     );
   }
 
-  private Iterable<Header> createHeaders(Map<String, String> clientHeaders) {
+  private Headers createHeaders(Map<String, String> clientHeaders) {
     RecordHeaders headers = new RecordHeaders();
-    clientHeaders.forEach((k, v) -> headers.add(new RecordHeader(k, v == null ? null : v.getBytes())));
+    if (clientHeaders != null) {
+      clientHeaders.forEach((k, v) -> headers.add(new RecordHeader(k, v == null ? null : v.getBytes())));
+    }
     return headers;
   }
 
 
@@ -10,6 +10,7 @@
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.kafka.common.header.Headers;
 
 @Slf4j
 @RequiredArgsConstructor
@@ -80,7 +81,17 @@ public boolean canDeserialize(String topic, Serde.Target type) {
   public Serde.Serializer serializer(String topic, Serde.Target type) {
     return wrapWithClassloader(() -> {
       var serializer = serde.serializer(topic, type);
-      return input -> wrapWithClassloader(() -> serializer.serialize(input));
+      return new Serde.Serializer() {
+        @Override
+        public byte[] serialize(String input) {
+          return wrapWithClassloader(() -> serializer.serialize(input));
+        }
+
+        @Override
+        public byte[] serialize(String input, Headers headers) {
+          return wrapWithClassloader(() -> serializer.serialize(input, headers));
+        }
+      };
     });
   }
Original file line number	Diff line number	Diff line change
`@@ -21,5 +21,4 @@ public void validate() {`
`21`	`21`	`permissions.forEach(Permission::transform);`
`22`	`22`	`subjects.forEach(Subject::validate);`
`23`	`23`	`}`
`24`		`-`
`25`	`24`	`}`