Merge remote-tracking branch 'origin/main' into feature/reset-connector-offsets

Author: Dugong42

.dev/dev_arm64.yaml

@@ -32,7 +32,8 @@ services:
       KAFKA_CLUSTERS_0_AUDIT_CONSOLEAUDITENABLED: 'true'
 
   kafka0:
-    image: confluentinc/cp-kafka:7.2.1.arm64
+    image: confluentinc/cp-kafka:7.6.0.arm64
+    user: "0:0"
     hostname: kafka0
     container_name: kafka0
     ports:
@@ -56,12 +57,10 @@ services:
       KAFKA_JMX_PORT: 9997
 #      KAFKA_JMX_HOSTNAME: localhost # uncomment this line and comment the next one if running with kafka-ui as a jar
       KAFKA_JMX_OPTS: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=kafka0 -Dcom.sun.management.jmxremote.rmi.port=9997
-    volumes:
-      - ../documentation/compose/scripts/update_run.sh:/tmp/update_run.sh
-    command: "bash -c 'if [ ! -f /tmp/update_run.sh ]; then echo \"ERROR: Did you forget the update_run.sh file that came with this docker-compose.yml file?\" && exit 1 ; else /tmp/update_run.sh && /etc/confluent/docker/run ; fi'"
+      CLUSTER_ID: 'MkU3OEVBNTcwNTJENDM2Qk'
 
   schema-registry0:
-    image: confluentinc/cp-schema-registry:7.2.1.arm64
+    image: confluentinc/cp-schema-registry:7.6.0.arm64
     ports:
       - 8085:8085
     depends_on:
@@ -77,7 +76,7 @@ services:
       SCHEMA_REGISTRY_KAFKASTORE_TOPIC: _schemas
 
   kafka-connect0:
-    image: confluentinc/cp-kafka-connect:7.2.1.arm64
+    image: confluentinc/cp-kafka-connect:7.6.0.arm64
     ports:
       - 8083:8083
     depends_on:
@@ -102,7 +101,7 @@ services:
       CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components,/usr/local/share/kafka/plugins,/usr/share/filestream-connectors"
 
   ksqldb0:
-    image: confluentinc/ksqldb-server:0.18.0
+    image: confluentinc/cp-ksqldb-server:7.6.0.arm64
     depends_on:
       - kafka0
       - kafka-connect0
@@ -120,7 +119,7 @@ services:
       KSQL_CACHE_MAX_BYTES_BUFFERING: 0
 
   kafka-init-topics:
-    image: confluentinc/cp-kafka:7.2.1.arm64
+    image: confluentinc/cp-kafka:7.6.0.arm64
     volumes:
       - ../documentation/compose/data/message.json:/data/message.json
     depends_on:

.github/workflows/build-public-image.yml

@@ -6,7 +6,9 @@ on:
     types: ['labeled']
 
 permissions:
+  id-token: write
   contents: read
+  pull-requests: write
 
 jobs:
   build:
@@ -47,12 +49,11 @@ jobs:
           key: ${{ runner.os }}-buildx-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-
-      - name: Configure AWS credentials for Kafka-UI account
+      - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
+          role-to-assume: ${{ secrets.AWS_ROLE }}
       - name: Login to Amazon ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2
@@ -65,7 +66,7 @@ jobs:
           builder: ${{ steps.buildx.outputs.name }}
           context: api
           push: true
-          tags: public.ecr.aws/kafbat/kafka-ui-custom-build:${{ steps.extract_branch.outputs.tag }}
+          tags: ${{ vars.ECR_REGISTRY }}/${{ github.repository }}:${{ steps.extract_branch.outputs.tag }}
           build-args: |
             JAR_FILE=api-${{ steps.build.outputs.version }}.jar
           cache-from: type=local,src=/tmp/.buildx-cache
@@ -75,6 +76,6 @@ jobs:
         with:
           issue-number: ${{ github.event.pull_request.number }}
           body: |
-            Image published at public.ecr.aws/kafbat/kafka-ui-custom-build:${{ steps.extract_branch.outputs.tag }}
+            Image published at ${{ vars.ECR_REGISTRY }}/${{ github.repository }}:${{ steps.extract_branch.outputs.tag }}
     outputs:
       tag: ${{ steps.extract_branch.outputs.tag }}

.github/workflows/docker_publish.yml

@@ -85,7 +85,7 @@ jobs:
             echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV
             echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
           elif [ ${{ matrix.registry }} == 'ecr' ]; then
-            echo "REGISTRY=${{ steps.login-ecr-public.outputs.registry }}" >> $GITHUB_ENV
+            echo "REGISTRY=${{ vars.ECR_REGISTRY }}" >> $GITHUB_ENV
             echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
           else
             echo "REGISTRY=" >> $GITHUB_ENV

api/pom.xml

@@ -91,7 +91,7 @@
         <dependency>
             <groupId>software.amazon.msk</groupId>
             <artifactId>aws-msk-iam-auth</artifactId>
-            <version>2.1.0</version>
+            <version>2.2.0</version>
         </dependency>
 
         <dependency>
@@ -266,18 +266,6 @@
             <artifactId>cel</artifactId>
         </dependency>
         <!--        CVE fixes -->
-        <dependency>
-            <groupId>ch.qos.logback</groupId>
-            <artifactId>logback-classic</artifactId>
-            <version>1.4.12</version>
-        </dependency>
-        <!--        CVE fixes -->
-        <dependency>
-            <groupId>ch.qos.logback</groupId>
-            <artifactId>logback-core</artifactId>
-            <version>1.4.12</version>
-        </dependency>
-        <!--        CVE fixes -->
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
             <artifactId>logging-interceptor</artifactId>
@@ -289,7 +277,6 @@
             <artifactId>commons-compress</artifactId>
             <version>1.26.0</version>
         </dependency>
-
     </dependencies>
 
     <build>

api/src/main/java/io/kafbat/ui/config/ReadOnlyModeFilter.java

@@ -25,7 +25,7 @@ public class ReadOnlyModeFilter implements WebFilter {
       Pattern.compile("/api/clusters/(?<clusterName>[^/]++)");
 
   private static final Set<Pattern> SAFE_ENDPOINTS = Set.of(
-      Pattern.compile("/api/clusters/[^/]+/topics/[^/]+/(smartfilters)$")
+      Pattern.compile("/api/clusters/[^/]+/topics/[^/]+/(smartfilters|analysis)$")
   );
 
   private final ClustersStorage clustersStorage;

api/src/main/java/io/kafbat/ui/controller/ConsumerGroupsController.java

@@ -59,6 +59,24 @@ public Mono<ResponseEntity<Void>> deleteConsumerGroup(String clusterName,
         .thenReturn(ResponseEntity.ok().build());
   }
 
+  @Override
+  public Mono<ResponseEntity<Void>> deleteConsumerGroupOffsets(String clusterName,
+                                                               String groupId,
+                                                               String topicName,
+                                                               ServerWebExchange exchange) {
+    var context = AccessContext.builder()
+        .cluster(clusterName)
+        .consumerGroupActions(groupId, RESET_OFFSETS)
+        .topicActions(topicName, TopicAction.VIEW)
+        .operationName("deleteConsumerGroupOffsets")
+        .build();
+
+    return validateAccess(context)
+        .then(consumerGroupService.deleteConsumerGroupOffset(getCluster(clusterName), groupId, topicName))
+        .doOnEach(sig -> audit(context, sig))
+        .thenReturn(ResponseEntity.ok().build());
+  }
+
   @Override
   public Mono<ResponseEntity<ConsumerGroupDetailsDTO>> getConsumerGroup(String clusterName,
                                                                         String consumerGroupId,

api/src/main/java/io/kafbat/ui/model/InternalBrokerConfig.java

@@ -16,12 +16,12 @@ public class InternalBrokerConfig {
   private final boolean isReadOnly;
   private final List<ConfigEntry.ConfigSynonym> synonyms;
 
-  public static InternalBrokerConfig from(ConfigEntry configEntry) {
+  public static InternalBrokerConfig from(ConfigEntry configEntry, boolean readOnlyCluster) {
     InternalBrokerConfig.InternalBrokerConfigBuilder builder = InternalBrokerConfig.builder()
         .name(configEntry.name())
         .value(configEntry.value())
         .source(configEntry.source())
-        .isReadOnly(configEntry.isReadOnly())
+        .isReadOnly(readOnlyCluster || configEntry.isReadOnly())
         .isSensitive(configEntry.isSensitive())
         .synonyms(configEntry.synonyms());
     return builder.build();

api/src/main/java/io/kafbat/ui/service/BrokerService.java

@@ -59,7 +59,7 @@ private Flux<InternalBrokerConfig> getBrokersConfig(KafkaCluster cluster, Intege
     }
     return loadBrokersConfig(cluster, brokerId)
         .map(list -> list.stream()
-            .map(InternalBrokerConfig::from)
+            .map(configEntry -> InternalBrokerConfig.from(configEntry, cluster.isReadOnly()))
             .collect(Collectors.toList()))
         .flatMapMany(Flux::fromIterable);
   }

api/src/main/java/io/kafbat/ui/service/ConsumerGroupService.java

@@ -209,12 +209,13 @@ private Mono<List<ConsumerGroupDescription>> describeConsumerGroups(ReactiveAdmi
   }
 
 
-  private Mono<List<ConsumerGroupDescription>> loadDescriptionsByInternalConsumerGroups(ReactiveAdminClient ac,
-                                                                                  List<ConsumerGroupListing> groups,
-                                                                                  Comparator<GroupWithDescr> comparator,
-                                                                                  int pageNum,
-                                                                                  int perPage,
-                                                                                  SortOrderDTO sortOrderDto) {
+  private Mono<List<ConsumerGroupDescription>> loadDescriptionsByInternalConsumerGroups(
+      ReactiveAdminClient ac,
+      List<ConsumerGroupListing> groups,
+      Comparator<GroupWithDescr> comparator,
+      int pageNum,
+      int perPage,
+      SortOrderDTO sortOrderDto) {
     var groupNames = groups.stream().map(ConsumerGroupListing::groupId).toList();
 
     return ac.describeConsumerGroups(groupNames)
@@ -247,6 +248,13 @@ public Mono<Void> deleteConsumerGroupById(KafkaCluster cluster,
         .flatMap(adminClient -> adminClient.deleteConsumerGroups(List.of(groupId)));
   }
 
+  public Mono<Void> deleteConsumerGroupOffset(KafkaCluster cluster,
+                                              String groupId,
+                                              String topicName) {
+    return adminClientService.get(cluster)
+        .flatMap(adminClient -> adminClient.deleteConsumerGroupOffsets(groupId, topicName));
+  }
+
   public EnhancedConsumer createConsumer(KafkaCluster cluster) {
     return createConsumer(cluster, Map.of());
   }

api/src/main/java/io/kafbat/ui/service/ReactiveAdminClient.java

@@ -74,6 +74,7 @@
 import org.apache.kafka.common.errors.ClusterAuthorizationException;
 import org.apache.kafka.common.errors.GroupIdNotFoundException;
 import org.apache.kafka.common.errors.GroupNotEmptyException;
+import org.apache.kafka.common.errors.GroupSubscribedToTopicException;
 import org.apache.kafka.common.errors.InvalidRequestException;
 import org.apache.kafka.common.errors.SecurityDisabledException;
 import org.apache.kafka.common.errors.TopicAuthorizationException;
@@ -436,6 +437,27 @@ public Mono<Void> deleteConsumerGroups(Collection<String> groupIds) {
             th -> Mono.error(new IllegalEntityStateException("The group is not empty")));
   }
 
+  public Mono<Void> deleteConsumerGroupOffsets(String groupId, String topicName) {
+    return listConsumerGroupOffsets(List.of(groupId), null)
+        .flatMap(table -> {
+          // filter TopicPartitions by topicName
+          Set<TopicPartition> partitions = table.row(groupId).keySet().stream()
+              .filter(tp -> tp.topic().equals(topicName))
+              .collect(Collectors.toSet());
+          // check if partitions have no committed offsets
+          return partitions.isEmpty()
+              ? Mono.error(new NotFoundException("The topic or partition is unknown"))
+              // call deleteConsumerGroupOffsets
+              : toMono(client.deleteConsumerGroupOffsets(groupId, partitions).all());
+        })
+        .onErrorResume(GroupIdNotFoundException.class,
+            th -> Mono.error(new NotFoundException("The group id does not exist")))
+        .onErrorResume(UnknownTopicOrPartitionException.class,
+            th -> Mono.error(new NotFoundException("The topic or partition is unknown")))
+        .onErrorResume(GroupSubscribedToTopicException.class,
+            th -> Mono.error(new IllegalEntityStateException("The group is not empty")));
+  }
+
   public Mono<Void> createTopic(String name,
                                 int numPartitions,
                                 @Nullable Integer replicationFactor,