RBAC User Unbale to create Topic/New Cluster from Kafka UI

[stalinbritto]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running main-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

Hi Team,
I am encountering the same error on my side.

I have created a docker-compose.yml file with two images: frontend and backend.

Frontend: Using Nginx to re-route traffic with SSL.

Backend: Kafka application enabled with OAuth configuration, using a .jks certificate along with key and URLs.

SSL is enabled, and I am able to see the cluster, configure a new cluster option, and view the option to create new topics.

Issue: When I try to add a new cluster or create a new topic, I receive a 403 error.

Did I miss any configuration, or is there something additional that needs to be added?

Please suggest.

Config File:

docker-compose.yml

roles.yml

nginx-conf.yml

Expected behavior

No response

Your installation details

I have done the installation and using by docker compose.

Steps to reproduce

The docker compose file which i attached will give more info.

Screenshots

Provided error snap and log file here.

Logs

Logs:
`kafka-ui-proxy | - - [01/Dec/2025:13:44:38 +0000] "PUT /api/clusters/CLuster/brokers/0/configs/log.flush.interval.messages HTTP/1.1" 403 13 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36"

kafka-ui-proxy | - - [01/Dec/2025:13:45:02 +0000] "POST /api/clusters/CLuster/topics HTTP/1.1" 403 13 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"

kafka-ui-proxy | - - [01/Dec/2025:13:45:03 +0000] "GET /api/clusters/CLuster/topics?page=1&perPage=25&showInternal=true HTTP/1.1" 200 25056 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"

kafka-ui-proxy | - - [01/Dec/2025:13:45:09 +0000] "DELETE /api/clusters/CLuster/topics/--test1 HTTP/1.1" 403 13 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"`

Additional context

No response

[github-actions[bot]]

Hi stalinbritto! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

[germanosin]

Please try to add role.yaml into your SPRING_CONFIG_ADDITIONAL_LOCATION path
Like /etc/kafkaui/roles.yml

[stalinbritto]

Here am facing different issues.

Once I added the roles.yml as you recommended, the UI no longer shows cluster details (it appears empty). Still, I’m unable to create topics or other configurations — the same error occurs as before.

"https://kafkaui-domain.in/ui/clusters/CLUSTER/all-topics/create-new-topic"
However, if I provide the complete URL, I can see the broker details

 _   _ ___    __             _                _          _  __      __ _
| | | |_ _|  / _|___ _ _    /_\  _ __ __ _ __| |_  ___  | |/ /__ _ / _| |_____
| |_| || |  |  _/ _ | '_|  / _ \| '_ / _` / _| ' \/ -_) | ' </ _` |  _| / / _`|
 \___/|___| |_| \___|_|   /_/ \_| .__\__,_\__|_||_\___| |_|\_\__,_|_| |_\_\__,|
                                 |_|

2025-12-16 11:25:45,802 WARN  [main] i.k.u.u.DynamicConfigOperations: Dynamic config file /etc/kafkaui/dynamic_config.yaml doesnt exist or not readable
2025-12-16 11:25:45,811 INFO  [main] i.k.u.KafkaUiApplication: Starting KafkaUiApplication vv1.3.0 using Java 21.0.6 with PID 1 (/api.jar started by kafkaui in /)
2025-12-16 11:25:45,812 DEBUG [main] i.k.u.KafkaUiApplication: Running with Spring Boot v3.5.3, Spring v6.2.8
2025-12-16 11:25:45,813 INFO  [main] i.k.u.KafkaUiApplication: No active profile set, falling back to 1 default profile: "default"
2025-12-16 11:25:50,256 DEBUG [main] i.k.u.s.SerdesInitializer: Configuring serdes for cluster CLUSTER
2025-12-16 11:25:50,893 INFO  [main] o.s.b.a.e.w.EndpointLinksResolver: Exposing 3 endpoints beneath base path '/actuator'
2025-12-16 11:25:51,905 INFO  [main] o.s.b.w.e.n.NettyWebServer: Netty started on port 8080 (http)
2025-12-16 11:25:51,956 INFO  [main] i.k.u.KafkaUiApplication: Started KafkaUiApplication in 7.194 seconds (process running for 8.215)
2025-12-16 11:25:52,210 DEBUG [parallel-2] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: CLUSTER
2025-12-16 11:25:52,228 INFO  [boundedElastic-1] o.a.k.c.a.AdminClientConfig: AdminClientConfig values:
        auto.include.jmx.reporter = true
        bootstrap.controllers = []
        bootstrap.servers = [IP_ADD:9092, IP_ADD:9092, IP_ADD:9092]
        client.dns.lookup = use_all_dns_ips
        client.id = kafbat-ui-admin-1765884352-1
        connections.max.idle.ms = 300000
        default.api.timeout.ms = 60000
        enable.metrics.push = true
        metadata.max.age.ms = 300000
        metadata.recovery.strategy = none
        metric.reporters = []
        metrics.num.samples = 2
        metrics.recording.level = INFO
        metrics.sample.window.ms = 30000
        receive.buffer.bytes = 65536
        reconnect.backoff.max.ms = 1000
        reconnect.backoff.ms = 50
        request.timeout.ms = 30000
        retries = 2147483647
        retry.backoff.max.ms = 1000
        retry.backoff.ms = 100
        sasl.client.callback.handler.class = null
        sasl.jaas.config = null
        sasl.kerberos.kinit.cmd = /usr/bin/kinit
        sasl.kerberos.min.time.before.relogin = 60000
        sasl.kerberos.service.name = null
        sasl.kerberos.ticket.renew.jitter = 0.05
        sasl.kerberos.ticket.renew.window.factor = 0.8
        sasl.login.callback.handler.class = null
        sasl.login.class = null
        sasl.login.connect.timeout.ms = null
        sasl.login.read.timeout.ms = null
        sasl.login.refresh.buffer.seconds = 300
        sasl.login.refresh.min.period.seconds = 60
        sasl.login.refresh.window.factor = 0.8
        sasl.login.refresh.window.jitter = 0.05
        sasl.login.retry.backoff.max.ms = 10000
        sasl.login.retry.backoff.ms = 100
        sasl.mechanism = GSSAPI
        sasl.oauthbearer.clock.skew.seconds = 30
        sasl.oauthbearer.expected.audience = null
        sasl.oauthbearer.expected.issuer = null
        sasl.oauthbearer.header.urlencode = false
        sasl.oauthbearer.jwks.endpoint.refresh.ms = 3600000
        sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms = 10000
        sasl.oauthbearer.jwks.endpoint.retry.backoff.ms = 100
        sasl.oauthbearer.jwks.endpoint.url = null
        sasl.oauthbearer.scope.claim.name = scope
        sasl.oauthbearer.sub.claim.name = sub
        sasl.oauthbearer.token.endpoint.url = null
        security.protocol = PLAINTEXT
        security.providers = null
        send.buffer.bytes = 131072
        socket.connection.setup.timeout.max.ms = 30000
        socket.connection.setup.timeout.ms = 10000
        ssl.cipher.suites = null
        ssl.enabled.protocols = [TLSv1.2, TLSv1.3]
        ssl.endpoint.identification.algorithm = https
        ssl.engine.factory.class = null
        ssl.key.password = null
        ssl.keymanager.algorithm = SunX509
        ssl.keystore.certificate.chain = null
        ssl.keystore.key = null
        ssl.keystore.location = null
        ssl.keystore.password = null
        ssl.keystore.type = JKS
        ssl.protocol = TLSv1.3
        ssl.provider = null
        ssl.secure.random.implementation = null
        ssl.trustmanager.algorithm = PKIX
        ssl.truststore.certificates = null
        ssl.truststore.location = null
        ssl.truststore.password = null
        ssl.truststore.type = JKS

2025-12-16 11:25:52,316 INFO  [boundedElastic-1] o.a.k.c.u.AppInfoParser: Kafka version: 7.9.0-ccs
2025-12-16 11:25:52,316 INFO  [boundedElastic-1] o.a.k.c.u.AppInfoParser: Kafka commitId: ebe6df624d6bc758
2025-12-16 11:25:52,316 INFO  [boundedElastic-1] o.a.k.c.u.AppInfoParser: Kafka startTimeMs: 1765884352314
2025-12-16 11:25:52,865 DEBUG [parallel-4] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: CLUSTER
2025-12-16 11:26:21,956 DEBUG [parallel-1] i.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: CLUSTER
2025-12-16 11:26:21,977 DEBUG [parallel-2] i.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: CLUSTER

Still, I’m unable to create topics or other configurations — the same error occurs as before.

[stalinbritto]

@Team
Instead, when I try using the following command as an environment variable:
SPRING_CONFIG_ADDITIONAL_LOCATION=/etc/kafkaui/

I am able to see the nodes and topics. However, RBAC is not enabled based on users.

[Haarolean]

From your roles.yml:
- provider: role

From your compose:

      KAFKA_UI_OAUTH2_CUSTOM_PARAM_TYPE: oauth
      KAFKA_UI_OAUTH2_CUSTOM_PARAM_ROLES_FIELD: roles

where did you get these from?

these are all not valid properties. they’re not in the repo and not in the docs, so kafka-ui will ignore them.

the supported oauth2 config is here: https://ui.docs.kafbat.io/configuration/authentication/for-the-ui/oauth2

also, you define SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET twice in your compose. Run a linter or at least docker compose config before sending issues.

[Haarolean]

a guide to debug RBAC issues, once you get there: https://ui.docs.kafbat.io/faq/rbac-issues