RBAC with LDAP fails to start with "this.permissions" is null

[eroji]

Issue submitter TODO list

• I've looked up my issue in FAQ
• I've searched for an already existing issues here
• I've tried running main-labeled docker image and the issue still persists there
• I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

Per my last ticket, I have put together what I think is the correct config for deploying kafbat-ui in Kubernetes with LDAP and RBAC. However, it's still unable to complete bootstrap. I can't identify what I'm missing. The error seems to indicate some sort of issue with the permissions, but I copied it directly from the docs.

Expected behavior

The app should complete bootstrap successfully.

Your installation details

1. 3074abc
2. NA
3. See below

apiVersion: v1
kind: ConfigMap
data:
  config.yaml: |-
    kafka:
      clusters:
      - bootstrapServers: kafka-service-kafka-bootstrap:9092
        name: kafka-service
        properties:
          security.protocol: SASL_PLAINTEXT
          sasl.mechanism: SCRAM-SHA-512
          sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required
            username="admin" password="somepassword";
        readOnly: false  
    auth:
      type: LDAP
    spring:
      ldap:
        urls: ldap://dc.example.com:389
        base: "ou=Employees,dc=example,dc=com"
        admin-user: "cn=LDAP User,ou=Misc Users,dc=example,dc=com"
        admin-password: "somepassword"
        user-filter-search-base: "dc=example.com,dc=com"
        user-filter-search-filter: "(objectClass=person)"
        group-filter-search-base: "ou=KafkaUI Access Groups,ou=Custom Groups,dc=example,dc=com"
    rbac:
      roles:
        - name: "Admins"
          clusters:
            - kafka-service
          subjects:
            - provider: ldap
              type: group
              value: "KafkaUI Admins"
      permissions:
        - resource: applicationconfig
          actions: all
        - resource: clusterconfig
          actions: all
        - resource: topic
          value: ".*"
          actions: all
        - resource: consumer
          value: ".*"
          actions: all
        - resource: schema
          value: ".*"
          actions: all
        - resource: connect
          value: ".*"
          actions: all
        - resource: ksql
          actions: all
        - resource: acl
          actions: [ view ]
    webclient: {}

4. NA

Steps to reproduce

Use the above config

Screenshots

No response

Logs

 _   _ ___    __             _                _          _  __      __ _
| | | |_ _|  / _|___ _ _    /_\  _ __ __ _ __| |_  ___  | |/ /__ _ / _| |_____
| |_| || |  |  _/ _ | '_|  / _ \| '_ / _` / _| ' \/ -_) | ' </ _` |  _| / / _`|
 \___/|___| |_| \___|_|   /_/ \_| .__\__,_\__|_||_\___| |_|\_\__,_|_| |_\_\__,|
                                 |_|                                             
2025-09-03 23:31:42,563 INFO  [main] i.k.u.KafkaUiApplication: Starting KafkaUiApplication vv1.2.0 using Java 21.0.6 with PID 1 (/api.jar started by kafkaui in /)
2025-09-03 23:31:42,565 DEBUG [main] i.k.u.KafkaUiApplication: Running with Spring Boot v3.4.3, Spring v6.2.3
2025-09-03 23:31:42,566 INFO  [main] i.k.u.KafkaUiApplication: No active profile set, falling back to 1 default profile: "default"
2025-09-03 23:31:56,869 WARN  [main] o.s.b.w.r.c.AnnotationConfigReactiveWebServerApplicationContext: Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'aclsController': Unsatisfied dependency expressed through method 'setAccessControlService' parameter 0: Error creating bean with name 'accessControlService' defined in URL [jar:nested:/api.jar/!BOOT-INF/classes/!/io/kafbat/ui/service/rbac/AccessControlService.class]: Unsatisfied dependency expressed through constructor parameter 1: Error creating bean with name 'rbac-io.kafbat.ui.config.auth.RoleBasedAccessControlProperties': Invocation of init method failed
2025-09-03 23:31:56,966 INFO  [main] o.s.b.a.l.ConditionEvaluationReportLogger: 
Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2025-09-03 23:31:57,151 ERROR [main] o.s.b.SpringApplication: Application run failed
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'aclsController': Unsatisfied dependency expressed through method 'setAccessControlService' parameter 0: Error creating bean with name 'accessControlService' defined in URL [jar:nested:/api.jar/!BOOT-INF/classes/!/io/kafbat/ui/service/rbac/AccessControlService.class]: Unsatisfied dependency expressed through constructor parameter 1: Error creating bean with name 'rbac-io.kafbat.ui.config.auth.RoleBasedAccessControlProperties': Invocation of init method failed
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.resolveMethodArguments(AutowiredAnnotationBeanPostProcessor.java:896)
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.inject(AutowiredAnnotationBeanPostProcessor.java:849)
	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:146)
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:509)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1445)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:600)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:523)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:346)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1155)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1121)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1056)
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:987)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
	at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.refresh(ReactiveWebServerApplicationContext.java:66)
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752)
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:318)
	at io.kafbat.ui.KafkaUiApplication.startApplication(KafkaUiApplication.java:24)
	at io.kafbat.ui.KafkaUiApplication.main(KafkaUiApplication.java:17)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:102)
	at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64)
	at org.springframework.boot.loader.launch.JarLauncher.main(JarLauncher.java:40)
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'accessControlService' defined in URL [jar:nested:/api.jar/!BOOT-INF/classes/!/io/kafbat/ui/service/rbac/AccessControlService.class]: Unsatisfied dependency expressed through constructor parameter 1: Error creating bean with name 'rbac-io.kafbat.ui.config.auth.RoleBasedAccessControlProperties': Invocation of init method failed
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:804)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:240)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1381)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1218)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:563)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:523)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:346)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1606)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1552)
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredMethodElement.resolveMethodArguments(AutowiredAnnotationBeanPostProcessor.java:888)
	... 26 common frames omitted
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'rbac-io.kafbat.ui.config.auth.RoleBasedAccessControlProperties': Invocation of init method failed
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:423)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1804)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:601)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:523)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:346)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1664)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1552)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:913)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	... 38 common frames omitted
Caused by: java.lang.NullPointerException: Cannot invoke "java.util.List.forEach(java.util.function.Consumer)" because "this.permissions" is null
	at io.kafbat.ui.model.rbac.Role.validate(Role.java:19)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at io.kafbat.ui.config.auth.RoleBasedAccessControlProperties.init(RoleBasedAccessControlProperties.java:16)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMethod.invoke(InitDestroyAnnotationBeanPostProcessor.java:457)
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:401)
	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:219)
	... 51 common frames omitted

Additional context

No response

[Haarolean]

https://ui.docs.kafbat.io/configuration/rbac-role-based-access-control
permissions belongs to a role (rbac.roles.[0].permissions), in your config structure permissions are placed on the wrong level.

[eroji]

@Haarolean thank you for the clarification. I was able to modify the config and get it to bootstrap successfully. However, I'm unable to log in. Per https://ui.docs.kafbat.io/faq/authentication I can add this env var to enable trace level logging for auth issues, but I do not seem to be getting any pertaining logs when set. The app is running within a container via a deployment in Kubernetes. Can you advise on how to get the logging enabled?

/ $ ps -ef
PID   USER     TIME  COMMAND
    1 kafkaui   0:20 java --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED -jar api.jar
   39 kafkaui   0:00 /bin/sh
   45 kafkaui   0:00 ps -ef
/ $ env | grep LDAP
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_LDAP_USERDETAILS=TRACE
/ $ 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kafka-ui
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: kafka-ui
      app.kubernetes.io/name: kafka-ui
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: kafka-ui
        app.kubernetes.io/name: kafka-ui
    spec:
      containers:
        - env:
            - name: SPRING_CONFIG_ADDITIONAL-LOCATION
              value: /etc/kafkaui/config.yaml
            - name: LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_LDAP_USERDETAILS
              value: TRACE
          image: kafka-ui:v1.2.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /actuator/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 45
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 10
          name: kafka-ui-pod
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /actuator/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 45
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 10
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 250m
              memory: 200Mi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/kafkaui/config.yaml
              name: config
              subPath: config.yaml
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: kafka-ui
      serviceAccountName: kafka-ui
      terminationGracePeriodSeconds: 30
      volumes:
        - configMap:
            defaultMode: 420
            name: kafka-ui-configmap
          name: config