Confluent_Schema_Registry - User is denied operation WriteCompatibility on Subject: xxxx

[enzo-cappa]

Hello,

We recently started to use Roles in Confluent Cloud Schema Registry. We discovered that when we use a role (DeveloperWrite for all subjects) that can write schemas, but not change compatibility level, kafkajs will fail to register or produce with the error given above: Confluent_Schema_Registry - User is denied operation WriteCompatibility on Subject: xxxx. However, we don't set the compatibility level as a parameter. What we do is:

register(
      {
        type: SchemaType.AVRO,
        schema: data,
      },
      {
        subject, // string
      },
);

This should not be the case, as the the library should not set the compatiblity level unless is passed as a param. From what I see in

confluent-schema-registry/src/SchemaRegistry.ts

Line 157 in a3921d3

if (compatibility && isFirstTimeRegistration) {

, the compat level is always sent on registration, as it would either come as a param or from the defaults. Again, my understanding is that this shouldn't happen, as the default schema from the global Schema Registry configuration would be used, and that is what we want to enforce for our clients.

Full error:

ResponseError: Confluent_Schema_Registry - User is denied operation WriteCompatibility on Subject: raw.data.batched-issue-operation-value
    at /srv/app/node_modules/@kafkajs/confluent-schema-registry/dist/api/middleware/errorMiddleware.js:17:37

[rogen-code]

Workaround is set compatibility to null ...

But yes, agree

[silverwind]

Workaround is set compatibility to null ...

Yes, that works, but it does present a typescript error:

Type 'null' is not assignable to type 'COMPATIBILITY | undefined'

Setting compatibility: undefined fixed it for me.

The lib tries to set COMPATIBILITY.BACKWARD when the property is not present, while imho it has no business to do that unless the property is provided by the user.