
feat: create acls #165

Merged: 106 commits from feat/create-acls into master, Dec 13, 2023

Conversation

@petedannemann (Contributor) commented Nov 15, 2023

Add create acls command

Implements: #135

Demo:
This assumes you have this branch checked out and have run make install to install topicctl from this branch

# start kafka with authentication enabled
$ docker-compose -f docker-compose-auth.yaml up -d

$ topicctl create acls --help
creates ACLs from configuration files

Usage:
  topicctl create acls [acl configs] [flags]

Flags:
  -h, --help   help for acls

Global Flags:
  -b, --broker-addr string       Broker address
      --cluster-config string    Cluster config
      --debug                    enable debug logging
      --dry-run                  Do a dry-run
      --expand-env               Expand environment in cluster config
      --no-spinner               disable all UI spinners
      --path-prefix string       Prefix for ACL config paths
      --sasl-mechanism string    SASL mechanism if using SASL (choices: AWS-MSK-IAM, PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512)
      --sasl-password string     SASL password if using SASL; will override value set in cluster config
      --sasl-username string     SASL username if using SASL; will override value set in cluster config
      --skip-confirm             Skip confirmation prompts during creation process
      --tls-ca-cert string       Path to client CA cert PEM file if using TLS
      --tls-cert string          Path to client cert PEM file if using TLS
      --tls-enabled              Use TLS for communication with brokers
      --tls-key string           Path to client private key PEM file if using TLS
      --tls-server-name string   Server name to use for TLS cert verification
      --tls-skip-verify          Skip hostname verification when using TLS
  -z, --zk-addr string           ZooKeeper address
      --zk-prefix string         Prefix for cluster-related nodes in zk

$ topicctl create acls examples/auth/acls/acl-default.yaml --cluster-config examples/auth/cluster.yaml
[2023-11-16 14:35:53]  INFO Processing ACL acl-default in config examples/auth/acls/acl-default.yaml with cluster config examples/auth/cluster.yaml
[2023-11-16 14:35:53]  INFO Starting creation for ACLs acl-default in environment local-env, cluster local-cluster-auth
[2023-11-16 14:35:53]  INFO Validating configs...
[2023-11-16 14:35:53]  INFO Checking if ACLs already exists...
[2023-11-16 14:35:53]  INFO It looks like these ACLs doesn't already exists. Will create them with this config:
[
  {
    "ResourceType": "Topic",
    "ResourceName": "my-topic",
    "ResourcePatternType": "Literal",
    "Principal": "User:default",
    "Host": "*",
    "Operation": "Read",
    "PermissionType": "Allow"
  },
  {
    "ResourceType": "Topic",
    "ResourceName": "my-topic",
    "ResourcePatternType": "Literal",
    "Principal": "User:default",
    "Host": "*",
    "Operation": "Describe",
    "PermissionType": "Allow"
  },
  {
    "ResourceType": "Group",
    "ResourceName": "my-group",
    "ResourcePatternType": "Prefixed",
    "Principal": "User:default",
    "Host": "*",
    "Operation": "Read",
    "PermissionType": "Allow"
  }
]
OK to continue? (yes/no) yes
[2023-11-16 14:35:57]  INFO Creating new ACLs for user with config [
  {
    "ResourceType": "Topic",
    "ResourceName": "my-topic",
    "ResourcePatternType": "Literal",
    "Principal": "User:default",
    "Host": "*",
    "Operation": "Read",
    "PermissionType": "Allow"
  },
  {
    "ResourceType": "Topic",
    "ResourceName": "my-topic",
    "ResourcePatternType": "Literal",
    "Principal": "User:default",
    "Host": "*",
    "Operation": "Describe",
    "PermissionType": "Allow"
  },
  {
    "ResourceType": "Group",
    "ResourceName": "my-group",
    "ResourcePatternType": "Prefixed",
    "Principal": "User:default",
    "Host": "*",
    "Operation": "Read",
    "PermissionType": "Allow"
  }
]
[2023-11-16 14:35:57]  INFO Create completed successfully!

$ topicctl get acls --cluster-config examples/auth/cluster.yaml
[2023-11-16 14:36:45]  INFO ACLs:
----------------+--------------+---------------+-----------------+------+-----------+------------------
  RESOURCE TYPE | PATTERN TYPE | RESOURCE NAME |    PRINCIPAL    | HOST | OPERATION | PERMISSION TYPE
----------------+--------------+---------------+-----------------+------+-----------+------------------
  group         | prefixed     | my-group      | User:default    | *    | read      | allow
  topic         | literal      | my-topic      | User:default    | *    | read      | allow
  topic         | literal      | my-topic      | User:default    | *    | describe  | allow
----------------+--------------+---------------+-----------------+------+-----------+------------------
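The demo above shows the command validating the ACL config and checking whether the ACLs already exist before creating them. The Go code below is an added example, not topicctl's own code, that models those two steps over the ACL fields printed in the demo: it validates each entry and computes which desired ACLs are still missing from the cluster, normalizing the capitalized config values against the lowercase form that `topicctl get acls` prints. The `ACL` struct and the `key`, `Validate` and `Plan` functions are hypothetical names chosen for this example.

```go
package main

import "fmt"
import "strings"

// ACL mirrors the fields topicctl prints in the demo above (a hypothetical
// struct written for this example, not topicctl's own type).
type ACL struct {
	ResourceType, ResourceName, ResourcePatternType string
	Principal, Host, Operation, PermissionType      string
}

// key lowercases the enum-like fields so config values ("Topic", "Literal") match
// what "topicctl get acls" prints ("topic", "literal"); names keep their case.
func (a ACL) key() string {
	enums := []string{a.ResourceType, a.ResourcePatternType, a.Operation, a.PermissionType}
	return strings.ToLower(strings.Join(enums, "|")) + "|" + a.ResourceName + "|" + a.Principal + "|" + a.Host
}

// Validate rejects entries that should never reach the broker: principals need the
// "User:" prefix, pattern type is literal or prefixed, and "*" needs a literal pattern.
func (a ACL) Validate() error {
	pt := strings.ToLower(a.ResourcePatternType)
	switch {
	case !strings.HasPrefix(a.Principal, "User:"):
		return fmt.Errorf("principal %q must start with User:", a.Principal)
	case pt != "literal" && pt != "prefixed":
		return fmt.Errorf("unsupported pattern type %q", a.ResourcePatternType)
	case a.ResourceName == "" || (a.ResourceName == "*" && pt != "literal"):
		return fmt.Errorf("invalid resource name %q for pattern type %q", a.ResourceName, pt)
	}
	return nil
}

// Plan returns the desired ACLs not already on the cluster (so re-runs are idempotent); it fails on the first invalid entry.
func Plan(desired, existing []ACL) ([]ACL, error) {
	have := map[string]bool{}
	for _, e := range existing {
		have[e.key()] = true
	}
	var missing []ACL
	for _, d := range desired {
		if err := d.Validate(); err != nil {
			return nil, err
		}
		if !have[d.key()] {
			missing = append(missing, d)
		}
	}
	return missing, nil
}
```

Feeding `Plan` the three ACLs from the demo against the rows printed by `get acls` yields an empty plan, which is the behaviour a second run of `create acls` should have.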

go.mod (review thread, resolved)
@@ -407,13 +408,16 @@ func (c *BrokerAdminClient) GetUsers(
return nil, err
}

if err = util.DescribeUserScramCredentialsResponseResultsError(resp.Results); err != nil {
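Review bot: the new per-result check on `util.DescribeUserScramCredentialsResponseResultsError(resp.Results)` in GetUsers is the right place to surface errors that a successful top-level response would otherwise hide, but since the author notes this helper previously had incorrect behaviour, the hunk should come with a unit test for the util package that passes a results slice containing one errored entry and asserts the error is returned; without it a regression in the helper would silently go back to letting GetUsers report success on a failed lookup.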
@petedannemann (Contributor, Author) commented:

I had added this error handler utility function before and discovered it had incorrect behavior

@petedannemann petedannemann marked this pull request as ready for review November 16, 2023 21:37
@petedannemann petedannemann requested a review from a team as a code owner November 16, 2023 21:37
README.md (review thread, outdated, resolved)
pkg/create/acl.go (review thread, outdated, resolved)
pkg/create/acl.go (review thread, outdated, resolved)
@petedannemann petedannemann merged commit e9241f4 into master Dec 13, 2023
14 checks passed
@petedannemann petedannemann deleted the feat/create-acls branch December 13, 2023 20:43