feat(kafka acl): add `acl delete` command by craicoverflow · Pull Request #1218 · redhat-developer/app-services-cli

craicoverflow · 2021-10-12T16:45:16Z

This PR adds a command to delete ACLs which match criteria passed via filters.

Example interaction:

$ ./rhoas kafka acl delete --permission allow --operation all --topic rhoas --prefix --service-account srvc-acct-11924479-43fe-42b4-9676-cf0c9aca8136
⚠ The following ACLs will be deleted from Kafka instance "enda":

  PRINCIPAL                                        PERMISSION   OPERATION   DESCRIPTION                
 ------------------------------------------------ ------------ ----------- --------------------------- 
  srvc-acct-11924479-43fe-42b4-9676-cf0c9aca8136   ALLOW        ALL         TOPIC starts with "rhoas"  

? Are you sure you want to delete these ACLs? Yes

⣽ Deleting ACLs from Kafka instance "enda" 
✔️ Deleted 1 ACL from Kafka instance "enda"

I also refactored some of the ACL util files into one package.

Verification

This allows numerous operation combinations so will require extensive verification and testing. Run rhoas kafka acl delete and try a number of combinations.

craicoverflow · 2021-10-13T15:57:30Z

This ended up quite large, lots of boilerplate involved.

I will continue testing it tomorrow. But ready for review.

rkpattnaik780 · 2021-10-14T07:53:17Z

./rhoas kafka acl delete --transactional-id "*" --operation all --permission allow --service-account srvc-acct-8c95ca5e1225-94a-41f1-ab97-aacf3df1

preview: All accounts ALLOW ALL TOPIC is "*"

craicoverflow · 2021-10-14T16:07:23Z

./rhoas kafka acl delete --transactional-id "*" --operation all --permission allow --service-account srvc-acct-8c95ca5e1225-94a-41f1-ab97-aacf3df1

preview: All accounts ALLOW ALL TOPIC is "*"

Is this a question?

rkpattnaik780 · 2021-10-18T07:37:30Z

./rhoas kafka acl delete --transactional-id "*" --operation all --permission allow --service-account srvc-acct-8c95ca5e1225-94a-41f1-ab97-aacf3df1

preview: All accounts ALLOW ALL TOPIC is "*"

Is this a question?

Message got lost. On trying to delete a ACL for transactional id, topic is being accessed.

Command: ./rhoas kafka acl delete --user rkpattnaik780 --permission allow --operation describe --transactional-id all
Request URL: /rest/acls?operation=DESCRIBE&patternType=LITERAL&permission=ALLOW&principal=User%3Arkpattnaik780&resourceName=%2A&resourceType=TOPIC

craicoverflow · 2021-10-18T08:24:04Z

Thanks for catching that, it is fixed now.

rkpattnaik780 · 2021-10-18T09:52:38Z

Command: ./rhoas kafka acl delete --user rkpattnaik780 --topic all --prefix --permission allow --operation create
Request URL: /rest/acls?operation=DELETE&patternType=PREFIXED&permission=ALLOW&principal=User%3Arkpattnaik780&resourceName=%2A&resourceType=TOPIC

rkpattnaik780 · 2021-10-18T10:11:48Z

Command: ./rhoas kafka acl delete --user ephelan_kafka_devexp --permission allow --operation describe-config --topic dddddd --prefix
Error: Invalid operation "describe-config" for resource type "topic".
Describe config and alter configs should be a valid operation type for topic. Able to create using UI.

rkpattnaik780 · 2021-10-18T10:27:29Z

Command: ./rhoas kafka acl delete --user ephelan_kafka_devexp --permission allow --operation delete --group my-group.
Request URL: /rest/acls?operation=&patternType=LITERAL&permission=ALLOW&principal=User%3Aephelan_kafka_devexp&resourceName=my-group&resourceType=GROUP
Error message: [Bad Request] Validation error for parameter operation in location QUERY: Input doesn't match one of allowed values of enum: [READ, ALL, ALTER, DELETE, CREATE, ALTER_CONFIGS, ANY, DESCRIBE, DESCRIBE_CONFIGS, WRITE]

pkg/localize/goi18n/go_i18n.go

rkpattnaik780 · 2021-10-18T11:33:24Z

pkg/kafka/aclutil/constants.go

+	OperationFilterDELETE           = "delete"
+	OperationFilterALTER            = "alter"
+	OperationFilterDESCRIBE         = "describe"
+	OperationFilterDESCRIBE_CONFIGS = "describe-config"


Should we use plural like alter-configs?

Suggested change

OperationFilterDESCRIBE_CONFIGS = "describe-config"

OperationFilterDESCRIBE_CONFIGS = "describe-configs"

pkg/cmd/kafka/acl/delete/delete.go

pkg/cmd/kafka/acl/flags/flags.go

rkpattnaik780 · 2021-10-18T11:52:02Z

pkg/cmd/kafka/acl/flags/flags.go

+	return withMarkRequiredFunc(fs.cmd, flagName)
+}
+
+// AddUser adds a flag to pass a user ID principal


Suggested change

// AddUser adds a flag to pass a user ID principal

// AddServiceAccount adds a flag to pass a service account ID principal

rkpattnaik780 · 2021-10-18T12:21:13Z

A rare scenario: If user creates a ACL rule using CLI with pricipal="all", <Allow | Read> and topic starts with "all". It would be impossible to delete using CLI, is that an edge case we should handle?

craicoverflow · 2021-10-19T08:47:08Z

A rare scenario: If user creates a ACL rule using CLI with pricipal="all", <Allow | Read> and topic starts with "all". It would be impossible to delete using CLI, is that an edge case we should handle?

As agreed, I have now removed wildcard aliases. Could you review again?

rkpattnaik780 · 2021-10-19T11:19:36Z

Seems like an issue with api maybe
cpmmand: ./rhoas kafka acl delete --user kakashi --permission any --cluster --operation alter -v
preview:

PRINCIPAL      PERMISSION   OPERATION   DESCRIPTION                 
 -------------- ------------ ----------- ---------------------------- 
  kakashi        ALLOW        ALTER       CLUSTER is "kafka-cluster"  
  All accounts   ALLOW        ALTER       CLUSTER is "kafka-cluster"

rkpattnaik780

LGTM!

rkpattnaik780 · 2021-10-21T07:52:32Z

./rhoas kafka acl delete --user kakashi --permission any --cluster --operation alter -v

Seems like an issue with api maybe cpmmand: ./rhoas kafka acl delete --user kakashi --permission any --cluster --operation alter -v preview:
PRINCIPAL      PERMISSION   OPERATION   DESCRIPTION                 
 -------------- ------------ ----------- ---------------------------- 
  kakashi        ALLOW        ALTER       CLUSTER is "kafka-cluster"  
  All accounts   ALLOW        ALTER       CLUSTER is "kafka-cluster"

Playing around the api a little, I found out that list operation lists out all the permissions with those specifics for the given user, including the ones it gets from All accounts. The above command makes a get request with cluster=kafka-cluster, allow:alter for user kakashi, which also checks if the user gets the access through rules defined for "All accounts".

Similarly, searching for a rule that isn't defined for the user but defined for "All accounts" is returned.

./rhoas kafka acl delete --user wtrocki --permission allow --operation read --group sasuke --prefix
⚠ The following ACLs will be deleted from Kafka instance "rama-test-2":

  PRINCIPAL      PERMISSION   OPERATION   DESCRIPTION                 
 -------------- ------------ ----------- ---------------------------- 
  All accounts   ALLOW        READ        GROUP starts with "sasuke"

I think list operation is working as it should be, some changes should be made to delete to prevent deleting the all account rules. Wdyt?

craicoverflow · 2021-10-21T08:24:21Z

Can you move this to a new issue where can we can discuss this? It will be lost/hidden here.

openshift-ci bot added the do-not-merge/work-in-progress label Oct 12, 2021

craicoverflow force-pushed the delete-acls branch 2 times, most recently from 8840632 to ef9274d Compare October 12, 2021 16:49

wtrocki changed the title ~~feat(kafka acl): add base and list command (#1173)~~ feat(kafka acl): delete acl (#1173) Oct 12, 2021

craicoverflow force-pushed the delete-acls branch 4 times, most recently from 82343aa to e5ec951 Compare October 13, 2021 15:52

craicoverflow changed the title ~~feat(kafka acl): delete acl (#1173)~~ feat(kafka acl): add acl delete command Oct 13, 2021

craicoverflow marked this pull request as ready for review October 13, 2021 15:56

openshift-ci bot removed the do-not-merge/work-in-progress label Oct 13, 2021

craicoverflow force-pushed the delete-acls branch from e5ec951 to f727cb8 Compare October 13, 2021 15:56

craicoverflow requested review from rkpattnaik780 and wtrocki October 13, 2021 15:56

craicoverflow force-pushed the delete-acls branch 6 times, most recently from 2a8df77 to ab05437 Compare October 14, 2021 11:10

feat(acl): add ACL delete command

1bce892

craicoverflow force-pushed the delete-acls branch from ab05437 to 1bce892 Compare October 14, 2021 16:06

fix: sort flag options

efe2c49

fix: wrong value mapping

8c5335d

fix: wrong value mapping

8b68234

rkpattnaik780 requested changes Oct 18, 2021

View reviewed changes

craicoverflow force-pushed the delete-acls branch from 3411054 to 09758ac Compare October 18, 2021 13:35

fix: invalid delete cases

3e66214

craicoverflow force-pushed the delete-acls branch from 09758ac to 3e66214 Compare October 18, 2021 13:52

fix: remove resource wildcard

270b53f

craicoverflow force-pushed the delete-acls branch from ff3d1ba to 270b53f Compare October 19, 2021 08:47

craicoverflow requested a review from rkpattnaik780 October 19, 2021 08:47

rkpattnaik780 approved these changes Oct 19, 2021

View reviewed changes

craicoverflow merged commit 8edfc44 into redhat-developer:main Oct 19, 2021

craicoverflow deleted the delete-acls branch October 19, 2021 12:46

craicoverflow linked an issue Oct 20, 2021 that may be closed by this pull request

Implement rhoas kafka acl delete command #1185

Closed

rkpattnaik780 mentioned this pull request Oct 21, 2021

Remove acl list operation to preview ACLs to be deleted #1250

Closed

	OperationFilterDESCRIBE_CONFIGS = "describe-config"
	OperationFilterDESCRIBE_CONFIGS = "describe-configs"

	// AddUser adds a flag to pass a user ID principal
	// AddServiceAccount adds a flag to pass a service account ID principal

Conversation

craicoverflow commented Oct 12, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Verification

Uh oh!

craicoverflow commented Oct 13, 2021

Uh oh!

rkpattnaik780 commented Oct 14, 2021

Uh oh!

craicoverflow commented Oct 14, 2021

Uh oh!

rkpattnaik780 commented Oct 18, 2021

Uh oh!

craicoverflow commented Oct 18, 2021

Uh oh!

rkpattnaik780 commented Oct 18, 2021

Uh oh!

rkpattnaik780 commented Oct 18, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rkpattnaik780 commented Oct 18, 2021

Uh oh!

Uh oh!

rkpattnaik780 Oct 18, 2021

Choose a reason for hiding this comment

Uh oh!

craicoverflow Oct 18, 2021

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

rkpattnaik780 Oct 18, 2021

Choose a reason for hiding this comment

Uh oh!

rkpattnaik780 commented Oct 18, 2021

Uh oh!

craicoverflow commented Oct 19, 2021

Uh oh!

rkpattnaik780 commented Oct 19, 2021

Uh oh!

rkpattnaik780 left a comment

Choose a reason for hiding this comment

Uh oh!

rkpattnaik780 commented Oct 21, 2021

Uh oh!

craicoverflow commented Oct 21, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

craicoverflow commented Oct 12, 2021 •

edited

Loading

rkpattnaik780 commented Oct 18, 2021 •

edited

Loading