feat(kafka acl grant-access): add --all-accounts flag #1222
rkpattnaik780 merged 1 commit into main from
See discussion in #1197
pkg/cmd/kafka/acl/grant/grant.go
Outdated
| userArg = buildPrincipal(acl.Wildcard) | ||
| } | ||
|
|
||
| if opts.svcAccount != "" { |
We need to throw an error if user or service-account value is all. I have not tested whether it does this but I cannot see this.
Working on it. I am not sure if we should throw an error.
I think passing all should be left as it is?
If no error, what do you think should happen?
It should be processed as a simple identifier?
user is literal "all"
The user of the CLI will think running --user=all will limit the wildcard to users, not service accounts, but in fact it will apply it to all. That IMO is dangerous as it will give a false sense of security.
bbad6e1 to 610ec81
I'm wondering if we should call it
| [kafka.acl.common.flag.groupPrefix.description] | ||
| one = 'Prefix name for groups to be selected' | ||
|
|
||
| [kafka.acl.common.flag.allPrincipals] |
| [kafka.acl.common.flag.allPrincipals] | |
| [kafka.acl.common.flag.allPrincipals.description] |
Pattern has been {flagName}.description
Sticking to |
| allAccounts bool | ||
| } | ||
|
|
||
| // NewGrantPermissionsACLCommand creates a series of ACL rules |
Should be NewGrantAccess now.
pkg/cmd/kafka/acl/grant/grant.go
Outdated
| if opts.user != "" { | ||
| user := getArgumentFromAlias(opts.user) | ||
| userArg = buildPrincipal(user) | ||
| if opts.user == acl.All { | ||
| return opts.localizer.MustLocalizeError("kafka.acl.common.error.allNotAllowed", localize.NewEntry("Flag", "user")) | ||
| } | ||
| userArg = buildPrincipal(opts.user) | ||
| } | ||
|
|
||
| if opts.allAccounts { | ||
| userArg = buildPrincipal(acl.Wildcard) | ||
| } |
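Review bot: The check on opts.user rejects only the exact value acl.All, and the flag value then goes into buildPrincipal(opts.user) unchanged, so a --user value equal to acl.Wildcard would produce the same principal as the opts.allAccounts branch below it. If --all-accounts is meant to be the one explicit way to grant access to every account, reject acl.Wildcard in this check as well, and make sure the service-account branch carries the same check.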
nit: I like the pattern where opts only has the principal value and you do not need to carry out this logic to determine which one to select (as you must then repeat these checks every time you want to reference the principal to use).
A cleaner approach might be to figure out the principal from the flags and assign it to opts in the input validation stage, like this:
app-services-cli/pkg/cmd/kafka/acl/delete/delete.go
Lines 294 to 298 in 3e66214
| if userID == "" && serviceAccount == "" && !allAccounts { | ||
| return opts.localizer.MustLocalizeError("kafka.acl.grantPermissions.error.noPrincipalsSelected") | ||
| } | ||
|
|
||
| // user and service account should not be provided together | ||
| if opts.user != "" && opts.svcAccount != "" { | ||
| if userID != "" && serviceAccount != "" { | ||
| return opts.localizer.MustLocalizeError("kafka.acl.grantPermissions.error.bothPrincipalsSelected") | ||
| } |
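Review bot: The conflict check at if userID != "" && serviceAccount != "" covers only the user plus service-account pair; nothing in the lines shown rejects allAccounts combined with userID or serviceAccount, so that combination passes these checks. Consider extending the condition, for example allAccounts && (userID != "" || serviceAccount != ""), and returning a dedicated error so the caller is told the flags conflict instead of having one of them quietly ignored.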
nit: these checks could go before the logic of assigning the correct principal to opts.principal
These checks are executed before assignment; it is the function definition here.
3f5a596 to 5fa07be
--all-accounts flag to grant permissions to all users and service accounts (substitute for --user "*" and --service-account "*").
Closes #1197
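The approach raised in the review above (settle the principal once during input validation, and keep a wildcard grant reachable only through the explicit flag), as an added Go example that is not code from this PR or the project. resolvePrincipal, the error variables, the constant values and the User: prefix for both account kinds are assumptions; the page shows acl.All and acl.Wildcard only by name, and rejecting the wildcard value on --user and --service-account is an assumption about the intended behaviour.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed values: the page names acl.All and acl.Wildcard without showing
// their definitions; "User:" is the usual Kafka principal prefix.
const (
	all             = "all"
	wildcard        = "*"
	principalPrefix = "User:"
)

var (
	errNoPrincipal   = errors.New("no principal selected")
	errConflict      = errors.New("--user, --service-account and --all-accounts are mutually exclusive")
	errAllNotAllowed = errors.New("reserved value: use --all-accounts to target every account")
)

// resolvePrincipal (hypothetical helper) validates the three flags once and
// returns the single principal the rest of the command should use.
func resolvePrincipal(user, svcAccount string, allAccounts bool) (string, error) {
	switch {
	case user == "" && svcAccount == "" && !allAccounts:
		return "", errNoPrincipal
	case user != "" && svcAccount != "", allAccounts && (user != "" || svcAccount != ""):
		return "", errConflict
	case allAccounts:
		return principalPrefix + wildcard, nil
	}
	name := user + svcAccount // exactly one of the two is non-empty here
	// Reject both spellings so a wildcard grant is only reachable through
	// the explicit flag, never through a value that looks like a name.
	if name == all || name == wildcard {
		return "", errAllNotAllowed
	}
	return principalPrefix + name, nil
}

func main() {
	fmt.Println(resolvePrincipal("alice", "", false))
	fmt.Println(resolvePrincipal("all", "", false))
	fmt.Println(resolvePrincipal("bob", "", true))
	fmt.Println(resolvePrincipal("", "", true))
}
```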