feat(kafka acl): add grant-admin command #1230
Force-pushed from b510c2d to b6a52d9
craicoverflow left a comment:
Command did not work for me:
❯ ./rhoas kafka acl admin
panic: message "kafka.acl.grantPermissions.error.noPrincipalsSelected" not found in language "en"
goroutine 1 [running]:
github.com/nicksnyder/go-i18n/v2/i18n.(*Localizer).MustLocalize(0xc0001af540, 0xc000133c28, 0x0, 0x0)
/home/ephelan/.gvm/pkgsets/go1.16.4/global/pkg/mod/github.com/nicksnyder/go-i18n/v2@v2.1.2/i18n/localizer.go:211 +0x7c
github.com/redhat-developer/app-services-cli/pkg/localize/goi18n.(*Goi18n).MustLocalize(0xc00070ccd0, 0x1e4d942, 0x35, 0x0, 0x0, 0x0, 0xc0000ea100, 0xc000133cf8)
/home/ephelan/code/github.com/redhat-developer/app-services-cli/pkg/localize/goi18n/go_i18n.go:85 +0x165
github.com/redhat-developer/app-services-cli/pkg/localize/goi18n.(*Goi18n).MustLocalizeError(0xc00070ccd0, 0x1e4d942, 0x35, 0x0, 0x0, 0x0, 0xc000133ce0, 0x0)
/home/ephelan/code/github.com/redhat-developer/app-services-cli/pkg/localize/goi18n/go_i18n.go:111 +0x67
github.com/redhat-developer/app-services-cli/pkg/cmd/kafka/acl/admin.NewAdminACLCommand.func1(0xc0001d3680, 0x2db8c80, 0x0, 0x0, 0x0, 0x0)
/home/ephelan/code/github.com/redhat-developer/app-services-cli/pkg/cmd/kafka/acl/admin/admin.go:71 +0x18a
github.com/spf13/cobra.(*Command).execute(0xc0001d3680, 0x2db8c80, 0x0, 0x0, 0xc0001d3680, 0x2db8c80)
/home/ephelan/.gvm/pkgsets/go1.16.4/global/pkg/mod/github.com/spf13/cobra@v1.2.1/command.go:856 +0x472
github.com/spf13/cobra.(*Command).ExecuteC(0xc00032e780, 0x2057538, 0x3, 0xc00032e780)
/home/ephelan/.gvm/pkgsets/go1.16.4/global/pkg/mod/github.com/spf13/cobra@v1.2.1/command.go:974 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
/home/ephelan/.gvm/pkgsets/go1.16.4/global/pkg/mod/github.com/spf13/cobra@v1.2.1/command.go:902
main.main()
/home/ephelan/code/github.com/redhat-developer/app-services-cli/cmd/rhoas/main.go:43 +0x29d
Force-pushed from 3797b73 to 43d2c9c
craicoverflow left a comment:
The ACLs granted in this command do not allow me to create topics:
$ kafka-topics.sh --create --topic rhoas_2hello --bootstrap-server
Error while executing topic command : Authorization failed.
[2021-10-20 15:14:35,800] ERROR org.apache.kafka.common.errors.TopicAuthorizationException: Authorization failed.
(kafka.admin.TopicCommand$)
However, once I create an ACL with ALLOW | ALL | TOPIC is "*" I could do it:
$ kafka-topics.sh --create --topic rhoas_2hello --bootstrap-server $(rhoas kafka describe --bootstrap-server) --command-config ./kafka-config.prod.properties
Created topic rhoas_2hello.
I recommend investigating the Kafka bin scripts to see exactly what they would apply; we may need additional ACLs other than CLUSTER ALTER.

The bin scripts don't seem to have an explicit option to grant admin access, although it is a common use case. The design documents mention an extra ACL rule for cluster describe; the requirements point out that admin should grant only the ability to add/delete ACLs, and the user must create an ACL before doing operations.

Great work so far! I think we should also be displaying to the user the exact ACL(s) like we do in the a) get a clear understanding of what is being applied
Force-pushed from 90f0e1c to 63cd1f8
pkg/cmd/kafka/acl/admin/admin.go (outdated)
| // check if priincipal is provided | ||
| if userID == "" && serviceAccount == "" && !allAccounts { | ||
| return opts.localizer.MustLocalizeError("kafka.acl.common.error.noPrincipalsSelected") | ||
| } | ||
|
|
||
| // user and service account can't be along with "--all-accounts" flag | ||
| if allAccounts && (serviceAccount != "" || userID != "") { | ||
| return opts.localizer.MustLocalizeError("kafka.acl.common.error.allAccountsCannotBeUsedWithUserFlag") | ||
| } |
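Review bot: neither condition rejects a wildcard passed explicitly, so `--user "*"` or `--service-account "*"` passes both checks and becomes the principal of the ALLOW ALTER CLUSTER binding, which is exactly the broad grant that `--all-accounts` is meant to gate behind an explicit flag; add a check that the value contains no `*` and point the user at `--all-accounts` instead. Two smaller points on the same lines: "priincipal" in the comment is a typo, and the key `kafka.acl.common.error.noPrincipalsSelected` should be confirmed present in the locale file, since an earlier build panicked at runtime on a missing `...noPrincipalsSelected` message.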
From what I can see we are not preventing the user from passing a wildcard to the user or service-account flags. Shouldn't we be?
| one = ''' | ||
| # Grant access to principal for consuming messages from all topics | ||
| $ rhoas kafka acl grant-access --consumer --user user_name --topic all --group all | ||
| $ rhoas kafka acl grant-access --consumer --user user_name --topic "*" --group "*" |
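Review bot: the two example lines spell the wildcard differently (`--topic all --group all` versus `--topic "*" --group "*"`); keep only the form the command actually accepts so the help text cannot teach a spelling that is silently rejected or treated as a literal name. If `"*"` is the accepted form, keep the quotes in the example, because an unquoted `*` is expanded by the shell before the CLI sees it.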
I believe we are sticking with aliases now?
craicoverflow left a comment:
A couple of questions left inline.
Force-pushed from 63cd1f8 to e3da262
craicoverflow left a comment:
Looks great! I think we should have a second opinion on the cmd long and short descriptions though.
| [kafka.acl.grantAdmin] | ||
|
|
||
| [kafka.acl.grantAdmin.cmd.shortDescription] | ||
| one = 'Give admin rights to the account' |
| one = 'Give admin rights to the account' | |
| one = 'Grant an account permissions to create and delete ACLs in the Kafka instance' |
The existing short description seemed a little too short and informal.
| [kafka.acl.grantAdmin.cmd.shortDescription] | ||
| one = 'Give admin rights to the account' | ||
|
|
||
| [kafka.acl.grantAdmin.cmd.longDescription] | ||
| one = 'This command will give specified account permission to create and delete ACLs in a Kafka instance.' |
cc @jbyrne-redhat, could you review the highlighted CLI command documentation?
Suggest just a couple of minor tweaks:
'This command grants a specified account permission to create and delete ACLs in a Kafka instance.'
| kafkainstanceclient.ACLPERMISSIONTYPE_ALLOW, | ||
| ) | ||
|
|
||
| rows := aclutil.MapACLsToTableRows([]kafkainstanceclient.AclBinding{*aclBindClusterAlter}, opts.localizer) |
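Review bot: `rows` is built from the single ALLOW ALTER CLUSTER binding, and ALTER on the cluster resource only authorises creating and deleting ACLs; it does not let the account create topics, which matches the Authorization failed result reported earlier in the thread, so the command's long description should state that limitation explicitly. The table is also printed with no lead-in; emit a line such as "The following ACLs will be created:" before it regardless of -y, and keep building the rows from the same slice that is sent to the API so the preview can never diverge from what is actually applied.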
We could probably skip that when -y is passed.
I would prefer to keep -y for the confirmation action only and display the ACLs to be generated in both scenarios.
That's fair. I think it needs an explanation to give context to the table though, because right now it prints without info about it.
❯ ./rhoas kafka acl grant-admin --all-accounts -y
PRINCIPAL PERMISSION OPERATION DESCRIPTION
-------------- ------------ ----------- ----------------------------
All accounts ALLOW ALTER CLUSTER is "kafka-cluster"
✔️ Account "*" is now allowed to create and delete ACLs for Kafka instance "enda-dev"
It might be nice to add something like:
The following ACLs will be created:
...
above it.
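As an added example (not code from this PR or the rhoas project), here is the flag validation raised in the wildcard comment above together with the ACL preview discussed in this thread, in one Go file: the --user/--service-account/--all-accounts checks from the hunk plus a rejection of an explicit "*", the single ALLOW ALTER CLUSTER binding that grant-admin applies, and the preview table printed behind a lead-in line. The ACLBinding struct and the "User:<id>" principal format are assumptions standing in for the SDK's AclBinding type.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ACLBinding is a simplified stand-in for the SDK's AclBinding type (field names are ours).
type ACLBinding struct {
	Principal, ResourceType, ResourceName, PatternType, Operation, Permission string
}

// resolvePrincipal maps the --user / --service-account / --all-accounts flags to one Kafka
// principal, refusing the combinations the CLI rejects plus a literal wildcard in either flag.
func resolvePrincipal(userID, serviceAccount string, allAccounts bool) (string, error) {
	if userID == "" && serviceAccount == "" && !allAccounts {
		return "", errors.New("no principal selected: use --user, --service-account or --all-accounts")
	}
	if allAccounts && (serviceAccount != "" || userID != "") {
		return "", errors.New("--all-accounts cannot be combined with --user or --service-account")
	}
	if allAccounts {
		return "User:*", nil
	}
	id := userID
	if id == "" {
		id = serviceAccount
	}
	// A "*" passed by hand would silently widen the grant to every account; only --all-accounts may do that.
	if strings.Contains(id, "*") {
		return "", fmt.Errorf("wildcard %q not allowed; use --all-accounts to grant to every account", id)
	}
	return "User:" + id, nil
}
// adminBindings returns what grant-admin applies: ALTER on the cluster resource, which Kafka
// checks for createAcls/deleteAcls. It does not cover topic creation, as the review thread found.
func adminBindings(principal string) []ACLBinding {
	return []ACLBinding{{principal, "CLUSTER", "kafka-cluster", "LITERAL", "ALTER", "ALLOW"}}
}
// previewTable renders the bindings behind a lead-in line so the table is not printed without context.
func previewTable(bindings []ACLBinding) string {
	var b strings.Builder
	b.WriteString("The following ACLs will be created:\n")
	fmt.Fprintf(&b, "%-14s %-10s %-10s %s\n", "PRINCIPAL", "PERMISSION", "OPERATION", "DESCRIPTION")
	for _, a := range bindings {
		fmt.Fprintf(&b, "%-14s %-10s %-10s %s is %q\n", a.Principal, a.Permission, a.Operation, a.ResourceType, a.ResourceName)
	}
	return b.String()
}
```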
pkg/cmd/kafka/acl/admin/admin.go (outdated)
|
|
||
| opts.kafkaID = instanceID | ||
|
|
||
| // check if priincipal is provided |
| // check if priincipal is provided | |
| // check if principal is provided |
wtrocki left a comment:
Reviewed and verified. Great job!
Force-pushed from a817214 to 9fef977
Add rhoas kafka acl admin command. Closes #1199
Verification Steps
--user flag set to abcabc and operationType=ALTER