fix: allow to delete all ACLs for principal

[wtrocki]

Creating for early feedback for #1430

Validation for delete command were redundant preventing users from deleting multiple acls.
For example it would not be possible to remove all ACLs for Service account.

After this change it is possible:

✔️  Deleted 5 ACLs from Kafka instance "wtrocki"
The following ACL rules were deleted:

  PRINCIPAL (5)    PERMISSION   OPERATION   DESCRIPTION               
 ---------------- ------------ ----------- -------------------------- 
  test             allow        write       transactional-id is "*"   
  test             allow        describe    topic starts with "test"  
  test             allow        write       topic starts with "test"  
  test             allow        create      topic starts with "test"  
  test             allow        describe    transactional-id is "*"   

However we need to still spend some time cleaning up messages/validation and arguments to API.
Posted for early feedback

Verification

[wtrocki@graphapi app-services-cli (delete-acl)]$ rhoas kafka acl delete --pattern-type=any --service-account=test
? All ACLs matching the criteria provided will be deleted from the Kafka instance "wtrocki". Are you sure you want to proceed? Yes


✔️  Deleted 5 ACLs from Kafka instance "wtrocki"
The following ACL rules were deleted:

  PRINCIPAL (5)    PERMISSION   OPERATION   DESCRIPTION               
 ---------------- ------------ ----------- -------------------------- 
  test             allow        describe    topic starts with "test"  
  test             allow        write       transactional-id is "*"   
  test             allow        describe    transactional-id is "*"   
  test             allow        write       topic starts with "test"  
  test             allow        create      topic starts with "test" 

Delete all write operations for sa

rhoas kafka acl delete --service-account=test1 --operation=write -v --pattern-type=any

other variations

[rkpattnaik780]

Deleting all acls for a principal.
Passing other arguments needs to be handled for deleting specific ACL. Ignore if it is on todo.

[wtrocki]

Not sure if we should allow all accounts as well?

[wtrocki@graphapi app-services-cli (delete-acl ✗)]$ rhoas kafka acl delete --all-accounts         
? All ACLs matching the criteria provided will be deleted from the Kafka instance "wtrocki". Are you sure you want to proceed? Yes


✔️  Deleted 4 ACLs from Kafka instance "wtrocki"
The following ACL rules were deleted:

  PRINCIPAL (4)    PERMISSION   OPERATION          DESCRIPTION     
 ---------------- ------------ ------------------ ---------------- 
  All Accounts     allow        describe-configs   topic is "*"    
  All Accounts     allow        describe           group is "*"    
  All Accounts     allow        describe           cluster is "*"  
  All Accounts     allow        describe           topic is "*"  
  

[wtrocki]

Seeing some strange issue/inconsitencies:

[wtrocki@graphapi app-services-cli (delete-acl)]$ rhoas kafka acl list                    

  PRINCIPAL (5)    PERMISSION   OPERATION   DESCRIPTION               
 ---------------- ------------ ----------- -------------------------- 
  wtrocki          allow        create      topic starts with "test"  
  wtrocki          allow        describe    topic starts with "test"  
  wtrocki          allow        write       topic starts with "test"  
  wtrocki          allow        describe    transactional-id is "*"   
  wtrocki          allow        write       transactional-id is "*"   
[wtrocki@graphapi app-services-cli (delete-acl)]$ rhoas kafka acl delete --service-account=wtrocki
? All ACLs matching the criteria provided will be deleted from the Kafka instance "wtrocki". Are you sure you want to proceed? Yes


✔️  Deleted 2 ACLs from Kafka instance "wtrocki"
The following ACL rules were deleted:

  PRINCIPAL   PERMISSION   OPERATION   DESCRIPTION              
 ----------- ------------ ----------- ------------------------- 
  wtrocki     allow        describe    transactional-id is "*"  
  wtrocki     allow        write       transactional-id is "*"  
  

[wtrocki]

Ok. So problem is with Pattern Type. because we assume Literal pattern type is provided by default there is no easy way for us to fix that without breaking CLI. I will need to add explicit pattern-type=none and deprecated --prefix to get around this

[wtrocki]

@craicoverflow @rkpattnaik780 I have managed to workaround problem by introducing new flag called pattern type and deprecated prefix.

Not sure if we should be deprecating prefix or still keep it?
I'm testing all gazillion test use cases that this change introduced

[craicoverflow]

Pattern type is fine to use. I used "prefix" because this is what confluent CLI does.

[wtrocki]

I still removed depreciation from prefix as it is much simpler/neater flag.

We have pattern-type=all only because there is no other way to reflect it now. When none is specified it should be literal and prefix stays as it is. Obviously pattern type supports all other flags but that is too verbose IMHO for regular use

[rkpattnaik780]

Not sure if we should allow all accounts as well?

UI allows deleting permissions for all accounts. We should keep it too.

[rkpattnaik780]

This should be moved after the switch in 264.
Current behavior keeps pattern type as literal if we pass --prefix flag.

./rhoas kafka acl delete --user enda --topic "rhoas-" --prefix -v

/rest/acls?patternType=LITERAL&permission=ANY&principal=User%3Aenda&resourceName=rhoas-&resourceType=TOPIC

[wtrocki]

Oh.. I did refactor if into switch and introduced that bug. Really hate that golanglint forces us to use switch statements even when they do not make sense

[craicoverflow]

You could always look to remove that rule from the lint config file? It is not a rule coming from the Go stdlib or anything.

[rkpattnaik780]

The flag description looks odd

Determine if the resource should be exact match, prefix or any [any literal prefix] (default "literal")

Should we keep options in description only?

[wtrocki]

It is good to give list of values in canonical form. Will remove them from description

[craicoverflow]

Yes you are right @wtrocki it is good to, but currently they are not. The output that @rkpattnaik780 shows is the exact output from the command.

[craicoverflow]

What is this submodule for?

[wtrocki]

What is this submodule for?

That was different POC. Removing it

[craicoverflow]

Verified. I left one suggestion regarding printing deprecation message from within the command output aswell as in the description.

[craicoverflow]

It'd be nice to add this into the flag package we have created? I know it is not used in other commands but it does abstract it away and make the command setup much easier to read.

[wtrocki]

I think flag package is overkill

[craicoverflow]

The package already exists though, so don't see how (there is no extra code involved).

[craicoverflow]

You could always look to remove that rule from the lint config file? It is not a rule coming from the Go stdlib or anything.

[craicoverflow]

I also think that when a deprecated flag is used, the command should print a message like:

$ rhoas kafka acl delete --prefix

The "--prefix" flag has been deprecated, in the future please use "--pattern-type"

... delete output

The reason being that existing users of the CLI will not be checking the flag descriptions any more as they already understand the purpose of the prefix flag, so will likely never see that it is deprecated.

[wtrocki]

Fully agree. I will remove that method as it is not used right now and it is not properly implemented.

[craicoverflow]

Yes you are right @wtrocki it is good to, but currently they are not. The output that @rkpattnaik780 shows is the exact output from the command.

[craicoverflow]

Is pattern type needed in order to do this?

[wtrocki]

Yes. While it is counter intuitive we need backwards compatibility.

So:

• nothing provided - exact match
• all - take all
• prefix (use prefix)

etc.

[wtrocki]

You could always look to remove that rule from the lint config file? It is not a rule coming from the Go stdlib or anything.

Rule itself is good, but it does have lots of false positives - where doing switch is not possible.
I will need to start disabling linting for this instead.