Consumer group ACL creation issue on 0.19.0

[michael-todorovic]

Expected Behavior

We upgraded to 0.19.0. We have a topic where ACLs are OK. We want to grant some perms for a consumer group on this topic

Actual Behavior

When applying the permission for the consumer group, Ansible is happy but no consumer group is created. We rollbacked to 0.18.2 and the ACL is created so this looks related to 0.19.0 :)

Play to Reproduce the Problem

Logs from the play with Ansible in debug mode

ANSIBLE_DEBUG=true ansible-playbook my-awesome-playbook.yml

COPY/PASTE the result of the play here

Specifications

• Library version: 0.19.0

• Result of pip list command:

  Click pip list

  ``` ╰ pip list Package Version Editable project location ------------------------- --------- ----------------------------------------------- ansible 7.4.0 ansible-compat 3.0.2 ansible-core 2.14.4 appdirs 1.4.4 arrow 1.2.3 attrs 23.1.0 bcrypt 4.0.1 binaryornot 0.4.4 boto3 1.26.115 botocore 1.29.115 bracex 2.3.post1 certifi 2020.12.5 cffi 1.15.1 chardet 3.0.4 charset-normalizer 2.0.12 click 8.1.6 click-help-colors 0.9.1 colorlog 6.7.0 ConfigArgParse 1.5.3 cookiecutter 2.5.0 cruft 2.15.0 cryptography 41.0.1 decorator 4.4.2 deprecation 2.1.0 distro 1.8.0 dnspython 2.4.2 docker 6.1.3 dynmen 0.1.5 ecdsa 0.18.0 enrich 1.2.7 gitdb 4.0.10 GitPython 3.1.29 hvac 0.11.2 idna 2.9 ipython-genutils 0.2.0 Jinja2 3.1.2 jmespath 1.0.1 jsonschema 4.19.0 jsonschema-specifications 2023.7.1 kerberos 1.3.1 keycloak-client 0.15.4 markdown-it-py 3.0.0 MarkupSafe 2.1.3 mdurl 0.1.2 molecule 5.0.1 molecule-docker 2.1.0 molecule-plugins 23.5.0 netaddr 0.8.0 packaging 21.3 paramiko 3.1.0 pip 23.2.1 pluggy 1.2.0 prometheus-client 0.16.0 psutil 5.9.5 psycopg2 2.9.6 pyasn1 0.4.8 pycparser 2.20 Pygments 2.16.1 pykerberos 1.2.4 PyNaCl 1.5.0 pyparsing 3.0.9 pysftp 0.2.9 pysmb 1.2.9.1 pyspnego 0.9.1 python-consul 1.1.0 python-dateutil 2.8.2 python-dotenv 0.15.0 python-gitlab 3.12.0 python-jose 3.3.0 python-json-logger 2.0.7 python-keycloak 3.3.0 python-keycloak-client 0.2.3 python-slugify 8.0.1 pywinrm 0.4.3 PyYAML 6.0 referencing 0.30.2 requests 2.27.1 requests-ntlm 1.2.0 requests-toolbelt 1.0.0 resolvelib 0.8.1 rich 13.5.2 rpds-py 0.9.2 rsa 4.9 s3transfer 0.6.0 selinux 0.3.0 semantic-version 2.10.0 setproctitle 1.3.2 setuptools 67.6.1 six 1.14.0 smmap 5.0.0 subprocess-tee 0.4.1 text-unidecode 1.3 tqdm 4.65.0 traitlets 4.3.3 typer 0.9.0 typing_extensions 4.8.0 urllib3 1.26.16 vplog 1.0.1 vpmetrics 1.1.1 vpn-slice 0.16.1 vputils 1.12.0 wcmatch 8.5 websocket-client 1.6.1 wheel 0.40.0 xmltodict 0.13.0 ```

• Kafka version: 3.1.0

• Python version: 3.11.2

• OS: Debian 12

[StephenSorriaux]

Hello,

Thank you for the issue.

I tried to reproduce it locally with the Python & Kafka versions you provided but was not able to trigger the issue.

My playbook was (tested with kafka_acl and kafka_acls modules):

---
- name: Example | ACL creation
  hosts: 127.0.0.1
  roles:
    - name: kafka_lib
  post_tasks:
    - name: "Create a single ACL with multiple operations"
      kafka_acl:
        api_version: "3.1.0"
        name: 'my-consumer-group'
        acl_resource_type: 'group'
        acl_principal: 'User:consumer-client'
        acl_operations:
          - 'read'
        acl_permission: 'allow'
        acl_pattern_type: 'literal'
        bootstrap_servers: "localhost:9092"

    - name: "Get ACLs information"
      kafka_info:
        resource: "acl"
        api_version: "3.1.0"
        bootstrap_servers: "localhost:9092"
      register: acls

    - name: "Display results"
      debug:
        var: acls

The ACL for the consumer group my-consumer-group ends up being displayed in the results:

TASK [Display results] ***********************************************************************
ok: [127.0.0.1] => {
    "acls": {
        "ansible_module_results": {
            "group": {
                "my-consumer-group": [
                    {
                        "host": "*",
                        "operation": "read",
                        "pattern_type": "literal",
                        "permission_type": "allow",
                        "principal": "User:consumer-client",
                        "resource_name": "my-consumer-group",
                        "resource_type": "group"
                    }
                ]
            }
        },
        "changed": true,
        "failed": false
    }
}

I also made sure I got the same results with the kafka-acls.sh script:

# kafka-acls.sh --list --group my-consumer-group --authorizer-properties zookeeper.connect=localhost:2181
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=my-consumer-group, patternType=LITERAL)`: 
    (principal=User:consumer-client, host=*, operation=READ, permissionType=ALLOW)

Would it be possible for you to share a minimalist reproducible example?