Closed hinchliff closed 2 years ago
Hi,
Thanks for this issue.
It looks like the --producer option will add Create, Read, Write, and Describe, while --consumer will add Read and Describe?
Yes, and some ACLs related to transactions (https://github.com/apache/kafka/blob/2.5/core/src/main/scala/kafka/admin/AclCommand.scala#L350)
I think the current behavior of kafka_lib is that only a single acl_operation can be added at a time, meaning that multiple tasks would be required to add sufficient permissions for many use-cases (?)
Yes, this is the current behavior, you would need multiple tasks (a with_items loop is generally used).
Allowing a single task to specify multiple acl_operation would also be an improvement?
This is something that can be added. It seems like the Kafka protocol has enough things to keep this kind of task idempotent.
Hi, having something like this could satisfy @hinchliff's needs and would be very flexible:
- name: "Create ACL for a producer client"
  kafka_acls:
    acls:
      - name: 'my-topic'
        acl_resource_type: 'topic'
        acl_principal: 'User:producer-user'
        acl_operations:
          - 'write'
          - 'describe'
        acl_permission: 'allow'
        acl_pattern_type: 'literal'
      - name: 'my-topic'
        acl_resource_type: 'topic'
        acl_principal: 'User:consumer-user'
        acl_operations:
          - 'read'
          - 'describe'
        acl_permission: 'allow'
        acl_pattern_type: 'literal'
    bootstrap_servers: "localhost:9092"
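Added example (not part of the thread and not the module's own code): one way a multi-operation task like the one proposed above can stay idempotent is to expand each entry into one binding per operation and diff that set against the ACLs already on the broker. The names AclBinding, expand and plan are hypothetical, the defaults for pattern type and permission are assumptions, and the EXISTING broker state is constructed for illustration.

```python
from __future__ import annotations
from typing import Iterable, NamedTuple

class AclBinding(NamedTuple):
    resource_type: str
    name: str
    pattern_type: str
    principal: str
    operation: str
    permission: str

def expand(acls: Iterable[dict]) -> set[AclBinding]:
    """One binding per operation; a set, so repeated entries collapse."""
    out = set()
    for e in acls:
        if not e.get("acl_operations"):
            raise ValueError(f"no acl_operations for {e.get('name')!r}")
        for op in e["acl_operations"]:
            # Defaults 'literal' and 'allow' are assumptions of this example.
            out.add(AclBinding(e["acl_resource_type"].lower(), e["name"],
                               e.get("acl_pattern_type", "literal").lower(),
                               e["acl_principal"], op.lower(),
                               e.get("acl_permission", "allow").lower()))
    return out

def plan(desired: set[AclBinding], existing: set[AclBinding]):
    """Return (to_create, extras); an empty to_create means nothing changes."""
    to_create = desired - existing
    scope = {b[:4] for b in desired}  # resource + principal pairs being managed
    # Grants on a managed pair that the task did not ask for (least-privilege review).
    extras = {b for b in existing - desired if b[:4] in scope}
    return to_create, extras

# The 'acls' list from the proposal above, as already-parsed YAML.
DESIRED = [
    {"name": "my-topic", "acl_resource_type": "topic",
     "acl_principal": "User:producer-user", "acl_operations": ["write", "describe"],
     "acl_permission": "allow", "acl_pattern_type": "literal"},
    {"name": "my-topic", "acl_resource_type": "topic",
     "acl_principal": "User:consumer-user", "acl_operations": ["read", "describe"],
     "acl_permission": "allow", "acl_pattern_type": "literal"},
]
# Constructed broker state: one binding already present, one broader than requested.
EXISTING = {
    AclBinding("topic", "my-topic", "literal", "User:producer-user", "write", "allow"),
    AclBinding("topic", "my-topic", "literal", "User:consumer-user", "all", "allow"),
}
```

Running plan(expand(DESIRED), EXISTING) reports three bindings to create and flags the consumer's existing 'all' grant as an extra; a second run against the resulting state creates nothing.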
Expected Behavior
I'm not an expert on Kafka ACLs, but it seems that the Kafka commands have shortcuts for adding Principals as either a Producer or Consumer.
It looks like the --producer option will add Create, Read, Write, and Describe, while --consumer will add Read and Describe?
Actual Behavior
I think the current behavior of kafka_lib is that only a single acl_operation can be added at a time, meaning that multiple tasks would be required to add sufficient permissions for many use-cases (?)
Allowing a single task to specify multiple acl_operation would also be an improvement?
Specifications
pip list command: