StephenSorriaux / ansible-kafka-admin

Manage your topic's configuration (partitions, replication factor, parameters), ACLs, quotas, users and get stats, without any effort with this library. It does not use the Kafka scripts and does not require ssh connection to the remote broker.
Apache License 2.0

Add support for `--producer` and `--consumer` ACL actions #70

Closed hinchliff closed 2 years ago

hinchliff commented 3 years ago

Expected Behavior

I'm not an expert on Kafka ACLs, but it seems that the Kafka commands have shortcuts for adding Principals as either a Producer or Consumer.

bin/kafka-acls --bootstrap-server localhost:9092 --command-config adminclient-configs.conf \
 --add --allow-principal User:janedoe@bigdata.com \
 --producer --topic test-topic
bin/kafka-acls --bootstrap-server localhost:9092 --command-config adminclient-configs.conf \
 --add --allow-principal User:janedoe@bigdata.com \
 --consumer --topic test-topic --group Group-1

It looks like the --producer option will add Create, Read, Write, and Describe, while --consumer will add Read and Describe?

Actual Behavior

I think the current behavior of kafka_lib is that only a single acl_operation can be added at a time, meaning that multiple tasks would be required to add sufficient permissions for many use-cases (?)

Allowing a single task to specify multiple acl_operation would also be an improvement?

StephenSorriaux commented 3 years ago

Hi,

Thanks for this issue.

> It looks like the --producer option will add Create, Read, Write, and Describe, while --consumer will add Read and Describe?

Yes, and some ACLs related to transactions (https://github.com/apache/kafka/blob/2.5/core/src/main/scala/kafka/admin/AclCommand.scala#L350)

> I think the current behavior of kafka_lib is that only a single acl_operation can be added at a time, meaning that multiple tasks would be required to add sufficient permissions for many use-cases (?)

Yes, this is the current behavior, you would need multiple tasks (a with_items loop is generally used).

> Allowing a single task to specify multiple acl_operation would also be an improvement?

This is something that can be added. It seems like the Kafka protocol has enough things to keep this kind of task idempotent.
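The multi-task workaround described above, written out as an added example (it is not from the issue or from the project's own documentation): one kafka_acl task looped over the per-operation ACLs that the two kafka-acls commands in the report would create. The parameter names (kafka_acl, acl_resource_type, name, acl_principal, acl_operation, acl_permission, acl_pattern_type, state, bootstrap_servers) are assumed from the module's interface, and the operation sets are what I take the linked AclCommand.scala to grant for --producer and --consumer; check both against the source you are running before relying on them.

```yaml
# Added example, not from the issue or the project. Expands the two kafka-acls
# shortcuts from the report into explicit per-operation kafka_acl tasks.
# Parameter names are assumed from the kafka_acl module; the operation sets
# are assumed from AclCommand.scala (linked above) for --producer / --consumer,
# leaving out the transactional_id ACLs, which only matter for transactional
# producers.
- name: "Grant producer and consumer ACLs on test-topic"
  hosts: localhost
  gather_facts: false
  vars:
    bootstrap_servers: "localhost:9092"
    producer: "User:janedoe@bigdata.com"
    consumer: "User:janedoe@bigdata.com"
    topic: "test-topic"
    group: "Group-1"
    # --producer --topic test-topic  -> Write, Describe, Create on the topic
    # --consumer --topic test-topic --group Group-1
    #                                -> Read, Describe on the topic, Read on the group
    acl_set:
      - { principal: "{{ producer }}", type: topic, name: "{{ topic }}", op: write }
      - { principal: "{{ producer }}", type: topic, name: "{{ topic }}", op: describe }
      - { principal: "{{ producer }}", type: topic, name: "{{ topic }}", op: create }
      - { principal: "{{ consumer }}", type: topic, name: "{{ topic }}", op: read }
      - { principal: "{{ consumer }}", type: topic, name: "{{ topic }}", op: describe }
      - { principal: "{{ consumer }}", type: group, name: "{{ group }}", op: read }
  tasks:
    - name: "Create ACL"
      kafka_acl:
        acl_resource_type: "{{ item.type }}"
        name: "{{ item.name }}"
        acl_principal: "{{ item.principal }}"
        acl_operation: "{{ item.op }}"
        acl_permission: "allow"
        acl_pattern_type: "literal"
        state: "present"
        bootstrap_servers: "{{ bootstrap_servers }}"
      loop: "{{ acl_set }}"
      loop_control:
        # one line per ACL in the run output, so a partial failure is easy to spot
        label: "{{ item.principal }} {{ item.op }} {{ item.type }}:{{ item.name }}"
```

`with_items` behaves the same as `loop` here. Each iteration is its own present/absent check, so a run reports one changed item per ACL that was missing and leaves existing ones untouched; it does not remove any extra ACL the principal already holds, which is the part a single multi-operation task would have to reconcile to stay idempotent.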

saiello commented 2 years ago

Hi, having something like this could satisfy @hinchliff needs and would be very flexible:

    - name: "Create ACL for a producer client"
      kafka_acls:
        acls:
          - name: 'my-topic'
            acl_resource_type: 'topic'
            acl_principal: 'User:producer-user'
            acl_operations:
              - 'write'
              - 'describe'
            acl_permission: 'allow'
            acl_pattern_type: 'literal'

          - name: 'my-topic'
            acl_resource_type: 'topic'
            acl_principal: 'User:consumer-user'
            acl_operations:
              - 'read'
              - 'describe'
            acl_permission: 'allow'
            acl_pattern_type: 'literal'
        bootstrap_servers: "localhost:9092"