Closed arpan57 closed 2 years ago
Hi @arpan57.
Sorry for making you wait so long for this.
Since I am the only maintainer right now, it can take a while to find the time.
I checked out your findings.
I created a user ACL with the following command:
kfk users --alter --user my-user --authorization-type simple --add-acl --resource-type topic --resource-name my-topic -n mabulgu-kafka-cluster -c my-cluster
When I describe the user, I see the ACL created:
(venv) ➜ strimzi-kafka-cli git:(master) kfk users --describe --user my-user -n mabulgu-kafka-cluster -c my-cluster -o yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kafka.strimzi.io/v1beta2","kind":"KafkaUser","metadata":{"annotations":{},"creationTimestamp":"2021-09-25T22:39:30Z","generation":1,"labels":{"strimzi.io/cluster":"my-cluster"},"name":"my-user","namespace":"mabulgu-kafka-cluster","resourceVersion":"124701059","selfLink":"/apis/kafka.strimzi.io/v1beta2/namespaces/mabulgu-kafka-cluster/kafkausers/my-user","uid":"34b1310f-7c48-4742-bcb0-7a9c2925a747"},"spec":{"authentication":{"type":"tls"},"authorization":{"acls":[{"host":"*","operation":"All","resource":{"name":"my-topic","patternType":"literal","type":"topic"},"type":"allow"}],"type":"simple"}},"status":{"conditions":[{"lastTransitionTime":"2021-09-25T22:39:30.509157Z","status":"True","type":"Ready"}],"observedGeneration":1,"secret":"my-user","username":"CN=my-user"}}
  creationTimestamp: "2021-09-25T22:39:30Z"
  generation: 2
  labels:
    strimzi.io/cluster: my-cluster
  name: my-user
  namespace: mabulgu-kafka-cluster
  resourceVersion: "124706655"
  selfLink: /apis/kafka.strimzi.io/v1beta2/namespaces/mabulgu-kafka-cluster/kafkausers/my-user
  uid: 34b1310f-7c48-4742-bcb0-7a9c2925a747
spec:
  authentication:
    type: tls
  authorization:
    acls:
    - host: '*'
      operation: All
      resource:
        name: my-topic
        patternType: literal
        type: topic
      type: allow
    type: simple
status:
  conditions:
  - lastTransitionTime: "2021-09-25T22:50:39.969503Z"
    status: "True"
    type: Ready
  observedGeneration: 2
  secret: my-user
  username: CN=my-user
When I run a delete command similar to yours:
kfk users --alter --delete-acl --user my-user --resource-type topic --resource-name my-topic -c my-cluster -n mabulgu-kafka-cluster
I can see the ACLs removed:
(venv) ➜ strimzi-kafka-cli git:(master) kfk users --describe --user my-user -n mabulgu-kafka-cluster -c my-cluster -o yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kafka.strimzi.io/v1beta2","kind":"KafkaUser","metadata":{"annotations":{},"creationTimestamp":"2021-09-25T22:39:30Z","generation":2,"labels":{"strimzi.io/cluster":"my-cluster"},"name":"my-user","namespace":"mabulgu-kafka-cluster","resourceVersion":"124706655","selfLink":"/apis/kafka.strimzi.io/v1beta2/namespaces/mabulgu-kafka-cluster/kafkausers/my-user","uid":"34b1310f-7c48-4742-bcb0-7a9c2925a747"},"spec":{"authentication":{"type":"tls"},"authorization":{"acls":[],"type":"simple"}},"status":{"conditions":[{"lastTransitionTime":"2021-09-25T22:50:39.969503Z","status":"True","type":"Ready"}],"observedGeneration":2,"secret":"my-user","username":"CN=my-user"}}
  creationTimestamp: "2021-09-25T22:39:30Z"
  generation: 3
  labels:
    strimzi.io/cluster: my-cluster
  name: my-user
  namespace: mabulgu-kafka-cluster
  resourceVersion: "124708526"
  selfLink: /apis/kafka.strimzi.io/v1beta2/namespaces/mabulgu-kafka-cluster/kafkausers/my-user
  uid: 34b1310f-7c48-4742-bcb0-7a9c2925a747
spec:
  authentication:
    type: tls
  authorization:
    acls: []
    type: simple
status:
  conditions:
  - lastTransitionTime: "2021-09-25T22:54:35.144991Z"
    status: "True"
    type: Ready
  observedGeneration: 3
  secret: my-user
  username: CN=my-user
I am using the same command as yours.
One thing comes to my mind: while setting the ACL, if you specifically set some default values like host, operation, pattern-type, type, you also have to specify them while deleting, because the code looks for an exact match of the ACL dictionary to be deleted. Otherwise that would be a problem for different ACLs being deleted because they share the same topic. You have to explicitly define all the other details if you customized them (not using the defaults like operation=All, host='*' etc.)
Please check it out and let me know if it works.
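The exact-match behaviour described in the comment above, as an added example that is not the project's own code: `build_acl`, `delete_acl_exact` and `remaining_grants` are hypothetical helpers, and the user is a constructed sample with Read and Write ACLs on `my-topic`. It shows a delete issued with default values removing nothing, and a post-delete check that catches the grants still in place.

```python
import copy

# Defaults: operation=All and host='*' are named in the comment above;
# patternType=literal and type=allow are taken from the describe output.
ACL_DEFAULTS = {"host": "*", "operation": "All", "patternType": "literal", "type": "allow"}


def build_acl(resource_type, resource_name, **overrides):
    """Build one ACL entry in the KafkaUser spec shape shown in the describe output."""
    opts = {**ACL_DEFAULTS, **overrides}
    return {
        "host": opts["host"],
        "operation": opts["operation"],
        "resource": {"name": resource_name, "patternType": opts["patternType"],
                     "type": resource_type},
        "type": opts["type"],
    }


def delete_acl_exact(user, acl):
    """Hypothetical delete: drop only entries equal to `acl`; return (user, removed)."""
    updated = copy.deepcopy(user)
    auth = updated["spec"]["authorization"]
    kept = [entry for entry in auth["acls"] if entry != acl]
    removed = len(auth["acls"]) - len(kept)
    auth["acls"] = kept
    return updated, removed


def remaining_grants(user, resource_type, resource_name):
    """Post-delete check: ACLs that still reference the resource."""
    return [a for a in user["spec"]["authorization"]["acls"]
            if a["resource"]["type"] == resource_type
            and a["resource"]["name"] == resource_name]


def demo():
    # Constructed sample user with customized operations (Read, Write).
    user = {"spec": {"authentication": {"type": "tls"},
                     "authorization": {"type": "simple", "acls": [
                         build_acl("topic", "my-topic", operation="Read"),
                         build_acl("topic", "my-topic", operation="Write")]}}}
    # Delete with defaults (operation=All): no entry is equal, nothing is revoked.
    user, removed_default = delete_acl_exact(user, build_acl("topic", "my-topic"))
    left_after_default = len(remaining_grants(user, "topic", "my-topic"))
    # Delete with the operation stated explicitly: each entry now matches.
    user, removed_read = delete_acl_exact(user, build_acl("topic", "my-topic", operation="Read"))
    user, removed_write = delete_acl_exact(user, build_acl("topic", "my-topic", operation="Write"))
    left_after_explicit = len(remaining_grants(user, "topic", "my-topic"))
    return removed_default, left_after_default, removed_read + removed_write, left_after_explicit
```

A revoke that changes nothing leaves the principal's access intact, so the check on remaining grants is worth running after every ACL delete.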
@arpan57 I am closing this since I did not hear from you for some time. Feel free to open another issue for this if you still feel it is not resolved. Thanks
Hi,
I have added the user. I have assigned ACLs to the user for read and write. I can see that my-user has the proper ACLs using
kfk users --describe --user my-user -n secure-ns -c my-cluster.
Now, I want to remove the ACLs for that user, so I run the alter command as follows:
kfk users --alter --delete-acl --user my-user --resource-type topic --resource-name topic-name -c my-cluster -n secure-ns
Pressing enter, I see the message: kafkauser.kafka.strimzi.io/my-user configured
If I check the ACLs, the ACLs are still present for my-user for topic-name. Similarly, if I execute
$kfk users --describe --user my-user -n secure-ns -c my-cluster
I still see the Authorization ACLs for this user. Similarly, I tried with
$kfk acls --remove --allow-principal User:my-user -c my-cluster -n secure-ns
Also tried with
$kfk acls --remove --allow-principal User:CN=my-user -c my-cluster -n secure-ns
Pressing the enter key: this does not give any kind of message/error/OK.
But when I list the ACLs, they are still there. Similarly, when I describe the user, I still see the ACLs for my-user.
Versions:
Strimzi CLI 0.1.0a57
Strimzi 0.20.1
Kubectl v1.16.15
Happy to share more details if required.
Regards, Arpan