SystemCraftsman / strimzi-kafka-cli

Command Line Interface for the Strimzi Kafka Operator
Apache License 2.0

Unable to delete the ACLs for the user using kfk users --alter or kfk acls --remove #86

Closed arpan57 closed 2 years ago

arpan57 commented 3 years ago

Hi,

I have added the user. I have assigned ACLs to the user for read and write. I can see that my-user has the proper ACLs using kfk users --describe --user my-user -n secure-ns -c my-cluster.

Now, I want to remove the ACLs for that user, so I run the alter command like the following:

kfk users --alter --delete-acl --user my-user --resource-type topic --resource-name topic-name -c my-cluster -n secure-ns

Pressing enter I see the message: kafkauser.kafka.strimzi.io/my-user configured

If I check the ACLs, the ACLs are still present for my-user for topic-name. Similarly, if I execute $kfk users --describe --user my-user -n secure-ns -c my-cluster I still see the Authorization ACLs for this user.

Similarly I tried with

$kfk acls --remove --allow-principal User:my-user -c my-cluster -n secure-ns

Also tried with

$kfk acls --remove --allow-principal User:CN=my-user -c my-cluster -n secure-ns

Pressing the enter key gives no message, error or OK of any kind.

But when I list the ACLs they are still there. Similarly when I describe the user I still see the ACLs for the my-user.

Versions:
Strimzi CLI 0.1.0a57
Strimzi 0.20.1
Kubectl v1.16.15

Happy to share more details if required.

Regards, Arpan

mabulgu commented 2 years ago

Hi @arpan57.

Sorry for making you wait so long for this.

Since I am the only maintainer right now, it can take a while to find the time.

I checked out your findings.

I created a user acl with the following command:

kfk users --alter --user my-user --authorization-type simple --add-acl --resource-type topic --resource-name my-topic -n mabulgu-kafka-cluster -c my-cluster

When I describe it, I see the ACL created:

(venv) ➜  strimzi-kafka-cli git:(master) kfk users --describe --user my-user -n mabulgu-kafka-cluster -c my-cluster -o yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kafka.strimzi.io/v1beta2","kind":"KafkaUser","metadata":{"annotations":{},"creationTimestamp":"2021-09-25T22:39:30Z","generation":1,"labels":{"strimzi.io/cluster":"my-cluster"},"name":"my-user","namespace":"mabulgu-kafka-cluster","resourceVersion":"124701059","selfLink":"/apis/kafka.strimzi.io/v1beta2/namespaces/mabulgu-kafka-cluster/kafkausers/my-user","uid":"34b1310f-7c48-4742-bcb0-7a9c2925a747"},"spec":{"authentication":{"type":"tls"},"authorization":{"acls":[{"host":"*","operation":"All","resource":{"name":"my-topic","patternType":"literal","type":"topic"},"type":"allow"}],"type":"simple"}},"status":{"conditions":[{"lastTransitionTime":"2021-09-25T22:39:30.509157Z","status":"True","type":"Ready"}],"observedGeneration":1,"secret":"my-user","username":"CN=my-user"}}
  creationTimestamp: "2021-09-25T22:39:30Z"
  generation: 2
  labels:
    strimzi.io/cluster: my-cluster
  name: my-user
  namespace: mabulgu-kafka-cluster
  resourceVersion: "124706655"
  selfLink: /apis/kafka.strimzi.io/v1beta2/namespaces/mabulgu-kafka-cluster/kafkausers/my-user
  uid: 34b1310f-7c48-4742-bcb0-7a9c2925a747
spec:
  authentication:
    type: tls
  authorization:
    acls:
    - host: '*'
      operation: All
      resource:
        name: my-topic
        patternType: literal
        type: topic
      type: allow
    type: simple
status:
  conditions:
  - lastTransitionTime: "2021-09-25T22:50:39.969503Z"
    status: "True"
    type: Ready
  observedGeneration: 2
  secret: my-user
  username: CN=my-user

When I run a delete command similar to yours:

kfk users --alter --delete-acl --user my-user --resource-type topic --resource-name my-topic -c my-cluster -n mabulgu-kafka-cluster

I can see the ACLs removed:

(venv) ➜  strimzi-kafka-cli git:(master) kfk users --describe --user my-user -n mabulgu-kafka-cluster -c my-cluster -o yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kafka.strimzi.io/v1beta2","kind":"KafkaUser","metadata":{"annotations":{},"creationTimestamp":"2021-09-25T22:39:30Z","generation":2,"labels":{"strimzi.io/cluster":"my-cluster"},"name":"my-user","namespace":"mabulgu-kafka-cluster","resourceVersion":"124706655","selfLink":"/apis/kafka.strimzi.io/v1beta2/namespaces/mabulgu-kafka-cluster/kafkausers/my-user","uid":"34b1310f-7c48-4742-bcb0-7a9c2925a747"},"spec":{"authentication":{"type":"tls"},"authorization":{"acls":[],"type":"simple"}},"status":{"conditions":[{"lastTransitionTime":"2021-09-25T22:50:39.969503Z","status":"True","type":"Ready"}],"observedGeneration":2,"secret":"my-user","username":"CN=my-user"}}
  creationTimestamp: "2021-09-25T22:39:30Z"
  generation: 3
  labels:
    strimzi.io/cluster: my-cluster
  name: my-user
  namespace: mabulgu-kafka-cluster
  resourceVersion: "124708526"
  selfLink: /apis/kafka.strimzi.io/v1beta2/namespaces/mabulgu-kafka-cluster/kafkausers/my-user
  uid: 34b1310f-7c48-4742-bcb0-7a9c2925a747
spec:
  authentication:
    type: tls
  authorization:
    acls: []
    type: simple
status:
  conditions:
  - lastTransitionTime: "2021-09-25T22:54:35.144991Z"
    status: "True"
    type: Ready
  observedGeneration: 3
  secret: my-user
  username: CN=my-user

I am using the same command as you.

One thing that comes to mind: while setting the ACL, if you specifically set some default values like host, operation, pattern-type or type, you also have to specify them while deleting, because the code looks for an exact match of the ACL dictionary to be deleted. Otherwise it would be a problem for different ACLs being deleted because they share the same topic. You have to explicitly define all the other details if you customized them (not using the defaults like operation=All, host='*', etc.).

Please check it out and let me know if it works.
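
An added illustration of the exact-match deletion rule described in the comment above (not the CLI's own code; the spec dictionaries are constructed from the YAML in this thread, and build_acl/delete_acl_exact are a hypothetical model of how a --delete-acl request is matched). It shows why a delete using only the defaults leaves a customized ACL in place, and includes the post-change check a practitioner should run before trusting that access was really revoked.

```python
import copy

# Constructed sample: a KafkaUser spec as shown in the thread after --add-acl,
# where the CLI filled in the defaults (host '*', operation All, literal pattern).
SPEC_DEFAULT_ACL = {
    "authentication": {"type": "tls"},
    "authorization": {"type": "simple", "acls": [
        {"host": "*", "operation": "All", "type": "allow",
         "resource": {"name": "my-topic", "patternType": "literal", "type": "topic"}},
    ]},
}

# Constructed sample: the same user, but the ACL was created with a customized
# operation (Read) instead of the default All.
SPEC_CUSTOM_ACL = copy.deepcopy(SPEC_DEFAULT_ACL)
SPEC_CUSTOM_ACL["authorization"]["acls"][0]["operation"] = "Read"


def build_acl(resource_type, resource_name, operation="All", host="*",
              pattern_type="literal", acl_type="allow"):
    """Build the ACL dictionary an --add-acl/--delete-acl request describes,
    applying the same defaults for every flag left out (hypothetical model)."""
    return {"host": host, "operation": operation, "type": acl_type,
            "resource": {"name": resource_name, "patternType": pattern_type,
                         "type": resource_type}}


def delete_acl_exact(spec, acl):
    """Remove only entries equal to `acl` field-for-field, as the maintainer
    describes. Returns (new_spec, number_removed); 0 means nothing matched."""
    new_spec = copy.deepcopy(spec)
    acls = new_spec["authorization"]["acls"]
    remaining = [entry for entry in acls if entry != acl]
    new_spec["authorization"]["acls"] = remaining
    return new_spec, len(acls) - len(remaining)


def acls_for_resource(spec, resource_type, resource_name):
    """Post-change check: ACLs still granting anything on the resource.
    An empty list is the only proof that the removal actually took effect."""
    return [entry for entry in spec["authorization"]["acls"]
            if entry["resource"]["type"] == resource_type
            and entry["resource"]["name"] == resource_name]


def removed_count(spec, **delete_flags):
    """Apply a delete request built from the flags; return (removed, still_left)."""
    new_spec, n = delete_acl_exact(spec, build_acl(**delete_flags))
    left = acls_for_resource(new_spec, delete_flags["resource_type"],
                             delete_flags["resource_name"])
    return n, len(left)
```

The "configured" message from kubectl only confirms the resource was applied, so a describe after the alter is the check that tells you whether the ACL list actually changed.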

mabulgu commented 2 years ago

@arpan57 I am closing this since I have not heard from you for some time. Feel free to open another issue for this if you still feel it is not resolved. Thanks