search

SystemCraftsman / strimzi-kafka-cli

Command Line Interface for the Strimzi Kafka Operator
Apache License 2.0
78 stars 13 forks source link

While creating user --authorization-type has no effect #88

Closed arpan57 closed 2 years ago

arpan57 commented 3 years ago

I am creating the user with following command

$kfk users --create --user my-user --authentication-type tls --authorization-type simple -n kafka -c my-cluster I get a message that kafkauser.kafka.strimzi.io/my-user created. However, I would expect this user's spec to have an empty section with acls and Authorization set to Type: Simple This is what I am expecting to see

Spec : 
    Authentication: 
         Type: tls 
   Authorization: 
         Acls: [] or black
         Type: simple

But it creates the user with following spec:

Spec : 
    Authentication: 
         Type: tls

Basically, that --authorization-type has no effect.

Infact this is important that it creates the user with authorization it is forcing us to use alter user and add ACL with it and then again I have to use kfk acls to add group acls. Manually when I am adding this section showed in the expected, I am able to update the topic and group permission in a single go, without any error. I would raise another issue for the same explaining in more details.

Versions Strimzi CLI 0.1.0a57 Strimzi 0.20.1 Kubectl v1.16.15

Regards, Arpan

arpan57 commented 3 years ago

My feeling is that the issues https://github.com/systemcraftsman/strimzi-kafka-cli/issues/86, https://github.com/systemcraftsman/strimzi-kafka-cli/issues/87, https://github.com/systemcraftsman/strimzi-kafka-cli/issues/89 should be fixed if we fix this issue.

Cheers, Arpan

mabulgu commented 2 years ago

Hi @arpan57 ,

This is actually by design that you should alter the user to be able to add an --authorization-type since the auth types need some extra config like ACLs (in this case for simple auth). Without any ACLs Strimzi doesn't allow you to create authorization with simple.

I thought about this a lot and decided to only implement it by altering because for a single alter, you can add one acl and if you need to add more than one ACL you would either way run it while creating or altering. So to prevent confusion, I decided to implement it on alter only.

It doesn't just make sense to use an --add-acl command while creating a user like it is an --alter.

But if you find this valuable (regarding your explanation above) to be able to create acls on user creation, I can also implement it. But pls keep in mind that you will either way have to add more acls via --alter

mabulgu commented 2 years ago

@arpan57 I am closing this since I did not hear you for some time. Feel free to open another issue for this if you still feel it is not resolved. Thanks