Closed arpan57 closed 2 years ago
Closing this one since I will fix this by fixing #33
Fix is released with the new version: https://github.com/systemcraftsman/strimzi-kafka-cli/releases/tag/0.1.0-alpha58
Run the following to upgrade your Strimzi CLI version:
sudo pip install strimzi-kafka-cli --upgrade
Hi,
This is a bit elaborated issue and it took some time for me to understand the behaviour. This is a related to https://github.com/systemcraftsman/strimzi-kafka-cli/issues/88
When I trying to add the ACLs using following:
$kfk acls --add --allow-principal User:my-user --operation Read --topic test -c my-cluster -n kafka
Or
$kfk acls --add --allow-principal User:my-user --operation Read --topic test --group my-group -c my-cluster -n kafka
We get a message : kafkauser.kafka.strimzi.io/my-user configured But when I look at the spec of the user by describe command I do not see any ACLs updated. I still see like following under the spec.
Now to make the things work I have two options. 1) Manually update the user resource by
$kubectl edit KafkaUser/my-user
and make it look like followingAnd now run the above commands
$kfk acls --add --allow-principal User:my-user --operation Read --topic test -c my-cluster -n kafka
Or
$kfk acls --add --allow-principal User:my-user --operation Read --topic test --group my-group -c my-cluster -n kafka
This works and it updates the required ACLs and when I use describe command I can see that user's ACLs are updated as well as kfk users --list shows the my-user has Read permission on the topic and my-group has read access etc.
2) Second option is update the user with alter and add an ACL and that add the acls : in spec.
kfk users --alter --user my-user --authorization-type simple --add-acl --resource-type topic --resource-name my-topic --operation Read -n kafka -c my-cluster
Now if I run describe command on it or kfk acls, I can see that ACLs are updated.And now I can add group principal
kfk acls --add --allow-principal user:my-user --operation Read --group readers --topic my-topic -c my-cluster -n kafka
Ideally I would have expected to add principals for both the users and group by kfk acls --add.Hope I am making sense. I think if we fix https://github.com/systemcraftsman/strimzi-kafka-cli/issues/88. This should get fix automatically, if we can add empty list of acls in spec (like I did manually by kubectl edit )
Please let me know if something is unclear.
Regards, Arpan