SystemCraftsman / strimzi-kafka-cli

Command Line Interface for the Strimzi Kafka Operator
Apache License 2.0

kfk acls --add doesn't have effects unless ACLs are first updated by kfk users --alter #89

Closed arpan57 closed 2 years ago

arpan57 commented 3 years ago

Hi,

This is a somewhat elaborate issue and it took some time for me to understand the behaviour. This is related to https://github.com/systemcraftsman/strimzi-kafka-cli/issues/88

When I try to add the ACLs using the following:

$kfk acls --add --allow-principal User:my-user --operation Read --topic test -c my-cluster -n kafka

Or

$kfk acls --add --allow-principal User:my-user --operation Read --topic test --group my-group -c my-cluster -n kafka

We get a message: kafkauser.kafka.strimzi.io/my-user configured. But when I look at the spec of the user with the describe command, I do not see any ACLs updated. I still see the following under the spec.

Spec : 
    Authentication: 
         Type: tls 

Now, to make things work, I have two options. 1) Manually update the user resource with $kubectl edit KafkaUser/my-user and make it look like the following:

spec:
    authentication:
        type: tls
    authorization:
        acls: []
        type: simple

And now run the above commands $kfk acls --add --allow-principal User:my-user --operation Read --topic test -c my-cluster -n kafka

Or

$kfk acls --add --allow-principal User:my-user --operation Read --topic test --group my-group -c my-cluster -n kafka

This works and it updates the required ACLs. When I use the describe command I can see that the user's ACLs are updated, and kfk users --list shows that my-user has Read permission on the topic, my-group has read access, etc.

2) The second option is to update the user with alter and add an ACL, and that adds the acls: in the spec.

kfk users --alter --user my-user --authorization-type simple --add-acl --resource-type topic --resource-name my-topic --operation Read -n kafka -c my-cluster

Now if I run the describe command on it or kfk acls, I can see that the ACLs are updated.

And now I can add the group principal:

kfk acls --add --allow-principal user:my-user --operation Read --group readers --topic my-topic -c my-cluster -n kafka

Ideally, I would have expected to add principals for both the users and the group with kfk acls --add.

I hope I am making sense. I think that if we fix https://github.com/systemcraftsman/strimzi-kafka-cli/issues/88, this should get fixed automatically, if we can add an empty list of acls in the spec (like I did manually with kubectl edit).

Please let me know if something is unclear.

Regards, Arpan
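
A post-condition check for the behaviour reported above, as an added example that is not part of the original issue or of the strimzi-kafka-cli code base: it confirms that an expected ACL is really stored in the KafkaUser spec instead of trusting the "configured" message. The JSON documents are constructed samples shaped like the specs quoted in the issue, the function names are hypothetical, and the handling of an `operations` list and of deny rules goes beyond the single case in the post.

```python
import json

# Constructed sample: KafkaUser as it might be returned by
# `kubectl get kafkauser my-user -n kafka -o json` before the workaround.
BEFORE = json.loads("""
{"kind": "KafkaUser", "metadata": {"name": "my-user", "namespace": "kafka"},
 "spec": {"authentication": {"type": "tls"}}}
""")

# Constructed sample: the same user once the ACL has really been stored.
AFTER = json.loads("""
{"kind": "KafkaUser", "metadata": {"name": "my-user", "namespace": "kafka"},
 "spec": {"authentication": {"type": "tls"},
          "authorization": {"type": "simple", "acls": [
            {"resource": {"type": "topic", "name": "test", "patternType": "literal"},
             "operation": "Read"}]}}}
""")


def stored_acls(kafka_user):
    """Return the allow rules in the spec as (resource type, name, operation)."""
    # A missing spec.authorization block (the state in the issue) yields an empty set.
    authz = kafka_user.get("spec", {}).get("authorization") or {}
    found = set()
    for rule in authz.get("acls") or []:
        if rule.get("type", "allow") != "allow":
            continue  # a deny rule must not count as a granted permission
        res = rule.get("resource", {})
        # Rules may carry a single `operation` or an `operations` list.
        ops = list(rule.get("operations") or [])
        if "operation" in rule:
            ops.append(rule["operation"])
        for op in ops:
            found.add((res.get("type"), res.get("name"), op))
    return found


def missing_acls(kafka_user, expected):
    """Expected ACLs that are absent from the resource, sorted."""
    return sorted(set(expected) - stored_acls(kafka_user))


EXPECTED = [("topic", "test", "Read")]

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_acls(doc, EXPECTED))
```

A non-empty result after `kfk acls --add` means the grant did not reach the resource, which is the condition this issue describes.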

mabulgu commented 2 years ago

#33 and #87 are relevant to this. Fixing #33 will fix them all.

mabulgu commented 2 years ago

Closing this one since I will fix this by fixing #33

mabulgu commented 2 years ago

Fix is released with the new version: https://github.com/systemcraftsman/strimzi-kafka-cli/releases/tag/0.1.0-alpha58

Run the following to upgrade your Strimzi CLI version:

sudo pip install strimzi-kafka-cli --upgrade