search

confluentinc / confluent-kafka-python

Confluent's Kafka Python Client
http://docs.confluent.io/current/clients/confluent-kafka-python
Other
135 stars 898 forks source link

Create user for setting ACL rule over topic #1589

Open pchatterjee-cfx opened 1 year ago

pchatterjee-cfx commented 1 year ago

Discussed in https://github.com/confluentinc/confluent-kafka-python/discussions/1583

Originally posted by **pchatterjee-cfx** June 12, 2023 Hi, I am looking for a way to create an owner for a topic and subseqeuently add ACL rules for consuming messages. I do this from CLI as follows: > $ kafka-configs.sh --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=],SCRAM-SHA-512=[password=]' --entity-type users --entity-name > $ kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User: --operation All --resource-pattern-type prefixed --topic I am trying to do the same via code as follows: > # Create topic owner > topic_username = str(attributes.get('topic-username')) > topic_password = str(attributes.get('topic-password')) > #resource = ConfigResource('Users', topic_username) > resource = ConfigResource(ConfigResource.Type.ANY, topic_username) > describe_configs = admin.describe_configs([resource]) > describe_configs['SCRAM-SHA-256'] = f'[iterations=8192,password={topic_password}]' > describe_configs['SCRAM-SHA-512'] = f'[password={topic_password}]' > admin.alter_configs([resource]) > # Create ACL rule > acl = AclBinding(ResourceType.TOPIC, topic_name, > ResourcePatternType.MATCH, f'User:{topic_username}', None, > AclOperation.ALL, AclPermissionType.ALLOW) > admin.create_acls([acl]) Issue is that I dont find `USER` under ResourceType and am unable to add a user configuration. Is there any other way to add a user?

Python library version: confluent-kafka==2.1.1

pranavrth commented 1 year ago

Resource type USER was added as part of KIP-373 which unfortunately is not implemented in the librdkafka/python client.

pchatterjee-cfx commented 1 year ago

Resource type USER was added as part of KIP-373 which unfortunately is not implemented in the librdkafka/python client.

Thanks @pranavrth and appreciate you adding this issue as a planned enhancement. For now, I plan to create ACL rule on a tenant-name prefixed topic and a pre-created tenant user.

Endemoniada commented 1 week ago

Resource type USER was added as part of KIP-373 which unfortunately is not implemented in the librdkafka/python client.

@pranavrth I was just about to open a similar issue, but am I understanding it correctly if I assume that means it's currently not possible to create, for example, producer bandwidth quota configs on a user entity-type/ResourceType either? I was confused at there not being a USER ResourceType, but I guess that would explain it.