kafka-ops / julie

A solution to help you build automation and gitops in your Apache Kafka deployments. The Kafka gitops!
MIT License

ACL host option support #519

Open tolikkk opened 2 years ago

tolikkk commented 2 years ago

In the traditional ACL client (the bundled kafka-acls.sh) it is possible to define a host parameter (IP address) that the ACL applies to.

ACL for resource options:

Example for an ACL with the host option: kafka-acls.sh --bootstrap-server=broker.example.com:9092 --add --allow-principal User:* --allow-host 192.168.1.2 --operation ALL --topic bar1

list ACLs:

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=bar1, patternType=LITERAL)`:
    (principal=User:*, host=192.168.1.2, operation=ALL, permissionType=ALLOW)

More than that, I see the host option in the julie ACL execution log, and it has the wildcard value "host" : "*". Example for principal "User:Alice" with consumer access to topic bar1:

{
  "Operation" : "com.purbon.kafka.topology.actions.access.CreateBindings",
  "Bindings" : [ {
    "resourceType" : "GROUP",
    "resourceName" : "*",
    "host" : "*",
    "operation" : "READ",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  }, {
    "resourceType" : "TOPIC",
    "resourceName" : "bar1",
    "host" : "*",
    "operation" : "READ",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  }, {
    "resourceType" : "TOPIC",
    "resourceName" : "bar1",
    "host" : "*",
    "operation" : "DESCRIBE",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  } ]
}

Is it possible to use the "host" option in the topology ACL configuration, like this?

context: "example"
projects:
  - name: "kafka"
    topics:
      - name: "bar1"
        config:
          retention.ms: "604800000"
        consumers:
          - principal: "User:Alice"
            host: "1.2.3.4"

Or maybe there is some other way to do it?

tolikkk commented 2 years ago

I found the solution. It can be done via Custom JulieRoles - https://julieops.readthedocs.io/en/latest/futures/define-custom-roles.html

Steps: 1) describe the custom ACL in roles.yml

roles:
  - name: "custom_acl"
    acls:
      - resourceType: "Topic"
        resourceName: "bar1"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "READ"
        permissionType: "ALLOW"
      - resourceType: "Topic"
        resourceName: "bar1"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "DESCRIBE"
      - resourceType: "Group"
        resourceName: "*"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "READ"

2) set the custom role in the topology config

context: "example"
projects:
  - name: "kafka"
    custom_acl:
      - principal: "User:Alice"
    topics:
      - name: "bar1"
        config:
          retention.ms: "604800000"

3) set the custom ACL path in the config: julie.roles=/roles.yml
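After wiring up a custom role like the one above, the place to confirm it actually produced host-restricted bindings is the CreateBindings JSON that julie writes to its execution log (the same shape quoted earlier in this issue). The script below is an added example, not code from the julie project: it decodes back-to-back JSON records in that shape and reports every binding whose host is the wildcard "*" (or, when an allow-list is given, any host outside it) and every binding for the wildcard principal User:*. The sample log is constructed from this issue's example, with one extra DESCRIBE binding assumed to come from the custom_acl role; the "missing host means unrestricted" rule is a conservative assumption of the lint, not something the project documents.

```python
"""Lint julie's ACL execution log for host-unrestricted bindings.

Added example (not code from the julie project). It parses the JSON
records julie writes for a CreateBindings action, in the shape shown in
this issue, and flags bindings whose host is the wildcard "*" (or, with an
allow-list, any host outside it) and bindings for the principal "User:*".
The sample log is constructed from the issue's example.
"""
import json

CREATE_BINDINGS = "com.purbon.kafka.topology.actions.access.CreateBindings"

# Constructed sample log: the issue's consumer bindings for User:Alice (host "*")
# plus one binding assumed to come from a custom role that sets host "1.2.3.4".
SAMPLE_LOG = """
{ "Operation" : "com.purbon.kafka.topology.actions.access.CreateBindings",
  "Bindings" : [
    { "resourceType" : "GROUP", "resourceName" : "*", "host" : "*",
      "operation" : "READ", "principal" : "User:Alice", "pattern" : "LITERAL", "scope" : null },
    { "resourceType" : "TOPIC", "resourceName" : "bar1", "host" : "*",
      "operation" : "READ", "principal" : "User:Alice", "pattern" : "LITERAL", "scope" : null } ] }
{ "Operation" : "com.purbon.kafka.topology.actions.access.CreateBindings",
  "Bindings" : [
    { "resourceType" : "TOPIC", "resourceName" : "bar1", "host" : "1.2.3.4",
      "operation" : "DESCRIBE", "principal" : "User:Alice", "pattern" : "LITERAL", "scope" : null } ] }
"""


def parse_records(text):
    """Decode back-to-back JSON objects (one pretty-printed object per logged action)."""
    decoder = json.JSONDecoder()
    pos, records = 0, []
    while True:
        while pos < len(text) and text[pos].isspace():  # skip whitespace between objects
            pos += 1
        if pos >= len(text):
            return records
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)


def iter_bindings(records):
    """Yield every binding of every CreateBindings record; other actions are ignored."""
    for rec in records:
        if rec.get("Operation") == CREATE_BINDINGS:
            yield from rec.get("Bindings", [])


def binding_id(b):
    """Human-readable identity of a binding, used in the findings."""
    return "{principal} {operation} {resourceType}:{resourceName} ({pattern}) host={host}".format(**b)


def lint_bindings(records, allowed_hosts=None):
    """Return [(binding_id, [reasons])] for bindings a host-restricted policy should reject.

    allowed_hosts: optional set of client IPs. When given, a non-wildcard host outside
    the set is reported too, which catches a stale address after a client re-IP.
    """
    findings = []
    for b in iter_bindings(records):
        reasons = []
        host = b.get("host", "*")  # assumption: a missing host is treated as unrestricted
        if host == "*":
            reasons.append("host wildcard: binding applies from any client address")
        elif allowed_hosts is not None and host not in allowed_hosts:
            reasons.append(f"host {host} not in allow-list")
        if b.get("principal") == "User:*":
            reasons.append("principal wildcard: binding applies to every authenticated user")
        if reasons:
            findings.append((binding_id(b), reasons))
    return findings


def lint_log(text, allowed_hosts=None):
    """Convenience wrapper: lint raw log text."""
    return lint_bindings(parse_records(text), allowed_hosts)


if __name__ == "__main__":
    for ident, reasons in lint_log(SAMPLE_LOG):
        print(ident, "->", "; ".join(reasons))
```

On the sample, the two consumer bindings generated from the plain consumers: block are reported (host "*"), while the DESCRIBE binding from the custom role passes; passing an allow-list that does not contain 1.2.3.4 makes it fail as well. Running this over the log of a dry run before applying a topology turns the host restriction into a reviewable gate rather than something to notice after the fact.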

purbon commented 2 years ago

Yes, this is "the way" for now. But somehow I agree with you that introducing this to the other abstractions is a good idea. However, in my own bubble, the host is not usually a config that is often used, as the IP can and will certainly change.