segmentio / topicctl

Tool for declarative management of Kafka topics
MIT License

Get acls subcommand #150

Closed petedannemann closed 12 months ago

petedannemann commented 1 year ago

This PR adds the get acls subcommand. Its behavior was based heavily on Kafka's built-in kafka-acls.sh --list script. It supports filtering on various fields so that users can answer questions related to which services have access to which resources.

This PR also fixes flaky test failures like this one by adding some sleep time in a test.

Examples:

$ topicctl get acls --cluster-config examples/local-cluster/cluster.yaml --help
Displays information for ACLs in the cluster. Supports filtering with flags.

Usage:
  topicctl get acls [flags]

Examples:
List all acls
$ topicctl get acls

List read acls for topic my-topic
$ topicctl get acls --resource-type topic --resource-name my-topic --operations read

List acls for user Alice with permission allow
$ topicctl get acls --principal User:alice --permission-type allow

List acls for host 198.51.100.0
$ topicctl get acls --host 198.51.100.0

Flags:
  -h, --help                                help for acls
      --host string                         The host to filter on. (e.g. 198.51.100.0)
      --operation ACLOperationType          The operation that is being allowed or denied to filter on. allowed: "any", "all", "read", "write", "create", "delete", "alter", "describe", "clusteraction", "describeconfigs", "alterconfigs" or "idempotentwrite" (default any)
      --permission-type ACLPermissionType   The permission type to filter on. allowed: "any", "allow", or "deny" (default any)
      --principal string                    The principal to filter on in principalType:name format (e.g. User:alice).
      --resource-name string                The resource name to filter on. (e.g. my-topic)
      --resource-pattern-type PatternType   The type of the resource pattern or filter. allowed: "any", "match", "literal", "prefixed". "any" will match any pattern type (literal or prefixed), but will match the resource name exactly, where as "match" will perform pattern matching to list all acls that affect the supplied resource(s). (default any)
      --resource-type ResourceType          The type of resource to filter on. allowed: "any", "topic", "group", "cluster", "transactionalid", "delegationtoken" (default any)
$ topicctl get acls --cluster-config examples/local-cluster/cluster.yaml
[2023-09-15 18:28:46]  INFO ACLs:
----------------+--------------+---------------+------------+---------+-----------+------------------
  RESOURCE TYPE | PATTERN TYPE | RESOURCE NAME | PRINCIPAL  |  HOST   | OPERATION | PERMISSION TYPE
----------------+--------------+---------------+------------+---------+-----------+------------------
  group         | literal      | junk3         | User:foo5  | 1.2.3.4 | all       | deny
  group         | literal      | junk3         | User:foo5  | 1.2.3.7 | all       | deny
  group         | literal      | junk3         | User:foo2  | 1.2.3.4 | read      | allow
  topic         | prefixed     | team1_        | User:team2 | *       | all       | deny
  topic         | literal      | junk          | User:foo5  | 1.2.3.4 | all       | deny
  topic         | literal      | junk          | User:foo2  | 1.2.3.4 | read      | allow
  topic         | literal      | junk          | User:foo2  | 1.2.3.4 | describe  | allow
  topic         | literal      | junk          | User:foo5  | 1.2.3.7 | all       | deny
  topic         | literal      | foo           | User:alice | *       | describe  | allow
  topic         | literal      | foo           | User:alice | *       | create    | allow
  topic         | literal      | foo           | User:alice | *       | write     | allow
----------------+--------------+---------------+------------+---------+-----------+------------------
$ topicctl get acls --cluster-config examples/local-cluster/cluster.yaml --resource-type topic --resource-pattern-type literal --resource-name junk --permission-type allow --operation describe
[2023-09-15 18:28:30]  INFO ACLs:
----------------+--------------+---------------+-----------+---------+-----------+------------------
  RESOURCE TYPE | PATTERN TYPE | RESOURCE NAME | PRINCIPAL |  HOST   | OPERATION | PERMISSION TYPE
----------------+--------------+---------------+-----------+---------+-----------+------------------
  topic         | literal      | junk          | User:foo2 | 1.2.3.4 | describe  | allow
----------------+--------------+---------------+-----------+---------+-----------+------------------
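
The difference between the "any" and "match" values of --resource-pattern-type described in the help text, shown as an added Go sketch that is not part of this PR or of topicctl's code. The `ACL` type, `eq`, `nameMatches` and `Select` are hypothetical names, the treatment of the `*` literal follows Kafka's resource pattern filter, and `team1_orders` is a constructed topic name.

```go
package main

import (
	"fmt"
	"strings"
)

// ACL is one row of the table; as a filter, "" or "any" in a field means "no constraint".
type ACL struct{ Type, Pattern, Name, Principal, Host, Op, Perm string }

func eq(want, got string) bool { return want == "" || want == "any" || want == got }

// nameMatches applies the --resource-pattern-type rules quoted in the help text.
func nameMatches(f, a ACL) bool {
	switch {
	case f.Pattern == "match" && f.Name == "":
		return true
	case f.Pattern == "match" && a.Pattern == "prefixed":
		return strings.HasPrefix(f.Name, a.Name) // a prefix that covers the resource
	case f.Pattern == "match":
		return a.Name == f.Name || a.Name == "*" // exact literal, or the wildcard literal
	}
	return eq(f.Pattern, a.Pattern) && (f.Name == "" || a.Name == f.Name)
}

// Select returns the rows a filter would list; every other field compares exactly.
func Select(acls []ACL, f ACL) []ACL {
	var out []ACL
	for _, a := range acls {
		if eq(f.Type, a.Type) && nameMatches(f, a) && eq(f.Principal, a.Principal) &&
			eq(f.Host, a.Host) && eq(f.Op, a.Op) && eq(f.Perm, a.Perm) {
			out = append(out, a)
		}
	}
	return out
}

// Sample holds rows from the PR's sample output; team1_orders below is a constructed name.
var Sample = []ACL{
	{"topic", "prefixed", "team1_", "User:team2", "*", "all", "deny"},
	{"topic", "literal", "junk", "User:foo2", "1.2.3.4", "read", "allow"},
	{"topic", "literal", "junk", "User:foo2", "1.2.3.4", "describe", "allow"},
	{"topic", "literal", "foo", "User:alice", "*", "write", "allow"},
}

func main() {
	fmt.Println("any:  ", Select(Sample, ACL{Type: "topic", Name: "team1_orders"}))
	fmt.Println("match:", Select(Sample, ACL{Type: "topic", Pattern: "match", Name: "team1_orders"}))
}
```

With "any" the prefixed deny on `team1_` is not listed for `team1_orders`, while "match" lists it. In this model, as in Kafka's ACL filters, a host filter of `1.2.3.4` does not list rows whose host is `*`, even though those ACLs also apply to that host.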

petedannemann commented 1 year ago

Need to add this to the repl

petedannemann commented 12 months ago

@hhahn-tw, since your last review I added repl support, bumped to the released version of kafka-go, and changed CreateACL to CreateACLs, as that will be more useful in later PRs.