topicctl get acls returns an error

[tagirb]

Hi segment.io team,

Thanks for this handy tool! I am trying it out in a Kafka single node test environment now and having the following issue while using the get acls command:

>>> get acls
[2024-04-15 09:13:09] ERROR Error: kafka.(*Client).DescribeACLs: unexpected EOF

Other commands are working well:

>>> get topics
> Topics:
----------------------+------------+-------------+-----------+------------
         NAME         | PARTITIONS | REPLICATION | RETENTION |   RACKS    
                      |            |             |   MINS    | (MIN,MAX)  
----------------------+------------+-------------+-----------+------------
  __consumer_offsets  | 50         | 1           |           | (1,1)      
  _schemas            | 1          | 1           |           | (1,1)      
  topic1              | 2          | 1           |           | (1,1)      
----------------------+------------+-------------+-----------+------------
>>> get brokers
> Brokers:
-------+-----------------------------------------------+------+------+-----------------------
   ID  |                     HOST                      | PORT | RACK |      TIMESTAMP        
-------+-----------------------------------------------+------+------+-----------------------
  1001 | test                                          | 9092 |      | 0001-01-01T00:00:00Z  
-------+-----------------------------------------------+------+------+-----------------------
> Brokers per rack:
-------+--------------
  RACK | NUM BROKERS  
-------+--------------
       | 1            
-------+--------------

I am using the current version of topicctl:

$ topicctl -v
topicctl version v1.16.0 (ref:dev)

As per #135, the ACL management is not supported by topicctl. Does this explain why get acls is not working or is there another reason for that? Would it be possible to fix the get acls command?

Kind regards, Tagir

[petedannemann]

Hi @tagirb, can you try running get acls --debug?

https://github.com/segmentio/topicctl/issues/135 was marked as completed and get acls should be working correctly

I suspect your cluster isn't configured to use ACLs correctly and we may need to make this error more user friendly. Another way to verify if the test cluster configuration is the issue here is to see if you can list ACLs with Kafka's built in kafka-acls.sh script

[tagirb]

Hi @petedannemann, thanks for the quick reply!

The cluster's ACL support seems to be ok as confirmed by the output of kafka-acls:

root@server# kafka-acls --command-config /etc/kafka/admin.conf --bootstrap-server localhost:9092 --list
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=topic, patternType=LITERAL)`: 
    (principal=User:user1, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:user2, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:user1, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:user2, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:user1, host=*, operation=CREATE, permissionType=ALLOW)
...

As requested, here's the output of get acls --debug:

>>> get acls
[2024-04-15 14:00:33] DEBUG DescribeACLs request: {Addr:<nil> Filter:{ResourceTypeFilter:Unknown ResourceNameFilter: ResourcePatternTypeFilter:Unknown PrincipalFilter: HostFilter: Operation:Unknown PermissionType:Unknown}}
Loading: [                    ][2024-04-15 14:00:33] DEBUG DescribeACLs response: <nil> (kafka.(*Client).DescribeACLs: unexpected EOF)
[2024-04-15 14:00:33] ERROR Error: kafka.(*Client).DescribeACLs: unexpected EOF

[petedannemann]

Thanks for the response. Looks like the REPL implementation has an issue with providing the wrong defaults for flags (see all the Unknown filters in the debug logs). I'll try to submit a fix soon. You can use the version outside of the REPL without issue in the meantime

[petedannemann]

Fixed in https://github.com/segmentio/topicctl/releases/tag/v1.16.1

[tagirb]

Awesome, thanks a lot for the quick fix!