...
Currently, kafka-acls.sh adds ACL rules whose --allow-host field accepts only a single IP address or *. If a user wants to authorize a batch of IPs, one ACL rule has to be added per IP, even though these IPs usually belong to the same network segment. I want to allow a network segment to be set in the host field of an ACL, so that a single rule allows (or denies) access to the topic for every IP within that segment.
Public Interfaces
The public interface changes fall into two parts: the command-line tool and the server-side interfaces. The interface changes in this KIP are mainly on the command line, in bin/kafka-acls.sh:
LITERAL type ACL:
- bin/kafka-acls.sh --bootstrap-server 10.0.0.92:9092 --add --allow-principal User:test1 --allow-host 192.0.1.2 --producer --topic topic
- bin/kafka-acls.sh --bootstrap-server 10.0.0.92:9092 --add --allow-principal User:test1 --allow-host 192.0.1.2/21 --producer --topic topic
PREFIXED type ACL:
- bin/kafka-acls.sh --bootstrap-server 10.0.0.92:9092 --add --allow-principal User:test1 --allow-host 192.0.1.1 --producer --topic topic --resource-pattern-type prefixed
- bin/kafka-acls.sh --bootstrap-server 10.0.0.92:9092 --add --allow-principal User:test1 --allow-host 127.0.0.1/22 --producer --topic topic --resource-pattern-type prefixed
...
Proposed Changes
Option | Description (old) | Description (new)
---|---|---
--allow-host <String: allow-host> | Host from which principals listed in --allow-principal will have access. If you have specified --allow-principal then the default for this option will be set to * which allows access from all hosts. | Host from which principals listed in --allow-principal will have access. Host supports both a single IP address and a network segment in CIDR notation, e.g. 192.0.0.1 or 192.0.0.1/20. If you have specified --allow-principal then the default for this option will be set to * which allows access from all hosts.
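To make the matching semantics concrete, the following is an added example written for this page, not Kafka's own authorizer code: a small Python model of ACL host matching in which the host field may be *, a single IP, or a CIDR segment, combined with Kafka's existing rule that a matching DENY entry overrides any ALLOW entry. The AclEntry type, the authorize function and the SAMPLE_ACLS rules are assumptions made for the illustration; the segment 192.0.1.2/21 is taken from the KIP's own command examples.

```python
"""Model of Kafka ACL host matching with CIDR segments (added example, not Kafka code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_host(host: str) -> Optional[Network]:
    """Parse an ACL host field. Returns None for the wildcard "*".

    A bare IP becomes a /32 (or /128) network so that literal and segment
    entries are matched by the same code path. strict=False accepts entries
    whose host bits are set (the KIP's 192.0.1.2/21) and normalises them to
    the containing network, here 192.0.0.0/21.
    """
    host = host.strip()
    if host == "*":
        return None
    return ipaddress.ip_network(host, strict=False)


def host_matches(acl_host: str, client_ip: str) -> bool:
    """True if the client's peer address falls inside the ACL host entry."""
    net = parse_host(acl_host)
    if net is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    if addr.version != net.version:
        # A client on a dual-stack listener may show up as an IPv4-mapped
        # IPv6 address (::ffff:a.b.c.d); treat it as the embedded IPv4 host.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is None:
            return False
        addr = mapped
    return addr in net


@dataclass(frozen=True)
class AclEntry:  # hypothetical stand-in for a Kafka AclBinding
    principal: str
    host: str
    permission: str  # "ALLOW" or "DENY"


def authorize(acls: List[AclEntry], principal: str, client_ip: str) -> bool:
    """Return True if access is allowed. DENY beats ALLOW; no match at all is a deny."""
    matching = [a for a in acls
                if a.principal == principal and host_matches(a.host, client_ip)]
    if any(a.permission == "DENY" for a in matching):
        return False
    return any(a.permission == "ALLOW" for a in matching)


# Constructed sample rules (hypothetical). The CIDR entry is the kind of
# rule this KIP makes possible; the DENY entry carves one host back out.
SAMPLE_ACLS = [
    AclEntry("User:test1", "192.0.1.2/21", "ALLOW"),  # normalises to 192.0.0.0/21
    AclEntry("User:test1", "192.0.3.7", "DENY"),
    AclEntry("User:test2", "*", "ALLOW"),
]

if __name__ == "__main__":
    for who, ip in [("User:test1", "192.0.5.9"), ("User:test1", "192.0.3.7"),
                    ("User:test1", "192.0.8.1"), ("User:test2", "10.1.2.3")]:
        print(who, ip, "ALLOW" if authorize(SAMPLE_ACLS, who, ip) else "DENY")
```

Two points a practitioner should check before relying on segment rules. First, `strict=False` silently clears the host bits, so the KIP's example `192.0.1.2/21` becomes `192.0.0.0/21` and admits 2,048 addresses; the tool should echo the normalised network when the rule is added so the operator can confirm it is the segment intended. Second, the address being matched is the peer address the broker sees, so clients connecting through NAT or a proxy all appear to come from the proxy's segment and a segment rule grants or denies them as a group.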
...