...

This page is meant as a template for writing a KIP. To create a KIP choose Tools->Copy on this page and modify with your content and replace the heading with the next KIP number and a description of your issue. Replace anything in italics with your own description.

Status

Current state: Adopted

Discussion thread: here 

JIRA: here 

...

We propose a new optional argument "--principal" to list the ACLs for the specified principals.

Public Interfaces

The kafka-acls.sh script's "--list" option supports an optional "--principal" argument with the following specification:

    val listPrincipalsOpt = parser.accepts("principal", "List ACLs for the specified principal. principal is in principalType:name format." +
      " Note that principalType must be supported by the Authorizer being used. Multiple principal options can be passed.")
      .withOptionalArg()
      .describedAs("principal")
      .ofType(classOf[String])

...

>> sh kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --principal User:User1 --principal User:User2
ACLs for principal `User:User1`
Current ACLs for resource `Group:PREFIXED:TEST_GROUP`:
 	User:User1 has Allow permission for operations: Read from hosts: *

Current ACLs for resource `Topic:PREFIXED:TEST_TOPIC`:
 	User:User1 has Allow permission for operations: Read from hosts: *
	User:User1 has Allow permission for operations: Create from hosts: *
	User:User1 has Allow permission for operations: Write from hosts: *
	User:User1 has Allow permission for operations: Describe from hosts: *


ACLs for principal `User:User2`
Current ACLs for resource `Group:PREFIXED:TEST_GROUP`:
 	User:User2 has Allow permission for operations: Read from hosts: *

Current ACLs for resource `Topic:PREFIXED:TEST_TOPIC`:
 	User:User2 has Allow permission for operations: Read from hosts: *
	User:User2 has Allow permission for operations: Create from hosts: *
	User:User2 has Allow permission for operations: Write from hosts: *
	User:User2 has Allow permission for operations: Describe from hosts: *

Proposed Changes

AclCommand with Authorizer Interface:

The Authorizer interface already has a method to get the ACLs for a given principal.
We will use this method to fetch the ACLs and filter the results for the requested resources.

    trait Authorizer {
      // Returns every ACL attached to the given principal, keyed by resource.
      def getAcls(principal: KafkaPrincipal): Map[Resource, Set[Acl]]
    }

AclCommand with AdminClient API:

Currently the AdminClient API doesn't have an API to fetch ACLs for a given principal.
So when using AclCommand with the AdminClient API (KIP-332: Update AclCommand to use AdminClient API),
we just filter the results returned from the describeAcls API.

We can add a new AdminClient API or a new DescribeAclsRequest if required in the future.
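
The client-side filtering described above, sketched as an added example (not the AclCommand code from the Kafka project). The object name, the helper `aclsByPrincipal`, the broker address and the principal names are assumptions; the separate `User:*` report is an addition beyond the KIP, included because SimpleAclAuthorizer applies ACLs on that principal to every user.

```scala
import java.util.Properties
import org.apache.kafka.clients.admin.{AdminClient, AdminClientConfig}
import org.apache.kafka.common.acl.{AccessControlEntry, AclBinding, AclBindingFilter}
import org.apache.kafka.common.resource.ResourcePattern
import scala.collection.JavaConverters._

object ListAclsByPrincipal { // hypothetical name, for illustration only
  // ACLs on this principal apply to all users under SimpleAclAuthorizer, so an
  // exact-match listing for User:User1 alone under-reports effective access.
  val WildcardPrincipal = "User:*"

  /** Client-side filter: principal -> resource -> entries, requested principals only. */
  def aclsByPrincipal(bindings: Iterable[AclBinding], principals: Set[String])
      : Map[String, Map[ResourcePattern, Set[AccessControlEntry]]] =
    bindings
      .filter(b => principals.contains(b.entry.principal))
      .groupBy(_.entry.principal)
      .map { case (principal, bs) =>
        principal -> bs.groupBy(_.pattern).map { case (res, rs) => res -> rs.map(_.entry).toSet }
      }

  def main(args: Array[String]): Unit = {
    val props = new Properties()
    props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9092") // assumed broker address
    val admin = AdminClient.create(props)
    try {
      // Fetch every binding, then filter locally, as the KIP describes.
      val all = admin.describeAcls(AclBindingFilter.ANY).values().get().asScala
      val requested = Set("User:User1", "User:User2") // sample principals
      val grouped = aclsByPrincipal(all, requested + WildcardPrincipal)
      for (principal <- requested.toSeq.sorted :+ WildcardPrincipal) {
        println(s"ACLs for principal `$principal`")
        grouped.get(principal).foreach { byResource =>
          byResource.foreach { case (resource, entries) =>
            println(s"Current ACLs for resource `$resource`:")
            entries.foreach(e => println(s"\t$e"))
          }
        }
        println()
      }
    } finally admin.close()
  }
}
```

Because the filter runs on the client, the caller needs permission to describe all ACLs on the cluster, and the full ACL set crosses the wire on every call.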

Compatibility, Deprecation, and Migration Plan

...