ACL host option support
tolikkk opened this issue · 2 comments
In the traditional ACL client (the bundled kafka-acls.sh) it is possible to define a host parameter (IP address) that the ACL will apply to.
ACL for resource options:
- principal
- host
- operation
- permissionType
Example for an ACL with the host option:

```
kafka-acls.sh --bootstrap-server=broker.example.com:9092 --add --allow-principal User:* --allow-host 192.168.1.2 --operation ALL --topic bar1
```

list ACL:

```
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=bar1, patternType=LITERAL)`:
(principal=User:*, host=192.168.1.2, operation=ALL, permissionType=ALLOW)
```
More than that, I see the host option in the julie ACL execution log, and it has the wildcard value `"host" : "*"`.
Example for principal "User:Alice" with consumer access to topic bar1:

```json
{
  "Operation" : "com.purbon.kafka.topology.actions.access.CreateBindings",
  "Bindings" : [ {
    "resourceType" : "GROUP",
    "resourceName" : "*",
    "host" : "*",
    "operation" : "READ",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  }, {
    "resourceType" : "TOPIC",
    "resourceName" : "bar1",
    "host" : "*",
    "operation" : "READ",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  }, {
    "resourceType" : "TOPIC",
    "resourceName" : "bar1",
    "host" : "*",
    "operation" : "DESCRIBE",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  } ]
}
```
Is it possible to use the "host" option in the topology ACL configuration, like this?
```yaml
context: "example"
projects:
  - name: "kafka"
    topics:
      - name: "bar1"
        config:
          retention.ms: "604800000"
    consumers:
      - principal: "User:Alice"
        host: "1.2.3.4"
```
Or maybe there is some other way to do it?
I found the solution. It can be done via Custom JulieRoles - https://julieops.readthedocs.io/en/latest/futures/define-custom-roles.html
Steps:
- describe the custom ACL in roles.yml
```yaml
roles:
  - name: "custom_acl"
    acls:
      - resourceType: "Topic"
        resourceName: "bar1"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "READ"
        permissionType: "ALLOW"
      - resourceType: "Topic"
        resourceName: "bar1"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "DESCRIBE"
      - resourceType: "Group"
        resourceName: "*"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "READ"
```
- set the custom role in the topology config
```yaml
context: "example"
projects:
  - name: "kafka"
    custom_acl:
      - principal: "User:Alice"
    topics:
      - name: "bar1"
        config:
          retention.ms: "604800000"
```
- set the custom ACL path in the config

```
julie.roles=/roles.yml
```
Yes, this is "the way" for now. But somehow I agree with you that introducing this to the other abstractions is a good idea. However, in my own bubble, the host is not usually a config that is used often, as IPs can and will certainly change.
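To make the two configurations in this thread concrete, here is an added example (my own code, not part of JulieOps or of this issue) that expands the custom role from roles.yml against the topology's `custom_acl` members into bindings in the same field layout as the CreateBindings log above, compares them with the host-wildcard bindings the built-in `consumers` role produced, and renders each binding as the equivalent `kafka-acls.sh` command for review. The roles and topology are embedded as plain dicts mirroring the YAML in the thread, so PyYAML is not needed. The function names, the uppercasing of `resourceType`, and the fallback to `"*"` when a custom ACL omits `host` are my assumptions, not documented JulieOps behaviour.

```python
"""Expand JulieOps-style custom roles into ACL bindings and flag wildcard hosts.

Added example, not JulieOps code. Data below is a constructed copy of the
roles.yml and topology posted in the thread.
"""
from typing import Dict, List

# Constructed copy of roles.yml from the thread.
ROLES = {
    "roles": [
        {
            "name": "custom_acl",
            "acls": [
                {"resourceType": "Topic", "resourceName": "bar1", "patternType": "LITERAL",
                 "host": "1.2.3.4", "operation": "READ", "permissionType": "ALLOW"},
                {"resourceType": "Topic", "resourceName": "bar1", "patternType": "LITERAL",
                 "host": "1.2.3.4", "operation": "DESCRIBE"},
                {"resourceType": "Group", "resourceName": "*", "patternType": "LITERAL",
                 "host": "1.2.3.4", "operation": "READ"},
            ],
        }
    ]
}

# Constructed copy of the topology from the thread (custom_acl variant).
TOPOLOGY = {
    "context": "example",
    "projects": [
        {"name": "kafka",
         "custom_acl": [{"principal": "User:Alice"}],
         "topics": [{"name": "bar1", "config": {"retention.ms": "604800000"}}]}
    ],
}


def expand_custom_roles(topology: Dict, roles: Dict) -> List[Dict]:
    """One binding per (project member of a role, ACL in that role), log-style fields."""
    role_index = {r["name"]: r["acls"] for r in roles["roles"]}
    bindings = []
    for project in topology["projects"]:
        for role_name, acls in role_index.items():
            for member in project.get(role_name, []):      # e.g. project["custom_acl"]
                for acl in acls:
                    bindings.append({
                        "resourceType": acl["resourceType"].upper(),   # assumption: log uses TOPIC/GROUP
                        "resourceName": acl["resourceName"],
                        "host": acl.get("host", "*"),                  # assumption: missing host -> wildcard
                        "operation": acl["operation"],
                        "principal": member["principal"],
                        "pattern": acl.get("patternType", "LITERAL"),
                        "permissionType": acl.get("permissionType", "ALLOW"),
                    })
    return bindings


def builtin_consumer_bindings(principal: str, topic: str) -> List[Dict]:
    """The three bindings the thread's log shows for the built-in `consumers` role.

    Reproduced from the CreateBindings JSON above: host is always "*".
    """
    base = {"host": "*", "principal": principal, "pattern": "LITERAL", "permissionType": "ALLOW"}
    return [
        {"resourceType": "GROUP", "resourceName": "*", "operation": "READ", **base},
        {"resourceType": "TOPIC", "resourceName": topic, "operation": "READ", **base},
        {"resourceType": "TOPIC", "resourceName": topic, "operation": "DESCRIBE", **base},
    ]


def wildcard_host_bindings(bindings: List[Dict]) -> List[Dict]:
    """Review check: bindings that are not restricted to a host."""
    return [b for b in bindings if b["host"] == "*"]


def to_kafka_acls_args(binding: Dict, bootstrap: str = "broker.example.com:9092") -> List[str]:
    """Render a binding as the equivalent kafka-acls.sh invocation, for diffing against a broker."""
    side = "allow" if binding.get("permissionType", "ALLOW") == "ALLOW" else "deny"
    resource_flag = {"TOPIC": "--topic", "GROUP": "--group", "CLUSTER": "--cluster"}[binding["resourceType"]]
    args = ["kafka-acls.sh", f"--bootstrap-server={bootstrap}", "--add",
            f"--{side}-principal", binding["principal"],
            f"--{side}-host", binding["host"],
            "--operation", binding["operation"],
            resource_flag]
    if binding["resourceType"] != "CLUSTER":     # --cluster takes no value
        args.append(binding["resourceName"])
    args += ["--resource-pattern-type", binding["pattern"].lower()]
    return args


if __name__ == "__main__":
    custom = expand_custom_roles(TOPOLOGY, ROLES)
    builtin = builtin_consumer_bindings("User:Alice", "bar1")
    print(f"custom role: {len(custom)} bindings, {len(wildcard_host_bindings(custom))} with host=*")
    print(f"built-in consumers: {len(builtin)} bindings, {len(wildcard_host_bindings(builtin))} with host=*")
    for b in custom:
        print(" ".join(to_kafka_acls_args(b)))
```

The `wildcard_host_bindings` check is the part worth wiring into a CI step: it lets a reviewer see, before JulieOps applies anything, which bindings were produced by built-in roles and therefore grant access from any host, and which came from a custom role with an explicit `host`. The maintainer's point above about IPs changing applies in reverse as well: once hosts are pinned, the same check can be used to spot bindings whose pinned host no longer matches the principal's actual source address.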