[ https://issues.apache.org/jira/browse/KAFKA-3790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314474#comment-15314474 ]
ASF GitHub Bot commented on KAFKA-3790:
---------------------------------------

GitHub user slaunay opened a pull request:

    https://github.com/apache/kafka/pull/1468

    KAFKA-3790: Allow for removal of non specific ACLs

    - remove ACLs with `aclMatch()` rather than `Object#equals(Object)`
    - remove unused session argument from `aclMatch()` to reuse it in `removeAcls()`
    - update test case for ACL removal management
    - change test method `changeAclAndVerify(...)` to use an expected `Set` of ACLs rather than relying on `Object#equals(Object)`

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/slaunay/kafka bugfix/KAFKA-3790-remove-acls-matching-wildcard

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/1468.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1468

----
commit cd2934579ae49afad92eda5f6e36069e2f1d63d4
Author: Sebastien Launay <sebast...@opendns.com>
Date:   2016-06-02T20:29:11Z

    KAFKA-3790: Allow for removal of non specific ACLs

    - remove ACLs with aclMatch() rather than Object#equals(Object)
    - remove unused session argument from aclMatch() to reuse it in removeAcls()
    - update test case for ACL removal management
    - change test method changeAclAndVerify(...) to use an expected Set of ACLs rather than relying on Object#equals(Object)

----

> Default options when removing ACLs do not comply with documentation
> -------------------------------------------------------------------
>
>                 Key: KAFKA-3790
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3790
>             Project: Kafka
>          Issue Type: Bug
>   Affects Versions: 0.9.0.1, 0.10.0.0
>            Reporter: Sébastien Launay
>            Priority: Minor
>
> When removing ACLs without providing options like principal, host or
> operation, we got a prompt for removing all the matching ACLs but when
> executing the command none get removed.
> The following commands can be used to reproduce the inconsistency:
> {noformat}
> $ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 -list -topic test
> Current ACLs for resource `Topic:test`:
> $ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Alice --operation Write --topic test --allow-host 1.2.3.4
> Adding ACLs for resource `Topic:test`:
>     User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4
> Current ACLs for resource `Topic:test`:
>     User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4
> $ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:Alice --topic test
> Are you sure you want to remove ACLs:
>     User:Alice has Allow permission for operations: All from hosts: *
>  from resource `Topic:test`? (y/n)
> y
> Current ACLs for resource `Topic:test`:
>     User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4
> {noformat}
> *The Current ACLs for resource {{Topic:test}} is expected to be empty after
> the last command.*
> Only a specific ACL (when all options mentioned above are provided) or else
> all the ACLs for a given resource (none of the options mentioned above are
> provided) can get removed as shown by the following code snippets:
> {noformat}
> // AclCommand.scala
> ...
>   private def removeAcl(opts: AclCommandOptions) {
>     withAuthorizer(opts) { authorizer =>
>       val resourceToAcl = getResourceToAcls(opts)
>       for ((resource, acls) <- resourceToAcl) {
>         if (acls.isEmpty) {
>           if (confirmAction(opts, s"Are you sure you want to delete all ACLs for resource `${resource}`? (y/n)"))
>             authorizer.removeAcls(resource)
>         } else {
>           if (confirmAction(opts, s"Are you sure you want to remove ACLs: $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline from resource `${resource}`? (y/n)"))
>             authorizer.removeAcls(acls, resource)
>         }
>       }
>       listAcl(opts)
>     }
>   }
> ...
> // SimpleAclAuthorizer.scala
> ...
>   override def removeAcls(aclsTobeRemoved: Set[Acl], resource: Resource): Boolean = {
>     inWriteLock(lock) {
>       updateResourceAcls(resource) { currentAcls =>
>         currentAcls -- aclsTobeRemoved
>       }
>     }
>   }
> {noformat}
> A workaround consists of listing the ACL in order to know which exact one to
> remove which makes the automation of ACL management trickier.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
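
The mismatch described in the report, as an added example that is neither Kafka's code nor the pull request's: a simplified Scala model showing why set difference on `equals` leaves Alice's grant in place after a wildcard removal, next to a match-based removal that revokes it. The `Acl` case class with string fields and the names `matches`, `removeByEquality` and `removeByMatch` are assumptions made for illustration.

```scala
// Added example: a simplified model, not Kafka's Acl or SimpleAclAuthorizer.
object AclRemovalDemo {
  val WildcardHost = "*"
  val AllOps = "All"

  // Hypothetical stand-in for an ACL entry (plain strings instead of typed fields).
  final case class Acl(principal: String, permission: String, host: String, operation: String)

  // Behaviour quoted in the report: set difference relies on equals(), so a
  // wildcard filter only removes an entry that is itself stored as a wildcard.
  def removeByEquality(current: Set[Acl], toRemove: Set[Acl]): Set[Acl] =
    current -- toRemove

  // Hypothetical matcher: the filter is the pattern, the stored ACL is the value.
  // Principal and permission type must be equal; host and operation may be wildcards.
  def matches(filter: Acl, acl: Acl): Boolean =
    filter.principal == acl.principal &&
      filter.permission == acl.permission &&
      (filter.host == WildcardHost || filter.host == acl.host) &&
      (filter.operation == AllOps || filter.operation == acl.operation)

  // Match-based removal: drop every stored ACL covered by at least one filter.
  def removeByMatch(current: Set[Acl], filters: Set[Acl]): Set[Acl] =
    current.filterNot(acl => filters.exists(f => matches(f, acl)))

  def main(args: Array[String]): Unit = {
    // Constructed sample data mirroring the reproduction steps, plus one
    // unrelated grant that must survive the removal.
    val alice = Acl("User:Alice", "Allow", "1.2.3.4", "Write")
    val bob = Acl("User:Bob", "Allow", "1.2.3.4", "Read")
    val stored = Set(alice, bob)
    // What `--remove --allow-principal User:Alice --topic test` is shown to expand to.
    val filter = Set(Acl("User:Alice", "Allow", WildcardHost, AllOps))

    val afterEquality = removeByEquality(stored, filter)
    val afterMatch = removeByMatch(stored, filter)

    assert(afterEquality == stored) // nothing removed: the reported behaviour
    assert(afterMatch == Set(bob))  // Alice's grant revoked, Bob's untouched
    println(s"equality-based removal leaves ${afterEquality.size} ACLs")
    println(s"match-based removal leaves ${afterMatch.size} ACL")
  }
}
```

Because the equality-based path confirms the prompt and then leaves the grant in place, listing the ACLs after a removal is the check that shows whether a revocation took effect.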