[
https://issues.apache.org/jira/browse/KAFKA-8536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867346#comment-16867346
]
Evelyn Bayes commented on KAFKA-8536:
-------------------------------------
Notes:
[https://github.com/apache/kafka/pull/6263]
Looks like it was fixed in trunk and intended for 2.2 but I'm not sure if it
ever made it in there
Reproduce
kafka-acls --bootstrap-server <> --add --allow-principal <> --topic <>
--operation "Alter"
h2. Error
ResourceType TOPIC only supports operations
Read,All,AlterConfigs,DescribeConfigs,Delete,Write,Create,Describe
h2. Code 2.2 (and other versions) showing it broken
*./core/src/main/scala/kafka/admin/AclCommand.scala*
_private def validateOperation(opts: AclCommandOptions, resourceToAcls:
Map[ResourcePatternFilter, Set[Acl]]): Unit = {_
_for ((resource, acls) <- resourceToAcls) {_
_val validOps = ResourceTypeToValidOperations(resource.resourceType)_
_if ((acls.map(_.operation) -- validOps).nonEmpty)_
_CommandLineUtils.printUsageAndDie(opts.parser, s"ResourceType
${resource.resourceType} only supports operations ${validOps.mkString(",")}")_
_}_
_}_
_val ResourceTypeToValidOperations: Map[JResourceType, Set[Operation]] =
Map[JResourceType, Set[Operation]](_
_JResourceType.TOPIC -> Set(Read, Write, Create, Describe, Delete,
DescribeConfigs, AlterConfigs, All),_
_JResourceType.GROUP -> Set(Read, Describe, Delete, All),_
_JResourceType.CLUSTER -> Set(Create, ClusterAction, DescribeConfigs,
AlterConfigs, IdempotentWrite, Alter, Describe, All),_
_JResourceType.TRANSACTIONAL_ID -> Set(Describe, Write, All),_
_JResourceType.DELEGATION_TOKEN -> Set(Describe, All)_
_)_
h2. Code 2.3 where it was fixed coincidentally
*./core/src/main/scala/kafka/admin/AclCommand.scala*
_private def validateOperation(opts: AclCommandOptions, resourceToAcls:
Map[ResourcePatternFilter, Set[Acl]]): Unit = {_
_for ((resource, acls) <- resourceToAcls) {_
_val validOps =
ResourceType.fromJava(resource.resourceType).supportedOperations + All_
_if ((acls.map(_.operation) -- validOps).nonEmpty)_
_CommandLineUtils.printUsageAndDie(opts.parser, s"ResourceType
${resource.resourceType} only supports operations ${validOps.mkString(",")}")_
_}_
_}_
*./core/src/main/scala/kafka/security/auth/ResourceType.scala*
_case object Topic extends ResourceType {_
_val name = "Topic"_
_val error = Errors.TOPIC_AUTHORIZATION_FAILED_
_val toJava = JResourceType.TOPIC_
_val supportedOperations = Set(Read, Write, Create, Describe, Delete, Alter,
DescribeConfigs, AlterConfigs)_
_}_
h2. Suggested Patch
*./core/src/main/scala/kafka/admin/AclCommand.scala*
_val ResourceTypeToValidOperations: Map[JResourceType, Set[Operation]] =
Map[JResourceType, Set[Operation]](_
_JResourceType.TOPIC -> Set(Read, Write, Create, Describe, Delete, Alter,
DescribeConfigs, AlterConfigs, All),_
_JResourceType.GROUP -> Set(Read, Describe, Delete, All),_
_JResourceType.CLUSTER -> Set(Create, ClusterAction, DescribeConfigs,
AlterConfigs, IdempotentWrite, Alter, Describe, All),_
_JResourceType.TRANSACTIONAL_ID -> Set(Describe, Write, All),_
_JResourceType.DELEGATION_TOKEN -> Set(Describe, All)_
_)_
> Error creating ACL Alter Topic in 2.2
> -------------------------------------
>
> Key: KAFKA-8536
> URL: https://issues.apache.org/jira/browse/KAFKA-8536
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.1
> Reporter: Alvaro Peris
> Priority: Critical
> Fix For: 2.2.2
>
>
> When we try to execute the statement to create an Alter Topic ACL in version
> 2.2 of
> Kafka through the kafka-acls.
> """
> kafka-acls --authorizer-properties
> zookeeper.connect=fastdata-zk-discovery:2181 \
> --add \
> --allow-principal User:MyUser \
> --operation Alter \
> --topic topic \
> """
> We get the following error:
>
> ResourceType TOPIC only supports operations
>
> """
> Read,All,AlterConfigs,DescribeConfigs,Delete,Write,Create,Describe
> """
> It should be possible to create an Alter Topic ACL, according to the
> documentation.
> Thanks
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
