[ https://issues.apache.org/jira/browse/KAFKA-3790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489798#comment-17489798 ]

Sébastien Launay commented on KAFKA-3790:
-----------------------------------------

It's an oldie and since then we have access to the Admin API so I don't think it makes sense anymore to modify such long-running behaviour of {{kafka-acls}}.

> Default options when removing ACLs do not comply with documentation
> -------------------------------------------------------------------
>
>                 Key: KAFKA-3790
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3790
>             Project: Kafka
>          Issue Type: Bug
>          Components: documentation, security
>    Affects Versions: 0.9.0.1, 0.10.0.0
>            Reporter: Sébastien Launay
>            Priority: Minor
>
> When removing ACLs without providing options like principal, host or
> operation, we got a prompt for removing all the matching ACLs but when
> executing the command none get removed.
> The following commands can be used to reproduce the inconsistency:
> {noformat}
> $ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 -list -topic test
> Current ACLs for resource `Topic:test`:
> $ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Alice --operation Write --topic test --allow-host 1.2.3.4
> Adding ACLs for resource `Topic:test`:
>       User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4
> Current ACLs for resource `Topic:test`:
>       User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4
> $ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:Alice --topic test
> Are you sure you want to remove ACLs:
>       User:Alice has Allow permission for operations: All from hosts: *
>  from resource `Topic:test`? (y/n)
> y
> Current ACLs for resource `Topic:test`:
>       User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4
> {noformat}
> *The Current ACLs for resource {{Topic:test}} is expected to be empty after
> the last command.*
> Only a specific ACL (when all options mentioned above are provided) or else
> all the ACLs for a given resource (none of the options mentioned above are
> provided) can get removed as shown by the following code snippets:
> {noformat}
> // AclCommand.scala
> ...
>   private def removeAcl(opts: AclCommandOptions) {
>     withAuthorizer(opts) { authorizer =>
>       val resourceToAcl = getResourceToAcls(opts)
>       for ((resource, acls) <- resourceToAcl) {
>         if (acls.isEmpty) {
>           if (confirmAction(opts, s"Are you sure you want to delete all ACLs for resource `${resource}`? (y/n)"))
>             authorizer.removeAcls(resource)
>         } else {
>           if (confirmAction(opts, s"Are you sure you want to remove ACLs: $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline from resource `${resource}`? (y/n)"))
>             authorizer.removeAcls(acls, resource)
>         }
>       }
>       listAcl(opts)
>     }
>   }
> ...
> // SimpleAclAuthorizer.scala
> ...
>   override def removeAcls(aclsTobeRemoved: Set[Acl], resource: Resource): Boolean = {
>     inWriteLock(lock) {
>       updateResourceAcls(resource) { currentAcls =>
>         currentAcls -- aclsTobeRemoved
>       }
>     }
>   }
> {noformat}
> A workaround consists of listing the ACL in order to know which exact one to
> remove which makes the automation of ACL management trickier.
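
The removal semantics described in the issue, as an added Python model (not Kafka's code and not part of the original message). It contrasts the exact-match set difference with filter-style matching and with the list-then-remove workaround. The `Acl` class, the wildcard rule in `matches` and the helper names are assumptions for illustration; the sample ACLs are constructed from the session above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str
    permission: str  # "Allow" / "Deny"
    operation: str   # the CLI prompt in the issue shows "All" when --operation is omitted
    host: str        # ... and "*" when --allow-host is omitted

def remove_exact(current, to_remove):
    # Same semantics as `currentAcls -- aclsTobeRemoved`: plain set difference,
    # so an entry is removed only if every field is identical.
    return current - to_remove

def matches(pattern, acl):
    # Assumed wildcard rule (not Kafka's): "All" and "*" match any value.
    return (pattern.principal == acl.principal
            and pattern.permission == acl.permission
            and pattern.operation in ("All", acl.operation)
            and pattern.host in ("*", acl.host))

def remove_matching(current, patterns):
    # What the reporter expected: defaults act as a filter over stored ACLs.
    return {a for a in current if not any(matches(p, a) for p in patterns)}

def remove_listed(current, principal):
    # The workaround from the issue: list first, then remove the exact entries.
    listed = {a for a in current if a.principal == principal}
    return remove_exact(current, listed)

def still_granted(current, principal):
    # Post-removal check for automation: a confirmed removal that leaves
    # entries behind means the principal keeps its access.
    return sorted((a.operation, a.host) for a in current if a.principal == principal)

# Constructed from the session in the issue.
STORED = {Acl("User:Alice", "Allow", "Write", "1.2.3.4")}
REQUESTED = {Acl("User:Alice", "Allow", "All", "*")}

if __name__ == "__main__":
    print("exact  :", still_granted(remove_exact(STORED, REQUESTED), "User:Alice"))
    print("filter :", still_granted(remove_matching(STORED, REQUESTED), "User:Alice"))
    print("listed :", still_granted(remove_listed(STORED, "User:Alice"), "User:Alice"))
```

Automation that revokes access through `kafka-acls` can run a check like `still_granted` against a fresh listing rather than trusting the confirmation prompt.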