ACL host option support #519

tolikkk · 2022-08-02T12:48:26Z

In traditional ACL client (embedded kafka-acls.sh) it is possible to define host parameter (ip address) that ACL will affect to.

ACL for resource options:

principal
host
operation
permissionType

Example for ACL with host option:
kafka-acls.sh --bootstrap-server=broker.example.com:9092 --add --allow-principal User:* --allow-host 192.168.1.2 --operation ALL --topic bar1

list ACL:

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=bar1, patternType=LITERAL)`:
 	(principal=User:*, host=192.168.1.2, operation=ALL, permissionType=ALLOW)

More than that I see host option in the julie ACL execution log and it has wildcard value "host" : "*".
Example for principal "User:Alice" with consumer access to topic bar1:

{
  "Operation" : "com.purbon.kafka.topology.actions.access.CreateBindings",
  "Bindings" : [ {
    "resourceType" : "GROUP",
    "resourceName" : "*",
    "host" : "*",
    "operation" : "READ",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  }, {
    "resourceType" : "TOPIC",
    "resourceName" : "bar1",
    "host" : "*",
    "operation" : "READ",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  }, {
    "resourceType" : "TOPIC",
    "resourceName" : "bar1",
    "host" : "*",
    "operation" : "DESCRIBE",
    "principal" : "User:Alice",
    "pattern" : "LITERAL",
    "scope" : null
  } ]
}

Is it possible to use option "host" in topology ACL configuration, like this?

context: "example"
projects:
  - name: "kafka"
    topics:
      - name: "bar1"
        config:
          retention.ms: "604800000"
        consumers:
          - principal: "User:Alice"
            host: "1.2.3.4"

Or maybe there is any other way to do it?

The text was updated successfully, but these errors were encountered:

tolikkk · 2022-08-04T13:59:48Z

I found the solution. It can be done via Custom JulieRoles - https://julieops.readthedocs.io/en/latest/futures/define-custom-roles.html

Steps:

describe custom ACL in roles.yml

roles:
  - name: "custom_acl"
    acls:
      - resourceType: "Topic"
        resourceName: "bar1"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "READ"
        permissionType: "ALLOW"
      - resourceType: "Topic"
        resourceName: "bar1"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "DESCRIBE"
    - resourceType: "Group"
        resourceName: "*"
        patternType: "LITERAL"
        host: "1.2.3.4"
        operation: "READ"

set custom role to topology config

context: "example"
projects:
  - name: "kafka"
    custom_acl:
      - principal: "User:Alice"
    topics:
      - name: "bar1"
        config:
          retention.ms: "604800000"

set custom acl path in config
julie.roles=/roles.yml

purbon · 2022-08-05T10:11:53Z

yes, this is "the way" for now. but somehow I agree with you that introducing this to the other abstractions is a good idea. However, in my own bubble, the host is not usually one config often used as IP can and will certainly change.

tolikkk added the enhancement New feature or request label Aug 2, 2022

qzhang1995 mentioned this issue Jun 15, 2023

Support for ACL host #570

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ACL host option support #519

ACL host option support #519

tolikkk commented Aug 2, 2022 •

edited

Loading

tolikkk commented Aug 4, 2022

purbon commented Aug 5, 2022 •

edited

Loading

ACL host option support #519

ACL host option support #519

Comments

tolikkk commented Aug 2, 2022 • edited Loading

tolikkk commented Aug 4, 2022

purbon commented Aug 5, 2022 • edited Loading

tolikkk commented Aug 2, 2022 •

edited

Loading

purbon commented Aug 5, 2022 •

edited

Loading