kafka-commits mailing list archives

From jun...@apache.org
Subject kafka git commit: KAFKA-2852; Updating the Authorizer CLI to use a consistent way to specify a list of values for a config options.
Date Wed, 18 Nov 2015 01:47:09 GMT
Repository: kafka
Updated Branches:
  refs/heads/0.9.0 723c6f2de -> fda91fcc9


KAFKA-2852; Updating the Authorizer CLI to use a consistent way to specify a list of values
for a config options.

…ecify a list of values for a config options.

Author: Parth Brahmbhatt <brahmbhatt.parth@gmail.com>

Reviewers: Jun Rao <junrao@gmail.com>

Closes #545 from Parth-Brahmbhatt/KAFKA-2852

(cherry picked from commit dacd21ec4e9028593faedeb7d2a4484394367612)
Signed-off-by: Jun Rao <junrao@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/fda91fcc
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/fda91fcc
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/fda91fcc

Branch: refs/heads/0.9.0
Commit: fda91fcc97c2c10ae090d1c82fe36c02c9e35e9a
Parents: 723c6f2
Author: Parth Brahmbhatt <brahmbhatt.parth@gmail.com>
Authored: Tue Nov 17 17:46:59 2015 -0800
Committer: Jun Rao <junrao@gmail.com>
Committed: Tue Nov 17 17:47:06 2015 -0800

----------------------------------------------------------------------
 .../src/main/scala/kafka/admin/AclCommand.scala | 26 ++++++++------------
 .../scala/unit/kafka/admin/AclCommandTest.scala | 16 ++++++------
 docs/security.html                              | 20 +++++++--------
 3 files changed, 28 insertions(+), 34 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kafka/blob/fda91fcc/core/src/main/scala/kafka/admin/AclCommand.scala
----------------------------------------------------------------------
diff --git a/core/src/main/scala/kafka/admin/AclCommand.scala b/core/src/main/scala/kafka/admin/AclCommand.scala
index 377315d..1eb9a40 100644
--- a/core/src/main/scala/kafka/admin/AclCommand.scala
+++ b/core/src/main/scala/kafka/admin/AclCommand.scala
@@ -27,7 +27,6 @@ import scala.collection.JavaConverters._
 
 object AclCommand {
 
-  val Delimiter = ','
   val Newline = scala.util.Properties.lineSeparator
   val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
     Topic -> Set(Read, Write, Describe, All),
@@ -244,7 +243,7 @@ object AclCommand {
     for ((resource, acls) <- resourceToAcls) {
       val validOps = ResourceTypeToValidOperations(resource.resourceType)
       if ((acls.map(_.operation) -- validOps).nonEmpty)
-        CommandLineUtils.printUsageAndDie(opts.parser, s"ResourceType ${resource.resourceType}
only supports operations ${validOps.mkString(Delimiter.toString)}")
+        CommandLineUtils.printUsageAndDie(opts.parser, s"ResourceType ${resource.resourceType}
only supports operations ${validOps.mkString(",")}")
     }
   }
 
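Review bot: on the changed printUsageAndDie line the valid operations are still joined with a bare "," even though the CLI no longer takes comma separated values, so the error text reads like an accepted argument format. validOps.mkString(", ") would read as a plain list and would not suggest that a comma-joined value can be passed to --operation.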
@@ -262,31 +261,28 @@ object AclCommand {
       .describedAs("authorizer-properties")
       .ofType(classOf[String])
 
-    val topicOpt = parser.accepts("topic", "Comma separated list of topic to which acls should
be added or removed. " +
+    val topicOpt = parser.accepts("topic", "topic to which acls should be added or removed.
" +
       "A value of * indicates acl should apply to all topics.")
       .withRequiredArg
       .describedAs("topic")
       .ofType(classOf[String])
-      .withValuesSeparatedBy(Delimiter)
 
     val clusterOpt = parser.accepts("cluster", "Add/Remove cluster acls.")
-    val groupOpt = parser.accepts("group", "Comma separated list of groups to which the acls
should be added or removed. " +
+    val groupOpt = parser.accepts("group", "Consumer Group to which the acls should be added
or removed. " +
       "A value of * indicates the acls should apply to all groups.")
       .withRequiredArg
       .describedAs("group")
       .ofType(classOf[String])
-      .withValuesSeparatedBy(Delimiter)
 
     val addOpt = parser.accepts("add", "Indicates you are trying to add acls.")
     val removeOpt = parser.accepts("remove", "Indicates you are trying to remove acls.")
     val listOpt = parser.accepts("list", "List acls for the specified resource, use --topic
<topic> or --group <group> or --cluster to specify a resource.")
 
-    val operationsOpt = parser.accepts("operations", "Comma separated list of operations,
default is All. Valid operation names are: " + Newline +
+    val operationsOpt = parser.accepts("operation", "Operation that is being allowed or denied.
Valid operation names are: " + Newline +
       Operation.values.map("\t" + _).mkString(Newline) + Newline)
       .withRequiredArg
       .ofType(classOf[String])
       .defaultsTo(All.name)
-      .withValuesSeparatedBy(Delimiter)
 
     val allowPrincipalsOpt = parser.accepts("allow-principal", "principal is in principalType:name
format." +
       " User:* is the wild card indicating all users.")
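Review bot: --topic and --group keep their names but lose .withValuesSeparatedBy(Delimiter), so an existing invocation such as --topic test-1,test-2 is still accepted by the parser and is now read as one value containing a comma instead of two topics. For an ACL tool that silently changes which resource a rule is attached to. Consider rejecting values that contain a comma with a message pointing to the repeated-option form, and state in the help text for --topic, --group and --operation that the option may be given more than once. The val is also still named operationsOpt although the flag is now "operation".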
@@ -304,19 +300,17 @@ object AclCommand {
       .describedAs("deny-principal")
       .ofType(classOf[String])
 
-    val allowHostsOpt = parser.accepts("allow-hosts", "Comma separated list of hosts from
which principals listed in --allow-principals will have access. " +
-      "If you have specified --allow-principals then the default for this option will be
set to * which allows access from all hosts.")
+    val allowHostsOpt = parser.accepts("allow-host", "Host from which principals listed in
--allow-principal will have access. " +
+      "If you have specified --allow-principal then the default for this option will be set
to * which allows access from all hosts.")
       .withRequiredArg
-      .describedAs("allow-hosts")
+      .describedAs("allow-host")
       .ofType(classOf[String])
-      .withValuesSeparatedBy(Delimiter)
 
-    val denyHostssOpt = parser.accepts("deny-hosts", "Comma separated list of hosts from
which principals listed in --deny-principals will be denied access. " +
-      "If you have specified --deny-principals then the default for this option will be set
to * which denies access from all hosts.")
+    val denyHostssOpt = parser.accepts("deny-host", "Host from which principals listed in
--deny-principal will be denied access. " +
+      "If you have specified --deny-principal then the default for this option will be set
to * which denies access from all hosts.")
       .withRequiredArg
-      .describedAs("deny-hosts")
+      .describedAs("deny-host")
       .ofType(classOf[String])
-      .withValuesSeparatedBy(Delimiter)
 
     val producerOpt = parser.accepts("producer", "Convenience option to add/remove acls for
producer role. " +
       "This will generate acls that allows WRITE,DESCRIBE on topic and CREATE on cluster.
")
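Review bot: the val names on the changed lines no longer match the flags: allowHostsOpt is still plural and denyHostssOpt keeps its double-s typo, while the options are now "allow-host" and "deny-host". Rename them (for example allowHostOpt and denyHostOpt) while these lines are being touched. The new help strings also do not say that the option can be repeated, which is the only way left to list several hosts once .withValuesSeparatedBy(Delimiter) is removed.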

http://git-wip-us.apache.org/repos/asf/kafka/blob/fda91fcc/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala
----------------------------------------------------------------------
diff --git a/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala b/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala
index 1e9cdae..0bb950d 100644
--- a/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala
+++ b/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala
@@ -31,21 +31,22 @@ class AclCommandTest extends ZooKeeperTestHarness with Logging {
 
   private val Users = Set(KafkaPrincipal.fromString("User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"),
KafkaPrincipal.fromString("User:test2"))
   private val Hosts = Set("host1", "host2")
-  private val HostsString = Hosts.mkString(AclCommand.Delimiter.toString)
+  private val AllowHostCommand = Array("--allow-host", "host1", "--allow-host", "host2")
+  private val DenyHostCommand = Array("--deny-host", "host1", "--deny-host", "host2")
 
   private val TopicResources = Set(new Resource(Topic, "test-1"), new Resource(Topic, "test-2"))
   private val GroupResources = Set(new Resource(Group, "testGroup-1"), new Resource(Group,
"testGroup-2"))
 
   private val ResourceToCommand = Map[Set[Resource], Array[String]](
-    TopicResources -> Array("--topic", "test-1,test-2"),
+    TopicResources -> Array("--topic", "test-1", "--topic", "test-2"),
     Set(Resource.ClusterResource) -> Array("--cluster"),
-    GroupResources -> Array("--group", "testGroup-1,testGroup-2")
+    GroupResources -> Array("--group", "testGroup-1", "--group", "testGroup-2")
   )
 
   private val ResourceToOperations = Map[Set[Resource], (Set[Operation], Array[String])](
-    TopicResources -> (Set(Read, Write, Describe), Array("--operations", "Read,Write,Describe")),
-    Set(Resource.ClusterResource) -> (Set(Create, ClusterAction), Array("--operations",
"Create,ClusterAction")),
-    GroupResources -> (Set(Read).toSet[Operation], Array("--operations", "Read"))
+    TopicResources -> (Set(Read, Write, Describe), Array("--operation", "Read" , "--operation",
"Write", "--operation", "Describe")),
+    Set(Resource.ClusterResource) -> (Set(Create, ClusterAction), Array("--operation",
"Create", "--operation", "ClusterAction")),
+    GroupResources -> (Set(Read).toSet[Operation], Array("--operation", "Read"))
   )
 
   private val ProducerResourceToAcls = Map[Set[Resource], Set[Acl]](
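Review bot: the updated fixtures only exercise the repeated-option form, so nothing pins down what now happens to a comma-joined value such as "test-1,test-2" for --topic or --group, whose names did not change. Add a case asserting that such a value is rejected or treated as a single resource name, whichever is intended. AllowHostCommand and DenyHostCommand also hard-code "host1" and "host2" next to the Hosts set; building them from Hosts (for example Hosts.toArray.flatMap(h => Array("--allow-host", h))) keeps the two from drifting apart. There is a stray space before the comma in "Read" , on the first --operation line.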
@@ -118,9 +119,8 @@ class AclCommandTest extends ZooKeeperTestHarness with Logging {
 
   private def getCmd(permissionType: PermissionType): Array[String] = {
     val principalCmd = if (permissionType == Allow) "--allow-principal" else "--deny-principal"
-    val hostCmd = if (permissionType == Allow) "--allow-hosts" else "--deny-hosts"
+    val cmd = if (permissionType == Allow) AllowHostCommand else DenyHostCommand
 
-    val cmd = Array(hostCmd, HostsString)
     Users.foldLeft(cmd) ((cmd, user) => cmd ++ Array(principalCmd, user.toString))
   }
 
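Review bot: in getCmd the new val cmd is immediately shadowed by the fold accumulator, which is also named cmd in Users.foldLeft(cmd) ((cmd, user) => ...). Keeping a distinct name for the initial value (hostCmd, the name this hunk removes, would do) or calling the accumulator acc makes it clear which array is being extended.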

http://git-wip-us.apache.org/repos/asf/kafka/blob/fda91fcc/docs/security.html
----------------------------------------------------------------------
diff --git a/docs/security.html b/docs/security.html
index c99aa93..da9c3c6 100644
--- a/docs/security.html
+++ b/docs/security.html
@@ -339,20 +339,20 @@ Kafka Authorization management CLI can be found under bin directory
with all the
         <td>Principal</td>
     </tr>
     <tr>
-        <td>--allow-hosts</td>
-        <td>Comma separated list of hosts from which principals listed in --allow-principals
will have access.</td>
+        <td>--allow-host</td>
+        <td>Host from which principals listed in --allow-principals will have access.</td>
         <td> if --allow-principals is specified defaults to * which translates to "all
hosts"</td>
         <td>Host</td>
     </tr>
     <tr>
-        <td>--deny-hosts</td>
-        <td>Comma separated list of hosts from which principals listed in --deny-principals
will be denied access.</td>
+        <td>--deny-host</td>
+        <td>Host from which principals listed in --deny-principals will be denied access.</td>
         <td>if --deny-principals is specified defaults to * which translates to "all
hosts"</td>
         <td>Host</td>
     </tr>
     <tr>
-        <td>--operations</td>
-        <td>Comma separated list of operations.<br>
+        <td>--operation</td>
+        <td>Operation that will be allowed or denied.<br>
             Valid values are : Read, Write, Create, Delete, Alter, Describe, ClusterAction,
All</td>
         <td>All</td>
         <td>Operation</td>
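Review bot: the rewritten descriptions for --allow-host and --deny-host, and the default-value cells beside them, still refer to --allow-principals and --deny-principals, while the option help in AclCommand.scala in this same commit was corrected to --allow-principal and --deny-principal. Use the singular names here too so the table matches the CLI. The table also never says that --allow-host, --deny-host and --operation can be repeated, which readers of the old "Comma separated list" wording will need to know.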
@@ -376,14 +376,14 @@ Kafka Authorization management CLI can be found under bin directory
with all the
 <ul>
     <li><b>Adding Acls</b><br>
 Suppose you want to add an acl "Principals User:Bob and User:Alice are allowed to perform
Operation Read and Write on Topic Test-Topic from Host1 and Host2". You can do that by executing
the CLI with following options:
-        <pre>bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer
--authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob
--allow-principal User:Alice --allow-hosts Host1,Host2 --operations Read,Write --topic Test-topic</pre>
-        By default all principals that don't have an explicit acl that allows access for
an operation to a resource are denied. In rare cases where an allow acl is defined that allows
access to all but some principal we will have to use the --deny-principals and --deny-host
option. For example, if we want to allow all users to Read from Test-topic but only deny User:BadBob
from host bad-host we can do so using following commands:
-        <pre>bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer
--authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:* --allow-hosts
* --deny-principal User:BadBob --deny-hosts bad-host --operations Read--topic Test-topic</pre>
+        <pre>bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer
--authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob
--allow-principal User:Alice --allow-host Host1 --allow-host Host2 --operation Read --operation
Write --topic Test-topic</pre>
+        By default all principals that don't have an explicit acl that allows access for
an operation to a resource are denied. In rare cases where an allow acl is defined that allows
access to all but some principal we will have to use the --deny-principal and --deny-host
option. For example, if we want to allow all users to Read from Test-topic but only deny User:BadBob
from host bad-host we can do so using following commands:
+        <pre>bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer
--authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:* --allow-hosts
* --deny-principal User:BadBob --deny-host bad-host --operation Read--topic Test-topic</pre>
         Above examples add acls to a topic by specifying --topic [topic-name] as the resource
option. Similarly user can add acls to cluster by specifying --cluster and to a consumer group
by specifying --consumer-group [group-name].</li>
 
     <li><b>Removing Acls</b><br>
             Removing acls is pretty much the same. The only difference is instead of --add
option users will have to specify --remove option. To remove the acls added by the first example
above we can execute the CLI with following options:
-           <pre> bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer
--authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:Bob
--allow-principal User:Alice --allow-hosts Host1,Host2 --operations Read,Write --topic Test-topic
</pre></li>
+           <pre> bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer
--authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:Bob
--allow-principal User:Alice --allow-host Host1 --allow-host Host2 --operation Read --operation
Write --topic Test-topic </pre></li>
 
     <li><b>List Acls</b><br>
             We can list acls for any resource by specifying the --list option with the resource.
To list all acls for Test-topic we can execute the CLI with following options:
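Review bot: the second added example is only half converted: it still passes --allow-hosts * (the flag this commit renames to --allow-host), and "--operation Read--topic" is missing the space before --topic, so the documented command does not match the CLI. The unquoted * would also be expanded by the shell to file names in the working directory before kafka-acls.sh sees it; write it as '*'. The unchanged paragraph after the examples refers to --consumer-group [group-name], but the option defined in AclCommand.scala is --group.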

