From jun...@apache.org
Subject kafka git commit: KAFKA-2788; Allow specifying principals with comman in ACL CLI.
Date Tue, 10 Nov 2015 22:28:18 GMT
Repository: kafka
Updated Branches:
  refs/heads/0.9.0 7508ec219 -> 501ac0282


KAFKA-2788; Allow specifying principals with comman in ACL CLI.

Author: Parth Brahmbhatt <brahmbhatt.parth@gmail.com>

Reviewers: Jun Rao <junrao@gmail.com>

Closes #489 from Parth-Brahmbhatt/KAFKA-2788

(cherry picked from commit 60c06734b345bbf292773e5b9206282ff3995968)
Signed-off-by: Jun Rao <junrao@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/501ac028
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/501ac028
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/501ac028

Branch: refs/heads/0.9.0
Commit: 501ac028273815f015cf97c8b48b4c34286cc1fb
Parents: 7508ec2
Author: Parth Brahmbhatt <brahmbhatt.parth@gmail.com>
Authored: Tue Nov 10 14:27:55 2015 -0800
Committer: Jun Rao <junrao@gmail.com>
Committed: Tue Nov 10 14:28:07 2015 -0800

----------------------------------------------------------------------
 .../src/main/scala/kafka/admin/AclCommand.scala | 62 +++++++++++---------
 .../scala/unit/kafka/admin/AclCommandTest.scala | 14 ++---
 2 files changed, 40 insertions(+), 36 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kafka/blob/501ac028/core/src/main/scala/kafka/admin/AclCommand.scala
----------------------------------------------------------------------
diff --git a/core/src/main/scala/kafka/admin/AclCommand.scala b/core/src/main/scala/kafka/admin/AclCommand.scala
index fd6d420..3a6986f 100644
--- a/core/src/main/scala/kafka/admin/AclCommand.scala
+++ b/core/src/main/scala/kafka/admin/AclCommand.scala
@@ -30,9 +30,9 @@ object AclCommand {
   val Delimiter = ','
   val Newline = scala.util.Properties.lineSeparator
   val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
-    Topic -> Set(Read, Write, Describe),
-    Group -> Set(Read),
-    Cluster -> Set(Create, ClusterAction)
+    Topic -> Set(Read, Write, Describe, All),
+    Group -> Set(Read, All),
+    Cluster -> Set(Create, ClusterAction, All)
   )
 
   def main(args: Array[String]) {
@@ -44,23 +44,13 @@ object AclCommand {
 
     opts.checkArgs()
 
-    var authorizerProperties = Map.empty[String, Any]
-    if (opts.options.has(opts.authorizerPropertiesOpt)) {
-      val props = opts.options.valuesOf(opts.authorizerPropertiesOpt).asScala.map(_.split("="))
-      props.foreach(pair => authorizerProperties += (pair(0).trim -> pair(1).trim))
-    }
-
-    val authorizerClass = opts.options.valueOf(opts.authorizerOpt)
-    val authZ: Authorizer = CoreUtils.createObject(authorizerClass)
-    authZ.configure(authorizerProperties.asJava)
-
     try {
       if (opts.options.has(opts.addOpt))
-        addAcl(authZ, opts)
+        addAcl(opts)
       else if (opts.options.has(opts.removeOpt))
-        removeAcl(authZ, opts)
+        removeAcl(opts)
       else if (opts.options.has(opts.listOpt))
-        listAcl(authZ, opts)
+        listAcl(opts)
     } catch {
       case e: Throwable =>
         println(s"Error while executing topic Acl command ${e.getMessage}")
@@ -69,7 +59,21 @@ object AclCommand {
     }
   }
 
-  private def addAcl(authZ: Authorizer, opts: AclCommandOptions) {
+  def getAuthorizer(opts: AclCommandOptions): Authorizer = {
+    var authorizerProperties = Map.empty[String, Any]
+    if (opts.options.has(opts.authorizerPropertiesOpt)) {
+      val props = opts.options.valuesOf(opts.authorizerPropertiesOpt).asScala.map(_.split("="))
+      props.foreach(pair => authorizerProperties += (pair(0).trim -> pair(1).trim))
+    }
+
+    val authorizerClass = opts.options.valueOf(opts.authorizerOpt)
+    val authZ: Authorizer = CoreUtils.createObject(authorizerClass)
+    authZ.configure(authorizerProperties.asJava)
+    authZ
+  }
+
+  private def addAcl(opts: AclCommandOptions) {
+    val authZ: Authorizer = getAuthorizer(opts)
     val resourceToAcl = getResourceToAcls(opts)
 
     if (resourceToAcl.values.exists(_.isEmpty))
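Review bot: `getAuthorizer` reads `pair(1)` after `split("=")` without checking the split result, so an `authorizerPropertiesOpt` entry with no `=` fails with an array-index error, and a value that itself contains `=` is silently cut at the second `=`. These properties configure the authorizer that then writes ACLs, so a malformed entry should be rejected with a clear message rather than partially applied: split with a limit, `.map(_.split("=", 2))`, and check `require(pair.length == 2, "authorizer property must be key=value")` before building the map. The method is also newly public and undocumented; a one-line Scaladoc saying that every call constructs and configures a fresh Authorizer would help callers. addAcl's body continues outside the hunk.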
@@ -81,10 +85,11 @@ object AclCommand {
       authZ.addAcls(acls, resource)
     }
 
-    listAcl(authZ, opts)
+    listAcl(opts)
   }
 
-  private def removeAcl(authZ: Authorizer, opts: AclCommandOptions) {
+  private def removeAcl(opts: AclCommandOptions) {
+    val authZ: Authorizer = getAuthorizer(opts)
     val resourceToAcl = getResourceToAcls(opts)
 
     for ((resource, acls) <- resourceToAcl) {
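Review bot: `addAcl` now builds its own Authorizer and still ends with `listAcl(opts)`, which in the following hunk calls `getAuthorizer(opts)` again, so each add constructs and configures two authorizer instances and releases neither; `removeAcl` in this hunk has the same shape. If the configured implementation opens a connection in `configure` (not visible here), those stay open until the JVM exits. Consider keeping a private `listAcl(authZ, opts)` overload for the follow-up listing, or wrapping the work in `try { ... } finally { authZ.close() }` if the Authorizer trait exposes a close method. Both method bodies extend beyond the hunk.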
@@ -97,10 +102,11 @@ object AclCommand {
       }
     }
 
-    listAcl(authZ, opts)
+    listAcl(opts)
   }
 
-  private def listAcl(authZ: Authorizer, opts: AclCommandOptions) {
+  private def listAcl(opts: AclCommandOptions) {
+    val authZ = getAuthorizer(opts)
     val resources = getResource(opts, dieIfNoResourceFound = false)
 
     val resourceToAcls = if(resources.isEmpty)
@@ -284,23 +290,21 @@ object AclCommand {
       .defaultsTo(All.name)
       .withValuesSeparatedBy(Delimiter)
 
-    val allowPrincipalsOpt = parser.accepts("allow-principals", "Comma separated list of
principals where principal is in principalType:name format." +
+    val allowPrincipalsOpt = parser.accepts("allow-principal", "principal is in principalType:name
format." +
       " User:* is the wild card indicating all users.")
       .withRequiredArg
-      .describedAs("allow-principals")
+      .describedAs("allow-principal")
       .ofType(classOf[String])
-      .withValuesSeparatedBy(Delimiter)
 
-    val denyPrincipalsOpt = parser.accepts("deny-principals", "Comma separated list of principals
where principal is in " +
-      "principalType: name format. By default anyone not in --allow-principals list is denied
access. " +
+    val denyPrincipalsOpt = parser.accepts("deny-principal", "principal is in principalType:
name format. " +
+      "By default anyone not added through --allow-principal is denied access. " +
       "You only need to use this option as negation to already allowed set. " +
       "For example if you wanted to allow access to all users in the system but not test-user
you can define an acl that " +
-      "allows access to User:* and specify --deny-principals=User:test@EXAMPLE.COM. " +
+      "allows access to User:* and specify --deny-principal=User:test@EXAMPLE.COM. " +
       "AND PLEASE REMEMBER DENY RULES TAKES PRECEDENCE OVER ALLOW RULES.")
       .withRequiredArg
-      .describedAs("deny-principals")
+      .describedAs("deny-principal")
       .ofType(classOf[String])
-      .withValuesSeparatedBy(Delimiter)
 
     val allowHostsOpt = parser.accepts("allow-hosts", "Comma separated list of hosts from
which principals listed in --allow-principals will have access. " +
       "If you have specified --allow-principals then the default for this option will be
set to * which allows access from all hosts.")
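Review bot: The new `--allow-principal` / `--deny-principal` help text no longer says how to name more than one principal, and the `allow-hosts` description at the end of this hunk still refers to `--allow-principals`, which this change removes. With `withValuesSeparatedBy(Delimiter)` dropped, an old-style value such as `User:a,User:b` (constructed example) is presumably taken as one principal name; for a deny rule that would leave the intended users not denied, with no error shown. I would state the contract in both descriptions, e.g. `"Specify the option once per principal; the value is not split on commas."`, and update the host descriptions to the singular option name. The deny text also appears to read `principalType: name` with a space where the allow text has `principalType:name`. The allowHostsOpt definition continues outside the hunk.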

http://git-wip-us.apache.org/repos/asf/kafka/blob/501ac028/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala
----------------------------------------------------------------------
diff --git a/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala b/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala
index 1266598..1e9cdae 100644
--- a/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala
+++ b/core/src/test/scala/unit/kafka/admin/AclCommandTest.scala
@@ -25,12 +25,11 @@ import kafka.server.KafkaConfig
 import kafka.utils.{Logging, TestUtils}
 import kafka.zk.ZooKeeperTestHarness
 import org.apache.kafka.common.security.auth.KafkaPrincipal
-import org.junit.{Assert, Test}
+import org.junit.Test
 
 class AclCommandTest extends ZooKeeperTestHarness with Logging {
 
-  private val Users = Set(KafkaPrincipal.fromString("User:test1"), KafkaPrincipal.fromString("User:test2"))
-  private val UsersString = Users.mkString(AclCommand.Delimiter.toString)
+  private val Users = Set(KafkaPrincipal.fromString("User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"),
KafkaPrincipal.fromString("User:test2"))
   private val Hosts = Set("host1", "host2")
   private val HostsString = Hosts.mkString(AclCommand.Delimiter.toString)
 
@@ -118,10 +117,11 @@ class AclCommandTest extends ZooKeeperTestHarness with Logging {
   }
 
   private def getCmd(permissionType: PermissionType): Array[String] = {
-    if (permissionType == Allow)
-      Array("--allow-principals", UsersString, "--allow-hosts", HostsString)
-    else
-      Array("--deny-principals", UsersString, "--deny-hosts", HostsString)
+    val principalCmd = if (permissionType == Allow) "--allow-principal" else "--deny-principal"
+    val hostCmd = if (permissionType == Allow) "--allow-hosts" else "--deny-hosts"
+
+    val cmd = Array(hostCmd, HostsString)
+    Users.foldLeft(cmd) ((cmd, user) => cmd ++ Array(principalCmd, user.toString))
   }
 
   def getAuthorizer(props: Properties): Authorizer = {
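Review bot: In `getCmd` the fold's lambda parameter `cmd` shadows the `val cmd` declared on the line above, which makes the accumulator hard to follow; rename it, e.g. `Users.foldLeft(cmd)((acc, user) => acc ++ Array(principalCmd, user.toString))`. A short comment that each principal is passed as its own option occurrence, because the DN in `Users` contains commas, would record why the joined `UsersString` was dropped.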

