You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kafka.apache.org by sh...@apache.org on 2022/04/24 08:51:12 UTC
[kafka] branch trunk updated: KAFKA-13852: Kafka Acl documentation bug for wildcard '*' (#12090)
This is an automated email from the ASF dual-hosted git repository.
showuon pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new ff3d42a18c KAFKA-13852: Kafka Acl documentation bug for wildcard '*' (#12090)
ff3d42a18c is described below
commit ff3d42a18cc8dd91427411e6d0c71a3af8414764
Author: Hongten <ho...@foxmail.com>
AuthorDate: Sun Apr 24 16:50:44 2022 +0800
KAFKA-13852: Kafka Acl documentation bug for wildcard '*' (#12090)
The wildcard * in command without wrapped by single quote will be replaced into the file name under the current folder by bash. So we need to wrap with single quote. Update the doc and command option description.
Reviewers: dengziming <de...@gmail.com>, Luke Chen <sh...@gmail.com>
---
core/src/main/scala/kafka/admin/AclCommand.scala | 16 ++++++++--------
docs/security.html | 4 ++--
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/core/src/main/scala/kafka/admin/AclCommand.scala b/core/src/main/scala/kafka/admin/AclCommand.scala
index 116ca24f7b..cca997d408 100644
--- a/core/src/main/scala/kafka/admin/AclCommand.scala
+++ b/core/src/main/scala/kafka/admin/AclCommand.scala
@@ -518,20 +518,20 @@ object AclCommand extends Logging {
.ofType(classOf[String])
val topicOpt = parser.accepts("topic", "topic to which ACLs should be added or removed. " +
- "A value of * indicates ACL should apply to all topics.")
+ "A value of '*' indicates ACL should apply to all topics.")
.withRequiredArg
.describedAs("topic")
.ofType(classOf[String])
val clusterOpt = parser.accepts("cluster", "Add/Remove cluster ACLs.")
val groupOpt = parser.accepts("group", "Consumer Group to which the ACLs should be added or removed. " +
- "A value of * indicates the ACLs should apply to all groups.")
+ "A value of '*' indicates the ACLs should apply to all groups.")
.withRequiredArg
.describedAs("group")
.ofType(classOf[String])
val transactionalIdOpt = parser.accepts("transactional-id", "The transactionalId to which ACLs should " +
- "be added or removed. A value of * indicates the ACLs should apply to all transactionalIds.")
+ "be added or removed. A value of '*' indicates the ACLs should apply to all transactionalIds.")
.withRequiredArg
.describedAs("transactional-id")
.ofType(classOf[String])
@@ -541,7 +541,7 @@ object AclCommand extends Logging {
"the producer is authorized to a particular transactional-id.")
val delegationTokenOpt = parser.accepts("delegation-token", "Delegation token to which ACLs should be added or removed. " +
- "A value of * indicates ACL should apply to all tokens.")
+ "A value of '*' indicates ACL should apply to all tokens.")
.withRequiredArg
.describedAs("delegation-token")
.ofType(classOf[String])
@@ -569,7 +569,7 @@ object AclCommand extends Logging {
val allowPrincipalsOpt = parser.accepts("allow-principal", "principal is in principalType:name format." +
" Note that principalType must be supported by the Authorizer being used." +
- " For example, User:* is the wild card indicating all users.")
+ " For example, User:'*' is the wild card indicating all users.")
.withRequiredArg
.describedAs("allow-principal")
.ofType(classOf[String])
@@ -579,7 +579,7 @@ object AclCommand extends Logging {
"You only need to use this option as negation to already allowed set. " +
"Note that principalType must be supported by the Authorizer being used. " +
"For example if you wanted to allow access to all users in the system but not test-user you can define an ACL that " +
- "allows access to User:* and specify --deny-principal=User:test@EXAMPLE.COM. " +
+ "allows access to User:'*' and specify --deny-principal=User:test@EXAMPLE.COM. " +
"AND PLEASE REMEMBER DENY RULES TAKES PRECEDENCE OVER ALLOW RULES.")
.withRequiredArg
.describedAs("deny-principal")
@@ -592,13 +592,13 @@ object AclCommand extends Logging {
.ofType(classOf[String])
val allowHostsOpt = parser.accepts("allow-host", "Host from which principals listed in --allow-principal will have access. " +
- "If you have specified --allow-principal then the default for this option will be set to * which allows access from all hosts.")
+ "If you have specified --allow-principal then the default for this option will be set to '*' which allows access from all hosts.")
.withRequiredArg
.describedAs("allow-host")
.ofType(classOf[String])
val denyHostsOpt = parser.accepts("deny-host", "Host from which principals listed in --deny-principal will be denied access. " +
- "If you have specified --deny-principal then the default for this option will be set to * which denies access from all hosts.")
+ "If you have specified --deny-principal then the default for this option will be set to '*' which denies access from all hosts.")
.withRequiredArg
.describedAs("deny-host")
.ofType(classOf[String])
diff --git a/docs/security.html b/docs/security.html
index 2a31942662..846ce5f20b 100644
--- a/docs/security.html
+++ b/docs/security.html
@@ -1383,7 +1383,7 @@ RULE:[n:string](regexp)s/pattern/replacement/g/U</code></pre>
Above examples add acls to a topic by specifying --topic [topic-name] as the resource pattern option. Similarly user can add acls to cluster by specifying --cluster and to a consumer group by specifying --group [group-name].
You can add acls on any resource of a certain type, e.g. suppose you wanted to add an acl "Principal User:Peter is allowed to produce to any Topic from IP 198.51.200.0"
You can do that by using the wildcard resource '*', e.g. by executing the CLI with following options:
- <pre class="line-numbers"><code class="language-bash">> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Peter --allow-host 198.51.200.1 --producer --topic *</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Peter --allow-host 198.51.200.1 --producer --topic '*'</code></pre>
You can add acls on prefixed resource patterns, e.g. suppose you want to add an acl "Principal User:Jane is allowed to produce to any Topic whose name starts with 'Test-' from any host".
You can do that by executing the CLI with following options:
<pre class="line-numbers"><code class="language-bash">> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Jane --producer --topic Test- --resource-pattern-type prefixed</code></pre>
@@ -1400,7 +1400,7 @@ RULE:[n:string](regexp)s/pattern/replacement/g/U</code></pre>
<pre class="line-numbers"><code class="language-bash">> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic Test-topic</code></pre>
However, this will only return the acls that have been added to this exact resource pattern. Other acls can exist that affect access to the topic,
e.g. any acls on the topic wildcard '*', or any acls on prefixed resource patterns. Acls on the wildcard resource pattern can be queried explicitly:
- <pre class="line-numbers"><code class="language-bash">> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic *</code></pre>
+ <pre class="line-numbers"><code class="language-bash">> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic '*'</code></pre>
However, it is not necessarily possible to explicitly query for acls on prefixed resource patterns that match Test-topic as the name of such patterns may not be known.
We can list <i>all</i> acls affecting Test-topic by using '--resource-pattern-type match', e.g.
<pre class="line-numbers"><code class="language-bash">> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic Test-topic --resource-pattern-type match</code></pre>