This is an automated email from the ASF dual-hosted git repository.
showuon pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new ff3d42a18c KAFKA-13852: Kafka Acl documentation bug for wildcard '*'
(#12090)
ff3d42a18c is described below
commit ff3d42a18cc8dd91427411e6d0c71a3af8414764
Author: Hongten <[email protected]>
AuthorDate: Sun Apr 24 16:50:44 2022 +0800
KAFKA-13852: Kafka Acl documentation bug for wildcard '*' (#12090)
The wildcard * in a command, when not wrapped in single quotes, will be replaced
by bash with the file names under the current folder. So we need to wrap it in
single quotes. Update the doc and command option description.
Reviewers: dengziming <[email protected]>, Luke Chen
<[email protected]>
---
core/src/main/scala/kafka/admin/AclCommand.scala | 16 ++++++++--------
docs/security.html | 4 ++--
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/core/src/main/scala/kafka/admin/AclCommand.scala
b/core/src/main/scala/kafka/admin/AclCommand.scala
index 116ca24f7b..cca997d408 100644
--- a/core/src/main/scala/kafka/admin/AclCommand.scala
+++ b/core/src/main/scala/kafka/admin/AclCommand.scala
@@ -518,20 +518,20 @@ object AclCommand extends Logging {
.ofType(classOf[String])
val topicOpt = parser.accepts("topic", "topic to which ACLs should be
added or removed. " +
- "A value of * indicates ACL should apply to all topics.")
+ "A value of '*' indicates ACL should apply to all topics.")
.withRequiredArg
.describedAs("topic")
.ofType(classOf[String])
val clusterOpt = parser.accepts("cluster", "Add/Remove cluster ACLs.")
val groupOpt = parser.accepts("group", "Consumer Group to which the ACLs
should be added or removed. " +
- "A value of * indicates the ACLs should apply to all groups.")
+ "A value of '*' indicates the ACLs should apply to all groups.")
.withRequiredArg
.describedAs("group")
.ofType(classOf[String])
val transactionalIdOpt = parser.accepts("transactional-id", "The
transactionalId to which ACLs should " +
- "be added or removed. A value of * indicates the ACLs should apply to
all transactionalIds.")
+ "be added or removed. A value of '*' indicates the ACLs should apply to
all transactionalIds.")
.withRequiredArg
.describedAs("transactional-id")
.ofType(classOf[String])
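Review bot: In the --topic, --group and --transactional-id descriptions, "A value of '*'" leaves it unclear whether the quotes are part of the value or only shell quoting. Consider saying so in the help text itself, for example "A value of * (quote it as '*' so the shell does not expand it) indicates ...", so the output of the tool explains the reason instead of only showing the quotes.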
@@ -541,7 +541,7 @@ object AclCommand extends Logging {
"the producer is authorized to a particular transactional-id.")
val delegationTokenOpt = parser.accepts("delegation-token", "Delegation
token to which ACLs should be added or removed. " +
- "A value of * indicates ACL should apply to all tokens.")
+ "A value of '*' indicates ACL should apply to all tokens.")
.withRequiredArg
.describedAs("delegation-token")
.ofType(classOf[String])
@@ -569,7 +569,7 @@ object AclCommand extends Logging {
val allowPrincipalsOpt = parser.accepts("allow-principal", "principal is
in principalType:name format." +
" Note that principalType must be supported by the Authorizer being
used." +
- " For example, User:* is the wild card indicating all users.")
+ " For example, User:'*' is the wild card indicating all users.")
.withRequiredArg
.describedAs("allow-principal")
.ofType(classOf[String])
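Review bot: In the --allow-principal description, User:'*' quotes only the asterisk, which the shell accepts but which reads as if the quotes belong to the principal name. Quoting the whole token as 'User:*' is easier to read and to copy; the --deny-principal description uses the same spelling, so both should be changed together.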
@@ -579,7 +579,7 @@ object AclCommand extends Logging {
"You only need to use this option as negation to already allowed set. " +
"Note that principalType must be supported by the Authorizer being used.
" +
"For example if you wanted to allow access to all users in the system
but not test-user you can define an ACL that " +
- "allows access to User:* and specify
--deny-principal=User:[email protected]. " +
+ "allows access to User:'*' and specify
--deny-principal=User:[email protected]. " +
"AND PLEASE REMEMBER DENY RULES TAKES PRECEDENCE OVER ALLOW RULES.")
.withRequiredArg
.describedAs("deny-principal")
@@ -592,13 +592,13 @@ object AclCommand extends Logging {
.ofType(classOf[String])
val allowHostsOpt = parser.accepts("allow-host", "Host from which
principals listed in --allow-principal will have access. " +
- "If you have specified --allow-principal then the default for this
option will be set to * which allows access from all hosts.")
+ "If you have specified --allow-principal then the default for this
option will be set to '*' which allows access from all hosts.")
.withRequiredArg
.describedAs("allow-host")
.ofType(classOf[String])
val denyHostsOpt = parser.accepts("deny-host", "Host from which principals
listed in --deny-principal will be denied access. " +
- "If you have specified --deny-principal then the default for this option
will be set to * which denies access from all hosts.")
+ "If you have specified --deny-principal then the default for this option
will be set to '*' which denies access from all hosts.")
.withRequiredArg
.describedAs("deny-host")
.ofType(classOf[String])
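Review bot: In the --allow-host and --deny-host descriptions the quoted '*' describes the default that is set when --allow-principal or --deny-principal is given, not something the user types, so the quotes can be read as part of the host value. Consider keeping the bare * for the default and adding a short clause that a wildcard passed explicitly on the command line must be quoted.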
diff --git a/docs/security.html b/docs/security.html
index 2a31942662..846ce5f20b 100644
--- a/docs/security.html
+++ b/docs/security.html
@@ -1383,7 +1383,7 @@
RULE:[n:string](regexp)s/pattern/replacement/g/U</code></pre>
Above examples add acls to a topic by specifying --topic
[topic-name] as the resource pattern option. Similarly user can add acls to
cluster by specifying --cluster and to a consumer group by specifying --group
[group-name].
You can add acls on any resource of a certain type, e.g. suppose
you wanted to add an acl "Principal User:Peter is allowed to produce to any
Topic from IP 198.51.200.0"
You can do that by using the wildcard resource '*', e.g. by
executing the CLI with following options:
- <pre class="line-numbers"><code class="language-bash">>
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
--add --allow-principal User:Peter --allow-host 198.51.200.1 --producer --topic
*</code></pre>
+ <pre class="line-numbers"><code class="language-bash">>
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
--add --allow-principal User:Peter --allow-host 198.51.200.1 --producer --topic
'*'</code></pre>
You can add acls on prefixed resource patterns, e.g. suppose you
want to add an acl "Principal User:Jane is allowed to produce to any Topic
whose name starts with 'Test-' from any host".
You can do that by executing the CLI with following options:
<pre class="line-numbers"><code class="language-bash">>
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
--add --allow-principal User:Jane --producer --topic Test-
--resource-pattern-type prefixed</code></pre>
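Review bot: The prose above the changed command says "from IP 198.51.200.0" while the command passes --allow-host 198.51.200.1. Since this example is being edited anyway, make the two addresses agree so the reader can tell which host the ACL is meant to cover.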
@@ -1400,7 +1400,7 @@
RULE:[n:string](regexp)s/pattern/replacement/g/U</code></pre>
<pre class="line-numbers"><code class="language-bash">>
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
--list --topic Test-topic</code></pre>
However, this will only return the acls that have been added to
this exact resource pattern. Other acls can exist that affect access to the
topic,
e.g. any acls on the topic wildcard '*', or any acls on prefixed
resource patterns. Acls on the wildcard resource pattern can be queried
explicitly:
- <pre class="line-numbers"><code class="language-bash">>
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
--list --topic *</code></pre>
+ <pre class="line-numbers"><code class="language-bash">>
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
--list --topic '*'</code></pre>
However, it is not necessarily possible to explicitly query for
acls on prefixed resource patterns that match Test-topic as the name of such
patterns may not be known.
We can list <i>all</i> acls affecting Test-topic by using
'--resource-pattern-type match', e.g.
<pre class="line-numbers"><code class="language-bash">>
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
--list --topic Test-topic --resource-pattern-type match</code></pre>
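Review bot: Around the changed --list --topic '*' command, security.html still does not say why the wildcard is quoted. The reason is only in the commit message (bash replaces an unquoted * with file names from the current folder), which readers of the docs never see. One sentence next to the first quoted example would keep someone from dropping the quotes again.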