Sébastien Launay created KAFKA-3790:
---------------------------------------

             Summary: Default options when removing ACLs do not comply with documentation
                 Key: KAFKA-3790
                 URL: https://issues.apache.org/jira/browse/KAFKA-3790
             Project: Kafka
          Issue Type: Bug
    Affects Versions: 0.10.0.0, 0.9.0.1
            Reporter: Sébastien Launay
            Priority: Minor


When removing ACLs without providing options like principal, host or operation, 
we get a prompt for removing all the matching ACLs, but when executing the 
command none get removed.

The following commands can be used to reproduce the inconsistency:
{noformat}
$ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 -list -topic test
Current ACLs for resource `Topic:test`:


$ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Alice --operation Write --topic test --allow-host 1.2.3.4
Adding ACLs for resource `Topic:test`:
        User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4

Current ACLs for resource `Topic:test`:
        User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4

$ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:Alice --topic test
Are you sure you want to remove ACLs:
        User:Alice has Allow permission for operations: All from hosts: *
 from resource `Topic:test`? (y/n)
y
Current ACLs for resource `Topic:test`:
        User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4

{noformat}

*The Current ACLs for resource {{Topic:test}} is expected to be empty after the 
last command.*

Only a specific ACL (when all options mentioned above are provided) or else all 
the ACLs for a given resource (none of the options mentioned above are 
provided) can get removed as shown by the following code snippets:
{noformat}
  // AclCommand.scala
  ...
  private def removeAcl(opts: AclCommandOptions) {
    withAuthorizer(opts) { authorizer =>
      val resourceToAcl = getResourceToAcls(opts)

      for ((resource, acls) <- resourceToAcl) {
        if (acls.isEmpty) {
          if (confirmAction(opts, s"Are you sure you want to delete all ACLs for resource `${resource}`? (y/n)"))
            authorizer.removeAcls(resource)
        } else {
          if (confirmAction(opts, s"Are you sure you want to remove ACLs: $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline from resource `${resource}`? (y/n)"))
            authorizer.removeAcls(acls, resource)
        }
      }

      listAcl(opts)
    }
  }
...
  // SimpleAclAuthorizer.scala
...
  override def removeAcls(aclsTobeRemoved: Set[Acl], resource: Resource): Boolean = {
     inWriteLock(lock) {
       updateResourceAcls(resource) { currentAcls =>
        currentAcls -- aclsTobeRemoved
       }
     }
   }
{noformat}

A workaround consists of listing the ACL in order to know which exact one to 
remove, which makes the automation of ACL management trickier.



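The workaround described in the report, sketched as an added example (not code from the report or from the Kafka project): it parses list output in the format shown above, one ACL per line, and prints an exact-match `--remove` argument line for each stored ACL. The function names and the `User:Bob` Deny entry are constructed for illustration, and `--deny-principal`, `--deny-host` and `--group` are `kafka-acls.sh` options that do not appear in the report.

```shell
#!/usr/bin/env bash
# Added example: turn `kafka-acls.sh --list` output (stdin) into exact-match
# --remove arguments, one line per stored ACL, for review before running.

acl_remove_args() {
  awk '
    # Resource header: Current ACLs for resource `Topic:test`:
    /^Current ACLs for resource `/ {
      split($0, r, "`")
      sep = index(r[2], ":")
      rtype = substr(r[2], 1, sep - 1)
      rname = substr(r[2], sep + 1)
      flag = (rtype == "Topic") ? "--topic" : ((rtype == "Group") ? "--group" : "")
      next
    }
    # ACL line: <principal> has <Allow|Deny> permission for operations: <op> from hosts: <host>
    flag != "" && / has (Allow|Deny) permission for operations: .* from hosts: / {
      line = $0
      gsub(/^[ \t]+|[ \t]+$/, "", line)
      p = index(line, " has ")
      principal = substr(line, 1, p - 1)
      split(substr(line, p + 5), a, " permission for operations: ")
      split(a[2], b, " from hosts: ")
      kind = tolower(a[1])   # allow or deny, selects the matching option pair
      q = "\047"             # single quote, keeps * and spaces literal
      printf "--remove --%s-principal %s%s%s --operation %s --%s-host %s%s%s %s %s%s%s\n",
             kind, q, principal, q, b[1], kind, q, b[2], q, flag, q, rname, q
    }
  '
}

# Constructed sample: the Alice entry is from the report, the Bob entry is made up.
sample_list_output() {
  cat <<'EOF'
Current ACLs for resource `Topic:test`:
	User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4
	User:Bob has Deny permission for operations: Read from hosts: *
EOF
}

sample_list_output | acl_remove_args
```

Each printed line carries the principal, operation and host exactly as stored, so the ACL set passed to `removeAcls` equals an existing entry and the set difference actually removes it.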