Comments (14)
I am using the latest version 0.2.15.
This seems to be a complete blocker. Can this please be taken up on priority?
from kafka-gitops.
Hi @jaykatti, can you provide an example state.yaml file to help reproduce?
Do note that ACLs do not update, they only add/remove. (so a change to an ACL should have one create and one delete).
from kafka-gitops.
Hello Shawn @devshawn , Thanks for your response !
For the below sample state.yaml, if I have to change the permission for describe_configs_topic to "DENY", I change the permission to "DENY" for that block and then run the kafka-gitops command for validate, plan.
When I run the plan, I see that the plan indicates "Delete" or "Remove" for all the ACLs present in my system and not just the ones in the yaml file.
customUserAcls:
  User:kattijay:
    describe_configs_topic:
      name: topic1
      pattern: LITERAL
      host: ""
      permission: ALLOW
      type: TOPIC
      operation: DESCRIBE_CONFIGS
    describe_topic:
      name: topic1
      pattern: LITERAL
      host: ""
      permission: ALLOW
      type: TOPIC
      operation: DESCRIBE
    write_topic:
      name: topic1
      pattern: LITERAL
      host: ""
      permission: ALLOW
      type: TOPIC
      operation: WRITE
    read_topic:
      name: topic1
      pattern: LITERAL
      host: ""
      permission: ALLOW
      type: TOPIC
      operation: READ
from kafka-gitops.
host above is * for all the records.
from kafka-gitops.
Hello @devshawn, any further update for me on this, please?
from kafka-gitops.
I have generated a yaml (initial state) for my existing cluster. Now, this includes a large list of users and ACLs. I will use this as my base configuration and start modifying it based on the requirement. Either update an ACL or delete or add a new one.
Say I want to add a new ACL to the existing list, how do I go about this? I do not want any of my existing ACLs to be deleted.
Kindly advise at the earliest as I need to get this wrapped up and start using it on our cluster.
Thanks,
Jay.
from kafka-gitops.
Hi @jaykatti,
You have to have every ACL listed in your state file. So you need to take your existing cluster and make an initial state file with all topics / ACLs until you run a plan and it says there are no changes. Then, you can start adding/removing ACLs and it will only have the changes you want.
Or am I misunderstanding the situation?
from kafka-gitops.
Hi @jaykatti
You're stating a customUserAcls in the above text - do you have a matching users in your state.yaml file as well?
Every customUserAcls and customServiceAcls is connected to a matching users and service respectively.
If you're only claiming the customUserAcls in your state file without the matching users definition, then the plan will disregard the customUserAcls listed in your state file.
For example, if I were to add a customUserAcls named Access_Bob then I'd have in my state file:
users:
  Access_Bob:
    principal: User:Bob
customUserAcls:
  Access_Bob:
    read-kstream-topics:
      name: kstream-
      type: TOPIC
      pattern: PREFIXED
      host: "*"
      operation: READ
      permission: ALLOW
from kafka-gitops.
Oh!! Okay, let me try that.
Thanks! I will keep you posted.
from kafka-gitops.
Sorry, closed by mistake
from kafka-gitops.
Hello @fireydagostino @devshawn
I tried with that and it seems to be working. So many thanks!
Do we also need to list all the topics as part of the state.yaml?
I see, when I run the plan, it is marking the topics for deletion, even though there are ACLs for those topics.
Kindly confirm!
Thanks,
Jay.
from kafka-gitops.
Yeah @jaykatti
The state file literally claims everything that should be present within the current state of your Kafka cluster.
Any topics/ACLs that are on Kafka, but not defined in your state, will be privy to deletion upon execution - and respectively the opposite for topics/ACLs defined in your state but not present on Kafka.
Your state.yaml file will need
- default options / blacklisted topic prefixes
- topics
- users + customUserAcl
- services + customServiceAcl
In my production environment, we have some of these separated into specific directories/files pertaining to different teams/technologies and then utilize yq4 to merge all the information into the state.yaml file.
from kafka-gitops.
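The behaviour described in this thread, as an added example that is not kafka-gitops code and not part of the original comments: a simplified Python model of a plan that treats the state file as the complete desired state. The `Acl` tuple, the `plan` function and the `User:Alice` entry are constructed for illustration; the `Access_Bob` block follows the example given above.

```python
# Simplified model of declarative ACL reconciliation (not kafka-gitops source).
from typing import NamedTuple

class Acl(NamedTuple):
    principal: str
    name: str
    type: str
    pattern: str
    host: str
    operation: str
    permission: str

def desired_acls(state: dict) -> set:
    """Expand customUserAcls into ACL tuples, skipping blocks with no users entry."""
    users = state.get("users", {})
    out = set()
    for user, acls in state.get("customUserAcls", {}).items():
        if user not in users:
            continue  # per the thread: disregarded without a matching users entry
        principal = users[user]["principal"]
        for spec in acls.values():
            out.add(Acl(principal, spec["name"], spec["type"], spec["pattern"],
                        spec["host"], spec["operation"], spec["permission"]))
    return out

def plan(state: dict, cluster: set) -> dict:
    """ACLs are never updated in place: a changed ACL is one delete plus one create."""
    want = desired_acls(state)
    return {"create": want - cluster, "delete": cluster - want}

def bob(permission: str) -> Acl:  # constructed sample ACL for User:Bob
    return Acl("User:Bob", "kstream-", "TOPIC", "PREFIXED", "*", "READ", permission)

# Constructed sample data: what the cluster holds today, and a state file that
# flips Bob's READ to DENY and does not mention Alice's ACL at all.
CLUSTER = {bob("ALLOW"),
           Acl("User:Alice", "topic1", "TOPIC", "LITERAL", "*", "WRITE", "ALLOW")}
ACLS = {"Access_Bob": {"read-kstream-topics": {
    "name": "kstream-", "type": "TOPIC", "pattern": "PREFIXED",
    "host": "*", "operation": "READ", "permission": "DENY"}}}

def scenarios():
    no_users = plan({"customUserAcls": ACLS}, CLUSTER)
    with_users = plan({"users": {"Access_Bob": {"principal": "User:Bob"}},
                       "customUserAcls": ACLS}, CLUSTER)
    return no_users, with_users

if __name__ == "__main__":
    for label, p in zip(("without users", "with users"), scenarios()):
        print(label, "create:", len(p["create"]), "delete:", len(p["delete"]))
```

In both scenarios the unlisted `User:Alice` ACL lands in the delete set, which is why the initial state file has to reproduce the whole cluster until the plan reports no changes.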