
Comments (14)

jaykatti commented on May 29, 2024

I am using the latest version 0.2.15.
This seems to be a complete blocker. Can this please be taken up on priority?

from kafka-gitops.

devshawn commented on May 29, 2024

Hi @jaykatti, can you provide an example state.yaml file to help reproduce?

Do note that ACLs do not update, they only add/remove. (so a change to an ACL should have one create and one delete).

jaykatti commented on May 29, 2024

Hello Shawn @devshawn, thanks for your response!

For the below sample state.yaml, if I have to change the permission for describe_configs_topic to "DENY", I change the permission to "DENY" for that block and then run the kafka-gitops commands for validate and plan.
When I run the plan, I see that the plan indicates "Delete" or "Remove" for all the ACLs present in my system and not just the ones in the YAML file.

customUserAcls:
  User:kattijay:
    describe_configs_topic:
      name: topic1
      pattern: LITERAL
      host: "*"
      permission: ALLOW
      type: TOPIC
      operation: DESCRIBE_CONFIGS
    describe_topic:
      name: topic1
      pattern: LITERAL
      host: "*"
      permission: ALLOW
      type: TOPIC
      operation: DESCRIBE
    write_topic:
      name: topic1
      pattern: LITERAL
      host: "*"
      permission: ALLOW
      type: TOPIC
      operation: WRITE
    read_topic:
      name: topic1
      pattern: LITERAL
      host: "*"
      permission: ALLOW
      type: TOPIC
      operation: READ

jaykatti commented on May 29, 2024

host above is * for all the records.

jaykatti commented on May 29, 2024

Hello @devshawn, any further update for me on this please?

jaykatti commented on May 29, 2024

> Hi @jaykatti, can you provide an example state.yaml file to help reproduce?
>
> Do note that ACLs do not update, they only add/remove. (so a change to an ACL should have one create and one delete).

I have generated a YAML (initial state) for my existing cluster. Now, this includes a large list of users and ACLs. I will use this as my base configuration and start modifying it based on the requirement: either update an ACL, delete one, or add a new one.
Say I want to add a new ACL to the existing list. How do I go about this? I do not want any of my existing ACLs to be deleted.

Kindly advise at the earliest as I need to get this wrapped up and start using it on our cluster.

Thanks,
Jay.

devshawn commented on May 29, 2024

Hi @jaykatti,

You have to have every ACL listed in your state file. So you need to take your existing cluster and make an initial state file with all topics / ACLs until you run a plan and it says there are no changes. Then, you can start adding/removing ACLs and it will only have the changes you want.

Or am I misunderstanding the situation?

fireydagostino commented on May 29, 2024

Hi @jaykatti

You're stating a customUserAcls in the above text - do you have a matching users in your state.yaml file as well?

Every customUserAcls and customServiceAcls is connected to a matching users and service respectively.

If you're only claiming the customUserAcls in your state file without the matching users definition, then the plan will disregard the customUserAcls listed in your state file.

For example, if I were to add a customUserAcls named Access_Bob then I'd have in my state file:

users:
  Access_Bob:
    principal: User:Bob
customUserAcls:
  Access_Bob:
    read-kstream-topics:
      name: kstream-
      type: TOPIC
      pattern: PREFIXED
      host: "*"
      operation: READ
      permission: ALLOW

jaykatti commented on May 29, 2024

> Hi @jaykatti
>
> You're stating a customUserAcls in the above text - do you have a matching users in your state.yaml file as well?
>
> Every customUserAcls and customServiceAcls is connected to a matching users and service respectively.
>
> If you're only claiming the customUserAcls in your state file without the matching users definition, then the plan will disregard the customUserAcls listed in your state file.
>
> For example, if I were to add a customUserAcls named Access_Bob then I'd have in my state file:
>
> users:
>   Access_Bob:
>     principal: User:Bob
> customUserAcls:
>   Access_Bob:
>     read-kstream-topics:
>       name: kstream-
>       type: TOPIC
>       pattern: PREFIXED
>       host: "*"
>       operation: READ
>       permission: ALLOW

Oh! Okay, let me try that.

Thanks! I will keep you posted.

jaykatti commented on May 29, 2024

Sorry, closed by mistake

jaykatti commented on May 29, 2024

> > Hi @jaykatti
> > You're stating a customUserAcls in the above text - do you have a matching users in your state.yaml file as well?
> > Every customUserAcls and customServiceAcls is connected to a matching users and service respectively.
> > If you're only claiming the customUserAcls in your state file without the matching users definition, then the plan will disregard the customUserAcls listed in your state file.
> > For example, if I were to add a customUserAcls named Access_Bob then I'd have in my state file:
> >
> > users:
> >   Access_Bob:
> >     principal: User:Bob
> > customUserAcls:
> >   Access_Bob:
> >     read-kstream-topics:
> >       name: kstream-
> >       type: TOPIC
> >       pattern: PREFIXED
> >       host: "*"
> >       operation: READ
> >       permission: ALLOW
>
> Oh! Okay, let me try that.
>
> Thanks! I will keep you posted.

Hello @fireydagostino @devshawn

I tried with that and it seems to be working. So many thanks!

Do we also need to list all the topics as part of the state.yaml?
I see, when I run the plan, it is marking the topics for deletion, even though there are ACLs for those topics.
Kindly confirm!

Thanks,
Jay.

fireydagostino commented on May 29, 2024

Yeah @jaykatti

The state file literally claims everything that should be present within the current state of your Kafka cluster.

Any topics/ACLs that are on Kafka, but not defined in your state, will be privy to deletion upon execution - and respectively the opposite for topics/ACLs defined in your state but not present on Kafka.

Your state.yaml file will need

  • default options / blacklisted topic prefixes
  • topics
  • users + customUserAcl
  • services + customServiceAcl

In my production environment, we have some of these separated into specific directories/files pertaining to different teams/technologies and then utilize yq4 to merge all the information into the state.yaml file.

from kafka-gitops.
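Added example, not part of the thread and not kafka-gitops code: a simplified Python model of the plan behaviour the replies above describe, showing why a `customUserAcls` block without a matching `users` entry turns every live ACL into a delete, and why an ALLOW to DENY change is one delete plus one create. The `services` key, the `principal` field on it, all function names and the sample cluster are assumptions made for illustration.

```python
# Added illustration: a simplified model of the plan behaviour described in
# this thread, not kafka-gitops source code. All sample values are constructed.
from collections import namedtuple

Acl = namedtuple("Acl", "principal name type pattern host operation permission")
SECTIONS = (("users", "customUserAcls"), ("services", "customServiceAcls"))

def orphaned_blocks(state):
    """Custom ACL blocks whose key has no matching users/services entry."""
    return sorted(f"{acl_key}.{owner}" for own_key, acl_key in SECTIONS
                  for owner in (state.get(acl_key) or {})
                  if owner not in (state.get(own_key) or {}))

def desired_acls(state):
    """ACLs the state file effectively declares (orphaned blocks are skipped)."""
    want = set()
    for own_key, acl_key in SECTIONS:
        owners = state.get(own_key) or {}
        for owner, acls in (state.get(acl_key) or {}).items():
            if owner not in owners:
                continue  # no matching definition: contributes nothing
            for a in acls.values():
                want.add(Acl(owners[owner]["principal"], a["name"], a["type"],
                             a["pattern"], a["host"], a["operation"],
                             a["permission"]))
    return want

def plan(state, cluster):
    """ACLs are never updated in place: a change is one delete plus one create."""
    want = desired_acls(state)
    return {"create": want - cluster, "delete": cluster - want}

def topic1_acl(operation, permission="ALLOW"):  # constructed sample ACL
    return {"name": "topic1", "type": "TOPIC", "pattern": "LITERAL",
            "host": "*", "operation": operation, "permission": permission}

OPS = ("DESCRIBE_CONFIGS", "DESCRIBE", "WRITE", "READ")
CLUSTER = {Acl("User:kattijay", **topic1_acl(op)) for op in OPS}  # live ACLs

def make_state(with_user, describe_configs="ALLOW"):
    acls = {op.lower(): topic1_acl(op) for op in OPS}
    acls["describe_configs"]["permission"] = describe_configs
    state = {"customUserAcls": {"kattijay": acls}}
    if with_user:
        state["users"] = {"kattijay": {"principal": "User:kattijay"}}
    return state

if __name__ == "__main__":
    for st in (make_state(False), make_state(True), make_state(True, "DENY")):
        print(orphaned_blocks(st), plan(st, CLUSTER))
```

Running `orphaned_blocks` on the parsed state file before a plan is a cheap guard against a plan that would strip every ACL from the cluster.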
