Sébastien Launay created KAFKA-3790:
---------------------------------------

             Summary: Default options when removing ACLs do not comply with documentation
                 Key: KAFKA-3790
                 URL: https://issues.apache.org/jira/browse/KAFKA-3790
             Project: Kafka
          Issue Type: Bug
    Affects Versions: 0.10.0.0, 0.9.0.1
            Reporter: Sébastien Launay
            Priority: Minor

When removing ACLs without providing options like principal, host or operation, we got a prompt for removing all the matching ACLs, but when executing the command none get removed.

The following commands can be used to reproduce the inconsistency:
{noformat}
$ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 -list -topic test
Current ACLs for resource `Topic:test`:

$ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Alice --operation Write --topic test --allow-host 1.2.3.4
Adding ACLs for resource `Topic:test`:
 	User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4

Current ACLs for resource `Topic:test`:
 	User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4

$ ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:Alice --topic test
Are you sure you want to remove ACLs:
 	User:Alice has Allow permission for operations: All from hosts: *
 from resource `Topic:test`? (y/n)
y
Current ACLs for resource `Topic:test`:
 	User:Alice has Allow permission for operations: Write from hosts: 1.2.3.4
{noformat}

*The Current ACLs for resource {{Topic:test}} is expected to be empty after the last command.*

Only a specific ACL (when all options mentioned above are provided) or else all the ACLs for a given resource (none of the options mentioned above are provided) can get removed, as shown by the following code snippets:
{noformat}
// AclCommand.scala
...
  private def removeAcl(opts: AclCommandOptions) {
    withAuthorizer(opts) { authorizer =>
      val resourceToAcl = getResourceToAcls(opts)

      for ((resource, acls) <- resourceToAcl) {
        if (acls.isEmpty) {
          if (confirmAction(opts, s"Are you sure you want to delete all ACLs for resource `${resource}`? (y/n)"))
            authorizer.removeAcls(resource)
        } else {
          if (confirmAction(opts, s"Are you sure you want to remove ACLs: $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline from resource `${resource}`? (y/n)"))
            authorizer.removeAcls(acls, resource)
        }
      }

      listAcl(opts)
    }
  }
...
// SimpleAclAuthorizer.scala
...
  override def removeAcls(aclsTobeRemoved: Set[Acl], resource: Resource): Boolean = {
    inWriteLock(lock) {
      updateResourceAcls(resource) { currentAcls =>
        currentAcls -- aclsTobeRemoved
      }
    }
  }
{noformat}

A workaround consists of listing the ACL in order to know which exact one to remove, which makes the automation of ACL management trickier.
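
The mismatch reported above, as an added Scala example that is not part of the original message or of Kafka's code base. `Acl` is a simplified stand-in case class, and `requestedWithDefaults`, `covers` and `removeMatching` are hypothetical helpers that put wildcard-aware removal next to the exact set difference used by `removeAcls`.

```scala
// Added illustration: simplified stand-ins, not Kafka's own classes.
object AclRemovalDemo {
  final case class Acl(principal: String, permission: String, host: String, operation: String)

  val WildcardHost = "*"
  val AllOperations = "All"

  // What the CLI builds for `--remove --allow-principal User:Alice` when no
  // --operation / --allow-host is given: defaults become literal field values.
  def requestedWithDefaults(principal: String): Set[Acl] =
    Set(Acl(principal, "Allow", WildcardHost, AllOperations))

  // Behaviour of the quoted removeAcls: plain set difference, exact equality only.
  def removeExact(current: Set[Acl], toRemove: Set[Acl]): Set[Acl] =
    current -- toRemove

  // Hypothetical alternative: "*" and "All" in the request act as wildcards,
  // so a request covers every stored ACL for that principal and permission.
  def covers(request: Acl, stored: Acl): Boolean =
    request.principal == stored.principal &&
      request.permission == stored.permission &&
      (request.host == WildcardHost || request.host == stored.host) &&
      (request.operation == AllOperations || request.operation == stored.operation)

  def removeMatching(current: Set[Acl], toRemove: Set[Acl]): Set[Acl] =
    current.filterNot(stored => toRemove.exists(covers(_, stored)))

  def main(args: Array[String]): Unit = {
    // Constructed sample state mirroring the reproduction steps, plus one
    // unrelated ACL to show that wildcard removal stays scoped to the principal.
    val stored = Set(
      Acl("User:Alice", "Allow", "1.2.3.4", "Write"),
      Acl("User:Bob", "Allow", "1.2.3.4", "Read"))
    val request = requestedWithDefaults("User:Alice")

    val afterExact = removeExact(stored, request)
    val afterMatching = removeMatching(stored, request)

    // Exact matching leaves the stored set unchanged despite the confirmed prompt.
    assert(afterExact == stored)
    // Wildcard matching drops Alice's ACL and keeps Bob's.
    assert(afterMatching == Set(Acl("User:Bob", "Allow", "1.2.3.4", "Read")))
    println(s"exact:    ${afterExact.size} ACL(s) remain")
    println(s"matching: ${afterMatching.size} ACL(s) remain")
  }
}
```

Because the exact-match path fails silently, automation that revokes access this way should compare the ACL listing after removal against the expected state rather than rely on the confirmation prompt.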