cmccabe commented on a change in pull request #10550: URL: https://github.com/apache/kafka/pull/10550#discussion_r630601127
########## File path: tests/kafkatest/services/security/kafka_acls.py ########## @@ -66,17 +67,46 @@ def add_cluster_acl(self, kafka, principal, force_use_zk_connection=False, addit This is necessary for the case where we are bootstrapping ACLs before Kafka is started or before authorizer is enabled :param additional_cluster_operations_to_grant may be set to ['Alter', 'Create'] if the cluster is secured since these are required to create SCRAM credentials and topics, respectively + :param security_protocol set it to explicitly determine whether we use client or broker credentials, otherwise + we use the the client security protocol unless inter-broker security protocol is PLAINTEXT, in which case we use PLAINTEXT. + Then we use the broker's credentials if the selected security protocol matches the inter-broker security protocol, + otherwise we use the client's credentials. """ node = kafka.nodes[0] for operation in ['ClusterAction'] + additional_cluster_operations_to_grant: cmd = "%(cmd_prefix)s --add --cluster --operation=%(operation)s --allow-principal=%(principal)s" % { - 'cmd_prefix': kafka.kafka_acls_cmd_with_optional_security_settings(node, force_use_zk_connection), + 'cmd_prefix': kafka.kafka_acls_cmd_with_optional_security_settings(node, force_use_zk_connection, security_protocol), 'operation': operation, 'principal': principal } kafka.run_cli_tool(node, cmd) + def remove_cluster_acl(self, kafka, principal, force_use_zk_connection=False, additional_cluster_operations_to_remove = [], security_protocol=None): Review comment: Since this is new code, it would be really good to avoid introducing `force_use_zk_connection` here if possible. I can't see anywhere in this PR where it is used, is this really necessary? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org