[GitHub] [kafka] cmccabe commented on a change in pull request #10550: MINOR: Add support for ZK Authorizer with KRaft

Tue, 11 May 2021 16:21:34 -0700 


cmccabe commented on a change in pull request #10550:
URL: https://github.com/apache/kafka/pull/10550#discussion_r630601127



##########
File path: tests/kafkatest/services/security/kafka_acls.py
##########
@@ -66,17 +67,46 @@ def add_cluster_acl(self, kafka, principal, 
force_use_zk_connection=False, addit
                This is necessary for the case where we are bootstrapping ACLs 
before Kafka is started or before authorizer is enabled
         :param additional_cluster_operations_to_grant may be set to ['Alter', 
'Create'] if the cluster is secured since these are required
                to create SCRAM credentials and topics, respectively
+        :param security_protocol set it to explicitly determine whether we use 
client or broker credentials, otherwise
+                we use the the client security protocol unless inter-broker 
security protocol is PLAINTEXT, in which case we use PLAINTEXT.
+                Then we use the broker's credentials if the selected security 
protocol matches the inter-broker security protocol,
+                otherwise we use the client's credentials.
         """
         node = kafka.nodes[0]
 
         for operation in ['ClusterAction'] + 
additional_cluster_operations_to_grant:
             cmd = "%(cmd_prefix)s --add --cluster --operation=%(operation)s 
--allow-principal=%(principal)s" % {
-                'cmd_prefix': 
kafka.kafka_acls_cmd_with_optional_security_settings(node, 
force_use_zk_connection),
+                'cmd_prefix': 
kafka.kafka_acls_cmd_with_optional_security_settings(node, 
force_use_zk_connection, security_protocol),
                 'operation': operation,
                 'principal': principal
             }
             kafka.run_cli_tool(node, cmd)
 
+    def remove_cluster_acl(self, kafka, principal, 
force_use_zk_connection=False, additional_cluster_operations_to_remove = [], 
security_protocol=None):

Review comment:
       Since this is new code, it would be really good to avoid introducing 
`force_use_zk_connection` here if possible.  I can't see anywhere in this PR 
where it is used, is this really necessary?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to