Merge pull request #279 from deviceinsight/feature/acl

more granular control when listing/deleting acls

Author: d-rk

CHANGELOG.md

@@ -5,6 +5,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
+### Added
+- [#276](https://github.com/deviceinsight/kafkactl/issues/276) More granular control when listing/deleting acls
+
+### Fixed
 - Do not commit offset for messages over the max-messages
 
 ## 5.10.1 - 2025-07-02

README.adoc

@@ -1036,6 +1036,10 @@ kafkactl get access-control-list
 kafkactl get acl --topics
 # filter only consumer group resources with operation read
 kafkactl get acl --groups --operation read
+# filter specific topic and user
+kafkactl get acl --resource-name my-topic --principal User:myUser
+# filter specific topic and host
+kafkactl get acl --resource-name my-topic --host my-host
 ----
 
 ==== Delete ACLs
@@ -1050,6 +1054,10 @@ kafkactl delete acl --topics --operation any --pattern any
 kafkactl delete acl --cluster --operation any --pattern any
 # delete all consumer-group acls with operation describe, patternType prefixed and permissionType allow
 kafkactl delete acl --groups --operation describe --pattern prefixed --allow
+# delete all topic acls for a principal
+kafkactl delete acl --topics --operation any --pattern any --prinicipal User:myUser
+# delete all topic acls for a host
+kafkactl delete acl --topics --operation any --pattern any --host my-host
 ----
 
 === Getting Brokers

cmd/deletion/delete-acl.go

@@ -27,6 +27,9 @@ func newDeleteACLCmd() *cobra.Command {
 	cmdDeleteACL.Flags().StringVarP(&flags.Operation, "operation", "o", "", "operation of acl")
 	cmdDeleteACL.Flags().StringVarP(&flags.PatternType, "pattern", "", "", "pattern type. one of (any, match, prefixed, literal)")
 
+	cmdDeleteACL.Flags().StringVarP(&flags.Principal, "principal", "p", "", "principal of acl")
+	cmdDeleteACL.Flags().StringVarP(&flags.Host, "host", "", "", "host of acl")
+
 	// specify permissionType
 	cmdDeleteACL.Flags().BoolVarP(&flags.Allow, "allow", "a", false, "acl of permissionType 'allow'")
 	cmdDeleteACL.Flags().BoolVarP(&flags.Deny, "deny", "d", false, "acl of permissionType 'deny'")

cmd/deletion/delete-acl_test.go

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/deviceinsight/kafkactl/v5/internal/acl"
+
 	"github.com/deviceinsight/kafkactl/v5/internal/testutil"
 )
 
@@ -62,3 +64,105 @@ func TestDeleteTopicReadAclIntegration(t *testing.T) {
 
 	testutil.AssertErrorContainsOneOf(t, []string{pre28ErrorMessage, errorMessage}, err)
 }
+
+func TestDeleteAclByPrincipalIntegration(t *testing.T) {
+
+	testutil.StartIntegrationTestWithContext(t, "sasl-admin")
+
+	kafkaCtl := testutil.CreateKafkaCtlCommand()
+
+	topicName := testutil.CreateTopic(t, "acl-topic-principal")
+
+	// add read acl
+	if _, err := kafkaCtl.Execute("create", "acl", "--topic", topicName, "--operation", "read", "--allow", "--principal", "User:user"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// add write acl for other user
+	if _, err := kafkaCtl.Execute("create", "acl", "--topic", topicName, "--operation", "read", "--allow", "--principal", "User:admin"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// list acls
+	if _, err := kafkaCtl.Execute("get", "acl", "--resource-name", topicName, "-o", "yaml"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	acls, err := acl.FromYaml(kafkaCtl.GetStdOut())
+	if err != nil {
+		t.Fatalf("failed to read yaml: %v", err)
+	}
+	testutil.AssertIntEquals(t, 1, len(acls))
+	testutil.AssertIntEquals(t, 2, len(acls[0].Acls))
+	testutil.AssertEquals(t, "User:user", acls[0].Acls[0].Principal)
+	testutil.AssertEquals(t, "User:admin", acls[0].Acls[1].Principal)
+
+	// delete the acl
+	if _, err := kafkaCtl.Execute("delete", "acl", "--topics", "--operation", "read", "--principal", "User:user", "--pattern", "literal"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// list acls
+	if _, err := kafkaCtl.Execute("get", "acl", "--resource-name", topicName, "-o", "yaml"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	acls, err = acl.FromYaml(kafkaCtl.GetStdOut())
+	if err != nil {
+		t.Fatalf("failed to read yaml: %v", err)
+	}
+	testutil.AssertIntEquals(t, 1, len(acls))
+	testutil.AssertIntEquals(t, 1, len(acls[0].Acls))
+	testutil.AssertEquals(t, "User:admin", acls[0].Acls[0].Principal)
+}
+
+func TestDeleteAclByHostIntegration(t *testing.T) {
+
+	testutil.StartIntegrationTestWithContext(t, "sasl-admin")
+
+	kafkaCtl := testutil.CreateKafkaCtlCommand()
+
+	topicName := testutil.CreateTopic(t, "acl-topic-host")
+
+	// add acl for host-a
+	if _, err := kafkaCtl.Execute("create", "acl", "--topic", topicName, "--operation", "read", "--allow", "--principal", "User:user", "--host", "host-a"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// add acl for host-b
+	if _, err := kafkaCtl.Execute("create", "acl", "--topic", topicName, "--operation", "read", "--allow", "--principal", "User:user", "--host", "host-b"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// list acls
+	if _, err := kafkaCtl.Execute("get", "acl", "--resource-name", topicName, "-o", "yaml"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	acls, err := acl.FromYaml(kafkaCtl.GetStdOut())
+	if err != nil {
+		t.Fatalf("failed to read yaml: %v", err)
+	}
+	testutil.AssertIntEquals(t, 1, len(acls))
+	testutil.AssertIntEquals(t, 2, len(acls[0].Acls))
+	testutil.AssertEquals(t, "host-a", acls[0].Acls[0].Host)
+	testutil.AssertEquals(t, "host-b", acls[0].Acls[1].Host)
+
+	// delete the acl
+	if _, err := kafkaCtl.Execute("delete", "acl", "--topics", "--operation", "read", "--host", "host-a", "--pattern", "literal"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// list acls
+	if _, err := kafkaCtl.Execute("get", "acl", "--resource-name", topicName, "-o", "yaml"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	acls, err = acl.FromYaml(kafkaCtl.GetStdOut())
+	if err != nil {
+		t.Fatalf("failed to read yaml: %v", err)
+	}
+	testutil.AssertIntEquals(t, 1, len(acls))
+	testutil.AssertIntEquals(t, 1, len(acls[0].Acls))
+	testutil.AssertEquals(t, "host-b", acls[0].Acls[0].Host)
+}

cmd/get/get-acl.go

@@ -27,6 +27,10 @@ func newGetACLCmd() *cobra.Command {
 	cmdGetAcls.Flags().StringVarP(&flags.Operation, "operation", "", "any", "operation of acl")
 	cmdGetAcls.Flags().StringVarP(&flags.PatternType, "pattern", "", "any", "pattern type. one of (any, match, prefixed, literal)")
 
+	cmdGetAcls.Flags().StringVarP(&flags.ResourceName, "resource-name", "r", "", "resource name of acl (e.g. topic name)")
+	cmdGetAcls.Flags().StringVarP(&flags.Principal, "principal", "p", "", "principal of acl")
+	cmdGetAcls.Flags().StringVarP(&flags.Host, "host", "", "", "host of acl")
+
 	// specify permissionType
 	cmdGetAcls.Flags().BoolVarP(&flags.Allow, "allow", "a", false, "acl of permissionType 'allow'")
 	cmdGetAcls.Flags().BoolVarP(&flags.Deny, "deny", "d", false, "acl of permissionType 'deny'")

cmd/get/get-acl_test.go

@@ -6,6 +6,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/deviceinsight/kafkactl/v5/internal/acl"
+
 	"github.com/deviceinsight/kafkactl/v5/internal/testutil"
 )
 
@@ -37,3 +39,67 @@ func TestGetTopicReadAclIntegration(t *testing.T) {
 
 	testutil.AssertContains(t, fmt.Sprintf("Topic %s Literal User:user * Read Allow", topicName), outputLines)
 }
+
+func TestGetAclByPrincipalIntegration(t *testing.T) {
+
+	testutil.StartIntegrationTestWithContext(t, "sasl-admin")
+
+	kafkaCtl := testutil.CreateKafkaCtlCommand()
+
+	topicName := testutil.CreateTopic(t, "acl-get-topic-principal")
+
+	// add read acl
+	if _, err := kafkaCtl.Execute("create", "acl", "--topic", topicName, "--operation", "read", "--allow", "--principal", "User:user"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// add write acl for other user
+	if _, err := kafkaCtl.Execute("create", "acl", "--topic", topicName, "--operation", "read", "--allow", "--principal", "User:admin"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// list acls
+	if _, err := kafkaCtl.Execute("get", "acl", "--resource-name", topicName, "--principal", "User:user", "-o", "yaml"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	acls, err := acl.FromYaml(kafkaCtl.GetStdOut())
+	if err != nil {
+		t.Fatalf("failed to read yaml: %v", err)
+	}
+	testutil.AssertIntEquals(t, 1, len(acls))
+	testutil.AssertIntEquals(t, 1, len(acls[0].Acls))
+	testutil.AssertEquals(t, "User:user", acls[0].Acls[0].Principal)
+}
+
+func TestGetAclByHostIntegration(t *testing.T) {
+
+	testutil.StartIntegrationTestWithContext(t, "sasl-admin")
+
+	kafkaCtl := testutil.CreateKafkaCtlCommand()
+
+	topicName := testutil.CreateTopic(t, "acl-get-topic-host")
+
+	// add acl for host-a
+	if _, err := kafkaCtl.Execute("create", "acl", "--topic", topicName, "--operation", "read", "--allow", "--principal", "User:user", "--host", "host-a"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// add acl for host-b
+	if _, err := kafkaCtl.Execute("create", "acl", "--topic", topicName, "--operation", "read", "--allow", "--principal", "User:user", "--host", "host-b"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	// list acls
+	if _, err := kafkaCtl.Execute("get", "acl", "--resource-name", topicName, "--host", "host-a", "-o", "yaml"); err != nil {
+		t.Fatalf("failed to execute command: %v", err)
+	}
+
+	acls, err := acl.FromYaml(kafkaCtl.GetStdOut())
+	if err != nil {
+		t.Fatalf("failed to read yaml: %v", err)
+	}
+	testutil.AssertIntEquals(t, 1, len(acls))
+	testutil.AssertIntEquals(t, 1, len(acls[0].Acls))
+	testutil.AssertEquals(t, "host-a", acls[0].Acls[0].Host)
+}

internal/acl/acl-operation.go

@@ -6,6 +6,7 @@ import (
 	"github.com/deviceinsight/kafkactl/v5/internal/output"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"gopkg.in/yaml.v2"
 )
 
 type ResourceACLEntry struct {
@@ -26,7 +27,10 @@ type GetACLFlags struct {
 	OutputFormat string
 	FilterTopic  string
 	Operation    string
+	ResourceName string
 	PatternType  string
+	Principal    string
+	Host         string
 	Allow        bool
 	Deny         bool
 	Topics       bool
@@ -54,6 +58,8 @@ type DeleteACLFlags struct {
 	Cluster      bool
 	Allow        bool
 	Deny         bool
+	Principal    string
+	Host         string
 	Operation    string
 	PatternType  string
 }
@@ -118,6 +124,18 @@ func (operation *Operation) GetACL(flags GetACLFlags) error {
 		filter.ResourcePatternTypeFilter = patternTypeFromString(flags.PatternType)
 	}
 
+	if flags.ResourceName != "" {
+		filter.ResourceName = &flags.ResourceName
+	}
+
+	if flags.Principal != "" {
+		filter.Principal = &flags.Principal
+	}
+
+	if flags.Host != "" {
+		filter.Host = &flags.Host
+	}
+
 	if acls, err = admin.ListAcls(filter); err != nil {
 		return errors.Wrap(err, "failed to list acls")
 	}
@@ -300,6 +318,14 @@ func (operation *Operation) DeleteACL(flags DeleteACLFlags) error {
 		filter.ResourcePatternTypeFilter = patternTypeFromString(flags.PatternType)
 	}
 
+	if flags.Principal != "" {
+		filter.Principal = &flags.Principal
+	}
+
+	if flags.Host != "" {
+		filter.Host = &flags.Host
+	}
+
 	if matchingACL, err = admin.DeleteACL(filter, flags.ValidateOnly); err != nil {
 		return errors.Wrap(err, "failed to delete acl")
 	}
@@ -370,3 +396,9 @@ func CompleteCreateACL(_ *cobra.Command, _ []string, _ string) ([]string, cobra.
 	output.Infof("complete")
 	return nil, cobra.ShellCompDirectiveError
 }
+
+func FromYaml(yamlString string) ([]ResourceACLEntry, error) {
+	var entries []ResourceACLEntry
+	err := yaml.Unmarshal([]byte(yamlString), &entries)
+	return entries, err
+}

internal/testutil/test_util.go

@@ -183,6 +183,13 @@ func AssertEquals(t *testing.T, expected, actual string) {
 	}
 }
 
+func AssertIntEquals(t *testing.T, expected, actual int) {
+	t.Helper()
+	if actual != expected {
+		t.Fatalf("unexpected output:\nexpected:\n--\n%d\n--\nactual:\n--\n%d\n--", expected, actual)
+	}
+}
+
 func AssertArraysEquals(t *testing.T, expected, actual []string) {
 	t.Helper()
 	sort.Strings(expected)