kafka/tests/kafkatest/services/security/kafka_acls.py

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import time

class ACLs:
    def __init__(self, context):
        self.context = context

    def add_cluster_acl(self, kafka, principal, additional_cluster_operations_to_grant = [], security_protocol=None):
        """
        :param kafka: Kafka cluster upon which ClusterAction ACL is created
        :param principal: principal for which ClusterAction ACL is created
        :param node: Node to use when determining connection settings
        :param additional_cluster_operations_to_grant may be set to ['Alter', 'Create'] if the cluster is secured since these are required
               to create SCRAM credentials and topics, respectively
        :param security_protocol set it to explicitly determine whether we use client or broker credentials, otherwise
                we use the client security protocol unless inter-broker security protocol is PLAINTEXT, in which case we use PLAINTEXT.
                Then we use the broker's credentials if the selected security protocol matches the inter-broker security protocol,
                otherwise we use the client's credentials.
        """
        node = kafka.nodes[0]

        for operation in ['ClusterAction'] + additional_cluster_operations_to_grant:
            cmd = "%(cmd_prefix)s --add --cluster --operation=%(operation)s --allow-principal=%(principal)s" % {
                'cmd_prefix': kafka.kafka_acls_cmd_with_optional_security_settings(node, security_protocol),
                'operation': operation,
                'principal': principal
            }
            kafka.run_cli_tool(node, cmd)

    def remove_cluster_acl(self, kafka, principal, additional_cluster_operations_to_remove = [], security_protocol=None):
        """
        :param kafka: Kafka cluster upon which ClusterAction ACL is deleted
        :param principal: principal for which ClusterAction ACL is deleted
        :param node: Node to use when determining connection settings
        :param additional_cluster_operations_to_remove may be set to ['Alter', 'Create'] if the cluster is secured since these are required
               to create SCRAM credentials and topics, respectively
        :param security_protocol set it to explicitly determine whether we use client or broker credentials, otherwise
                we use the client security protocol unless inter-broker security protocol is PLAINTEXT, in which case we use PLAINTEXT.
                Then we use the broker's credentials if the selected security protocol matches the inter-broker security protocol,
                otherwise we use the client's credentials.
        """
        node = kafka.nodes[0]

        for operation in ['ClusterAction'] + additional_cluster_operations_to_remove:
            cmd = "%(cmd_prefix)s --remove --force --cluster --operation=%(operation)s --allow-principal=%(principal)s" % {
                'cmd_prefix': kafka.kafka_acls_cmd_with_optional_security_settings(node, security_protocol),
                'operation': operation,
                'principal': principal
            }
            kafka.logger.info(cmd)
            kafka.run_cli_tool(node, cmd)
KAFKA-2979: Enable authorizer and ACLs in ducktape tests Patch by fpj and benstopford. Author: flavio junqueira <fpj@apache.org> Author: Flavio Junqueira <fpj@apache.org> Author: Ben Stopford <benstopford@gmail.com> Reviewers: Ben Stopford <benstopford@gmail.com>, Geoff Anderson <geoff@confluent.io>, Ewen Cheslack-Postava <ewen@confluent.io> Closes #683 from fpj/KAFKA-2979 2016-01-08 12:04:24 +08:00			`# Licensed to the Apache Software Foundation (ASF) under one or more`
			`# contributor license agreements. See the NOTICE file distributed with`
			`# this work for additional information regarding copyright ownership.`
			`# The ASF licenses this file to You under the Apache License, Version 2.0`
			`# (the "License"); you may not use this file except in compliance with`
			`# the License. You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

MINOR: Support using the ZK authorizer with KRaft (#10550) This patch adds support for running the ZooKeeper-based kafka.security.authorizer.AclAuthorizer with KRaft clusters. Set the authorizer.class.name config as well as the zookeeper.connect config while also setting the typical KRaft configs (node.id, process.roles, etc.), and the cluster will use KRaft for metadata and ZooKeeper for ACL storage. A system test that exercises the authorizer is included. This patch also changes "Raft" to "KRaft" in several system test files. It also fixes a bug where system test admin clients were unable to connect to a cluster with broker credentials via the SSL security protocol when the broker was using that for inter-broker communication and SASL for client communication. Reviewers: Colin P. McCabe <cmccabe@apache.org>, Ismael Juma <ismael@juma.me.uk> 2021-05-20 01:32:56 +08:00			`import time`
KAFKA-2979: Enable authorizer and ACLs in ducktape tests Patch by fpj and benstopford. Author: flavio junqueira <fpj@apache.org> Author: Flavio Junqueira <fpj@apache.org> Author: Ben Stopford <benstopford@gmail.com> Reviewers: Ben Stopford <benstopford@gmail.com>, Geoff Anderson <geoff@confluent.io>, Ewen Cheslack-Postava <ewen@confluent.io> Closes #683 from fpj/KAFKA-2979 2016-01-08 12:04:24 +08:00
MINOR: ACLs for secured cluster system tests (#9378) This PR adds missing broker ACLs required to create topics and SCRAM credentials when ACLs are enabled for a system test. This PR also adds support for using PLAINTEXT as the inter broker security protocol when using SCRAM from the client in a system test with a secured cluster-- without this it would always be necessary to set both the inter-broker and client mechanisms to a SCRAM mechanism. Also contains some refactoring to make assumptions clearer. Reviewers: Rajini Sivaram <rajinisivaram@googlemail.com> 2020-10-09 22:34:53 +08:00			`class ACLs:`
KAFKA-3592: System test - configurable paths This patch adds logic for the following: - remove hard-coded paths to various scripts and jars in kafkatest service classes - provide a mechanism for overriding path resolution logic with a "pluggable" path resolver class Author: Geoff Anderson <geoff@confluent.io> Reviewers: Ewen Cheslack-Postava <ewen@confluent.io> Closes #1245 from granders/configurable-install-path 2016-05-07 02:10:27 +08:00			`def __init__(self, context):`
			`self.context = context`
KAFKA-2979: Enable authorizer and ACLs in ducktape tests Patch by fpj and benstopford. Author: flavio junqueira <fpj@apache.org> Author: Flavio Junqueira <fpj@apache.org> Author: Ben Stopford <benstopford@gmail.com> Reviewers: Ben Stopford <benstopford@gmail.com>, Geoff Anderson <geoff@confluent.io>, Ewen Cheslack-Postava <ewen@confluent.io> Closes #683 from fpj/KAFKA-2979 2016-01-08 12:04:24 +08:00
KAFKA-17715 Remove argument force_use_zk_connection from kafka_acls_cmd_with_optional_security_settings (#19209) The e2e tests currently cover version 2.1.0 and above. Thus, we can remove `force_use_zk_connection` in `kafka_acls_cmd_with_optional_security_settings` In contrast, the `force_use_zk_connection` in `kafka_topics_cmd_with_optional_security_settings` and `kafka_configs_cmd_with_optional_security_settings` still needs to be kept as `kafka-topics.sh` does not support `--bootstrap-server` in 2.1 and 2.2 e2e test result: ``` =========================================== SESSION REPORT (ALL TESTS) ducktape version: 0.12.0 session_id: 2025-07-02--001 run time: 200 minutes 28.399 seconds tests run: 90 passed: 90 flaky: 0 failed: 0 ignored: 0 =========================================== ``` Reviewers: Ken Huang <s7133700@gmail.com>, TengYao Chi <kitingiao@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com> 2025-07-09 17:07:56 +08:00			`def add_cluster_acl(self, kafka, principal, additional_cluster_operations_to_grant = [], security_protocol=None):`
KAFKA-10131: Remove use_zk_connection flag from ducktape (#9274) Reviewers: Colin P. McCabe <cmccabe@apache.org> 2020-09-15 06:56:21 +08:00			`"""`
			`:param kafka: Kafka cluster upon which ClusterAction ACL is created`
			`:param principal: principal for which ClusterAction ACL is created`
			`:param node: Node to use when determining connection settings`
MINOR: ACLs for secured cluster system tests (#9378) This PR adds missing broker ACLs required to create topics and SCRAM credentials when ACLs are enabled for a system test. This PR also adds support for using PLAINTEXT as the inter broker security protocol when using SCRAM from the client in a system test with a secured cluster-- without this it would always be necessary to set both the inter-broker and client mechanisms to a SCRAM mechanism. Also contains some refactoring to make assumptions clearer. Reviewers: Rajini Sivaram <rajinisivaram@googlemail.com> 2020-10-09 22:34:53 +08:00			`:param additional_cluster_operations_to_grant may be set to ['Alter', 'Create'] if the cluster is secured since these are required`
			`to create SCRAM credentials and topics, respectively`
MINOR: Support using the ZK authorizer with KRaft (#10550) This patch adds support for running the ZooKeeper-based kafka.security.authorizer.AclAuthorizer with KRaft clusters. Set the authorizer.class.name config as well as the zookeeper.connect config while also setting the typical KRaft configs (node.id, process.roles, etc.), and the cluster will use KRaft for metadata and ZooKeeper for ACL storage. A system test that exercises the authorizer is included. This patch also changes "Raft" to "KRaft" in several system test files. It also fixes a bug where system test admin clients were unable to connect to a cluster with broker credentials via the SSL security protocol when the broker was using that for inter-broker communication and SASL for client communication. Reviewers: Colin P. McCabe <cmccabe@apache.org>, Ismael Juma <ismael@juma.me.uk> 2021-05-20 01:32:56 +08:00			`:param security_protocol set it to explicitly determine whether we use client or broker credentials, otherwise`
MINOR: typo in javadoc (#20113) This PR fixes a typo in the Javadoc. --------- Signed-off-by: see-quick <maros.orsak159@gmail.com> Reviewers: Luke Chen <showuon@gmail.com> 2025-07-24 19:05:07 +08:00			`we use the client security protocol unless inter-broker security protocol is PLAINTEXT, in which case we use PLAINTEXT.`
MINOR: Support using the ZK authorizer with KRaft (#10550) This patch adds support for running the ZooKeeper-based kafka.security.authorizer.AclAuthorizer with KRaft clusters. Set the authorizer.class.name config as well as the zookeeper.connect config while also setting the typical KRaft configs (node.id, process.roles, etc.), and the cluster will use KRaft for metadata and ZooKeeper for ACL storage. A system test that exercises the authorizer is included. This patch also changes "Raft" to "KRaft" in several system test files. It also fixes a bug where system test admin clients were unable to connect to a cluster with broker credentials via the SSL security protocol when the broker was using that for inter-broker communication and SASL for client communication. Reviewers: Colin P. McCabe <cmccabe@apache.org>, Ismael Juma <ismael@juma.me.uk> 2021-05-20 01:32:56 +08:00			`Then we use the broker's credentials if the selected security protocol matches the inter-broker security protocol,`
			`otherwise we use the client's credentials.`
KAFKA-10131: Remove use_zk_connection flag from ducktape (#9274) Reviewers: Colin P. McCabe <cmccabe@apache.org> 2020-09-15 06:56:21 +08:00			`"""`
			`node = kafka.nodes[0]`

MINOR: ACLs for secured cluster system tests (#9378) This PR adds missing broker ACLs required to create topics and SCRAM credentials when ACLs are enabled for a system test. This PR also adds support for using PLAINTEXT as the inter broker security protocol when using SCRAM from the client in a system test with a secured cluster-- without this it would always be necessary to set both the inter-broker and client mechanisms to a SCRAM mechanism. Also contains some refactoring to make assumptions clearer. Reviewers: Rajini Sivaram <rajinisivaram@googlemail.com> 2020-10-09 22:34:53 +08:00			`for operation in ['ClusterAction'] + additional_cluster_operations_to_grant:`
			`cmd = "%(cmd_prefix)s --add --cluster --operation=%(operation)s --allow-principal=%(principal)s" % {`
KAFKA-17715 Remove argument force_use_zk_connection from kafka_acls_cmd_with_optional_security_settings (#19209) The e2e tests currently cover version 2.1.0 and above. Thus, we can remove `force_use_zk_connection` in `kafka_acls_cmd_with_optional_security_settings` In contrast, the `force_use_zk_connection` in `kafka_topics_cmd_with_optional_security_settings` and `kafka_configs_cmd_with_optional_security_settings` still needs to be kept as `kafka-topics.sh` does not support `--bootstrap-server` in 2.1 and 2.2 e2e test result: ``` =========================================== SESSION REPORT (ALL TESTS) ducktape version: 0.12.0 session_id: 2025-07-02--001 run time: 200 minutes 28.399 seconds tests run: 90 passed: 90 flaky: 0 failed: 0 ignored: 0 =========================================== ``` Reviewers: Ken Huang <s7133700@gmail.com>, TengYao Chi <kitingiao@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com> 2025-07-09 17:07:56 +08:00			`'cmd_prefix': kafka.kafka_acls_cmd_with_optional_security_settings(node, security_protocol),`
MINOR: ACLs for secured cluster system tests (#9378) This PR adds missing broker ACLs required to create topics and SCRAM credentials when ACLs are enabled for a system test. This PR also adds support for using PLAINTEXT as the inter broker security protocol when using SCRAM from the client in a system test with a secured cluster-- without this it would always be necessary to set both the inter-broker and client mechanisms to a SCRAM mechanism. Also contains some refactoring to make assumptions clearer. Reviewers: Rajini Sivaram <rajinisivaram@googlemail.com> 2020-10-09 22:34:53 +08:00			`'operation': operation,`
			`'principal': principal`
			`}`
			`kafka.run_cli_tool(node, cmd)`
KAFKA-2979: Enable authorizer and ACLs in ducktape tests Patch by fpj and benstopford. Author: flavio junqueira <fpj@apache.org> Author: Flavio Junqueira <fpj@apache.org> Author: Ben Stopford <benstopford@gmail.com> Reviewers: Ben Stopford <benstopford@gmail.com>, Geoff Anderson <geoff@confluent.io>, Ewen Cheslack-Postava <ewen@confluent.io> Closes #683 from fpj/KAFKA-2979 2016-01-08 12:04:24 +08:00
MINOR: Support using the ZK authorizer with KRaft (#10550) This patch adds support for running the ZooKeeper-based kafka.security.authorizer.AclAuthorizer with KRaft clusters. Set the authorizer.class.name config as well as the zookeeper.connect config while also setting the typical KRaft configs (node.id, process.roles, etc.), and the cluster will use KRaft for metadata and ZooKeeper for ACL storage. A system test that exercises the authorizer is included. This patch also changes "Raft" to "KRaft" in several system test files. It also fixes a bug where system test admin clients were unable to connect to a cluster with broker credentials via the SSL security protocol when the broker was using that for inter-broker communication and SASL for client communication. Reviewers: Colin P. McCabe <cmccabe@apache.org>, Ismael Juma <ismael@juma.me.uk> 2021-05-20 01:32:56 +08:00			`def remove_cluster_acl(self, kafka, principal, additional_cluster_operations_to_remove = [], security_protocol=None):`
			`"""`
			`:param kafka: Kafka cluster upon which ClusterAction ACL is deleted`
			`:param principal: principal for which ClusterAction ACL is deleted`
			`:param node: Node to use when determining connection settings`
			`:param additional_cluster_operations_to_remove may be set to ['Alter', 'Create'] if the cluster is secured since these are required`
			`to create SCRAM credentials and topics, respectively`
			`:param security_protocol set it to explicitly determine whether we use client or broker credentials, otherwise`
MINOR: typo in javadoc (#20113) This PR fixes a typo in the Javadoc. --------- Signed-off-by: see-quick <maros.orsak159@gmail.com> Reviewers: Luke Chen <showuon@gmail.com> 2025-07-24 19:05:07 +08:00			`we use the client security protocol unless inter-broker security protocol is PLAINTEXT, in which case we use PLAINTEXT.`
MINOR: Support using the ZK authorizer with KRaft (#10550) This patch adds support for running the ZooKeeper-based kafka.security.authorizer.AclAuthorizer with KRaft clusters. Set the authorizer.class.name config as well as the zookeeper.connect config while also setting the typical KRaft configs (node.id, process.roles, etc.), and the cluster will use KRaft for metadata and ZooKeeper for ACL storage. A system test that exercises the authorizer is included. This patch also changes "Raft" to "KRaft" in several system test files. It also fixes a bug where system test admin clients were unable to connect to a cluster with broker credentials via the SSL security protocol when the broker was using that for inter-broker communication and SASL for client communication. Reviewers: Colin P. McCabe <cmccabe@apache.org>, Ismael Juma <ismael@juma.me.uk> 2021-05-20 01:32:56 +08:00			`Then we use the broker's credentials if the selected security protocol matches the inter-broker security protocol,`
			`otherwise we use the client's credentials.`
			`"""`
			`node = kafka.nodes[0]`

			`for operation in ['ClusterAction'] + additional_cluster_operations_to_remove:`
			`cmd = "%(cmd_prefix)s --remove --force --cluster --operation=%(operation)s --allow-principal=%(principal)s" % {`
KAFKA-17715 Remove argument force_use_zk_connection from kafka_acls_cmd_with_optional_security_settings (#19209) The e2e tests currently cover version 2.1.0 and above. Thus, we can remove `force_use_zk_connection` in `kafka_acls_cmd_with_optional_security_settings` In contrast, the `force_use_zk_connection` in `kafka_topics_cmd_with_optional_security_settings` and `kafka_configs_cmd_with_optional_security_settings` still needs to be kept as `kafka-topics.sh` does not support `--bootstrap-server` in 2.1 and 2.2 e2e test result: ``` =========================================== SESSION REPORT (ALL TESTS) ducktape version: 0.12.0 session_id: 2025-07-02--001 run time: 200 minutes 28.399 seconds tests run: 90 passed: 90 flaky: 0 failed: 0 ignored: 0 =========================================== ``` Reviewers: Ken Huang <s7133700@gmail.com>, TengYao Chi <kitingiao@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com> 2025-07-09 17:07:56 +08:00			`'cmd_prefix': kafka.kafka_acls_cmd_with_optional_security_settings(node, security_protocol),`
MINOR: Support using the ZK authorizer with KRaft (#10550) This patch adds support for running the ZooKeeper-based kafka.security.authorizer.AclAuthorizer with KRaft clusters. Set the authorizer.class.name config as well as the zookeeper.connect config while also setting the typical KRaft configs (node.id, process.roles, etc.), and the cluster will use KRaft for metadata and ZooKeeper for ACL storage. A system test that exercises the authorizer is included. This patch also changes "Raft" to "KRaft" in several system test files. It also fixes a bug where system test admin clients were unable to connect to a cluster with broker credentials via the SSL security protocol when the broker was using that for inter-broker communication and SASL for client communication. Reviewers: Colin P. McCabe <cmccabe@apache.org>, Ismael Juma <ismael@juma.me.uk> 2021-05-20 01:32:56 +08:00			`'operation': operation,`
			`'principal': principal`
			`}`
			`kafka.logger.info(cmd)`
			`kafka.run_cli_tool(node, cmd)`