CLI-259: Add support for centralized ACLs

[arvindth]

What

Add support for centralized ACLs for the confluent cli tool.

Depends on confluentinc/mds-sdk-go#2

Differences between confluent and ccloud apis:

• confluent acl commands have been placed under confluent iam acl ... whereas existing ccloud acls commands are under ccloud kafka acl ...
  • ccloud placed this under kafka to underscore the point that only kafka acls could be manipulated, and not say schema registry acls.
  • The intention behind moving this under iam is to eventually specify the resource using CRN notation (not implemented yet except in Audit logs). At that point, both schema registry and kafka resources would be specified the same way, so the cli usage would be generic and would make more sense to consolidate with other security related commands under iam.
• confluent iam acl delete prints out a list of matching acls that got deleted. ccloud does not.

Other design decisions:

• Although the backend mds acl delete api allows specifying a filter for matching acls to delete, this is flexible enough to delete all acls by running something like:
  • confluent iam acl delete --kafka-cluster-id
  • To prevent users from accidentally deleting everything without meaning to, the cli deliberately requires users to specify principal/operation/host to narrow to individual acls to delete.
• Backward compatibility:
  • These acl commands will only work against a 5.4+ mds server. Running against a 5.3 server will throw a 404, which is caught by the cli and changed to a more informative error message about the backend version.
  • Until 5.4 is released, the new acl subcommand is wrapped in a feature flag that needs to be set to enable this feature.

References

Related PRs: Depends on confluentinc/mds-sdk-go#2
Related JIRA: CLI-259

Test & Review

Added unit tests. Build using make deps && make build. Test using make test

Run using the following sample commands:

# export XX_FLAG_CENTRALIZED_ACL_ENABLE=true
# confluent login --url http://localhost:8090
# confluent iam acl create --allow --principal User:1522 --operation READ --consumer-group java_example_group_1 --kafka-cluster-id my-cluster
# confluent iam acl create --allow --principal Group:testgroup --operation READ --kafka-cluster-id my-cluster --transactional-id xyz --prefix
# confluent iam acl list --kafka-cluster-id my-cluster
# confluent iam acl delete --allow --principal User:1522 --operation READ --consumer-group java_example_group_1 --kafka-cluster-id my-cluster --host '*'

Out of scope

• Backward compatibility: Have the help and completion dynamically hide/show the acl subcommand based on the version of the backend server. Out of scope because it requires:
  • implementation of a current cli context (in progress but not completed).
  • support from the mds server to return the current version for querying.
  • updates to the bash completion to potentially include a custom completion function to handle these cases
  • an upstream merge of zsh: added custom completions spf13/cobra#884 to enable custom zsh completions before they can be used for this task.

[codyaray]

lgtm

Man I can't wait til we have declarative policies for this stuff. These are some long gnarly commands.

[codyaray]

thanks!

[arvindth]

retest this please