[ksqlDB] when using ACLs configure all internal topics with ALL permissions for the ksql server user #433
JulieOps is not giving enough ACLs to the ksql user. Therefore ksql is not working.
Bug fix: Add missing KSQL ACLs (KSQL ACLs missing #432)
When we tried to use ksql, we ended up getting the following error:
[2021-12-23 13:44:54,963] INFO Principal = User:ksql_test is Denied Operation = Describe from host = 123.123.123.123 on resource = Topic:LITERAL:_confluent-ksql-hantti_db_configs for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger)
This means that JulieOps is not giving access to the required internal topic, the config topic. See the ksql documentation: https://github.com/confluentinc/ksql/blob/master/docs/operate-and-deploy/how-it-works.md#config-topic
'In headless mode, you supply SQL statements to each server in its SQL file. But ksqlDB still needs to store some internal metadata to ensure that it builds queries compatibly across restarts and upgrades. ksqlDB stores this metadata in an internal topic called the config topic. ksqlDB names the config topic _confluent-ksql-_configs, where is the value in the ksql.service.id property.'
JulieOps will have the ACLs that are stated in the ksqlDB documentation.
ksqlDB always requires the following ACLs for its internal operations and data management:
See documentation: https://docs.ksqldb.io/en/latest/operate-and-deploy/installation/server-config/security/#required-acls
Therefore we need to change the method that only introduces the topic _confluent-ksql-%s_command_topic:

    public String commandTopic() {
        return String.format("_confluent-ksql-%s_command_topic", ksqlDbId);
    }

to the more common topic _confluent-ksql-%s method:

    public String internalTopics() {
        return String.format("_confluent-ksql-%s", ksqlDbId);
    }

This way the ksql user will have ACL ALL on all internal TOPICS that are PREFIXED with _confluent-ksql-<ksql.service.id>.
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
No.
Other information:
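The effect of the rename on ACL coverage, as an added example that is not part of the pull request or of JulieOps: a plain-Java model of PREFIXED pattern matching applied to the two resource names quoted above. Assumptions: both names are bound as PREFIXED patterns, the service id `hantti_db` is inferred from the denied topic in the log line, and the third topic is constructed to show what else the shorter prefix matches.

```java
import java.util.List;

// Added example, not JulieOps code: plain-Java model of PREFIXED topic ACL matching.
public class KsqlInternalTopicAcls {

    // A PREFIXED resource pattern covers every topic whose name starts with the pattern.
    static boolean prefixedMatch(String pattern, String topic) {
        return topic.startsWith(pattern);
    }

    // Resource name before the change (method body as quoted in the PR).
    static String commandTopic(String ksqlDbId) {
        return String.format("_confluent-ksql-%s_command_topic", ksqlDbId);
    }

    // Resource name after the change (method body as quoted in the PR).
    static String internalTopics(String ksqlDbId) {
        return String.format("_confluent-ksql-%s", ksqlDbId);
    }

    public static void main(String[] args) {
        String id = "hantti_db"; // assumption: service id inferred from the denied topic name
        List<String> topics = List.of(
            "_confluent-ksql-hantti_db_configs",            // topic from the Denied log line
            "_confluent-ksql-hantti_db_command_topic",      // command topic for the same id
            "_confluent-ksql-hantti_db_prod_command_topic"  // constructed: another server, id "hantti_db_prod"
        );
        System.out.printf("%-46s %-7s %s%n", "topic", "before", "after");
        for (String topic : topics) {
            System.out.printf("%-46s %-7b %b%n", topic,
                prefixedMatch(commandTopic(id), topic),
                prefixedMatch(internalTopics(id), topic));
        }
    }
}
```

The first row is the denied Describe from the log: the old name does not cover the config topic, the new prefix does. The third row shows that the new prefix also covers a server whose service id merely begins with the same string, so service ids on one Kafka cluster should not be prefixes of one another.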