staging/journal: create douardda credentials
@douardda needs credentials on the staging's journal to test the mirror infra: one user with access to the privileged topics and one with only access to the public topics
- swh-douardda
- swh-douardda-privileged (if no restrictions on the username length)
commands are listed on #1829 (closed)
Migrated from T3188 (view on Phabricator)
- Vincent Sellier added System administration priority:Normal labels
- Vincent Sellier added state:wip label
- unprivileged user:

```
username=swh-douardda
password=XXXXX

# Create the user
journal0 ~ % /opt/kafka/bin/kafka-configs.sh \
    --zookeeper ${zookeeper_servers}/kafka/softwareheritage \
    --alter \
    --add-config "SCRAM-SHA-256=[iterations=8192,password=$password],SCRAM-SHA-512=[password=$password]" \
    --entity-type users \
    --entity-name $username
Warning: --zookeeper is deprecated and will be removed in a future version of Kafka.
Use --bootstrap-server instead to specify a broker to connect to.
Completed updating config for entity: user-principal 'swh-douardda'.

# Allow READ and DESCRIBE on unprivileged topics
journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects. --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-vse, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-vse, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-test, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-test, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)

journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects. --allow-principal User:$username --operation DESCRIBE
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-vse, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-vse, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-test, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-test, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW)

journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --list --resource-pattern-type PREFIXED --topic swh.journal.objects. --principal User:$username
ACLs for principal `User:swh-douardda`
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)

# Allow READ on consumer groups prefixed with `$username-`
journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --group ${username}- --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-, patternType=PREFIXED)`:
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-, patternType=PREFIXED)`:
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
```

- privileged user:

```
username=swh-douardda-privileged
password=XXXXX

journal0 ~ % /opt/kafka/bin/kafka-configs.sh \
    --zookeeper ${zookeeper_servers}/kafka/softwareheritage \
    --alter \
    --add-config "SCRAM-SHA-256=[iterations=8192,password=$password],SCRAM-SHA-512=[password=$password]" \
    --entity-type users \
    --entity-name $username
Warning: --zookeeper is deprecated and will be removed in a future version of Kafka.
Use --bootstrap-server instead to specify a broker to connect to.
Completed updating config for entity: user-principal 'swh-douardda-privileged'.

journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects. --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-vse, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-test, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-vse, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-test, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW)

journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects. --allow-principal User:$username --operation DESCRIBE
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-vse, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-test, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-vse, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-test, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW)

# Allow READ and DESCRIBE on **privileged** topics
journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects_privileged. --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)

journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects_privileged. --allow-principal User:$username --operation DESCRIBE
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)

journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --group ${username}- --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-privileged-, patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-privileged-, patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
```

## Status:

```
journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --list --resource-pattern-type PREFIXED --topic swh.journal.objects. --principal User:$username
ACLs for principal `User:swh-douardda-privileged`
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)

journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --list --resource-pattern-type PREFIXED --topic swh.journal.objects_privileged. --principal User:$username
ACLs for principal `User:swh-douardda-privileged`
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
```
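As an added example (not part of the ticket and not Kafka's own tooling), a small Python audit that parses the `Current ACLs for resource ...` listing printed by `kafka-acls.sh --list` and computes which operations a principal effectively holds on one concrete topic or consumer group, applying Kafka's LITERAL / PREFIXED pattern matching and DENY-over-ALLOW precedence. The sample listing is constructed from the output above; the `ALL` operation is not expanded (assumption: the listing only uses explicit operations, as here).

```python
import re

# Constructed sample in the shape printed by kafka-acls.sh --list, trimmed
# to the two test users from the ticket (public vs privileged topic prefixes).
SAMPLE_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`:
    (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-, patternType=PREFIXED)`:
    (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"ResourcePattern\(resourceType=(\w+), name=([^,]+), patternType=(\w+)\)")
ENTRY_RE = re.compile(r"\(principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)\)")


def parse_acls(listing):
    """Return a list of (resource_type, pattern_name, pattern_type, principal, host, op, perm)."""
    acls, resource = [], None
    for line in listing.splitlines():
        m = RESOURCE_RE.search(line)
        if m:                      # header line: remember the resource pattern
            resource = m.groups()
            continue
        m = ENTRY_RE.search(line)
        if m and resource:         # entry line: attach it to the current pattern
            acls.append(resource + m.groups())
    return acls


def pattern_matches(pattern_name, pattern_type, resource_name):
    """Kafka matching: LITERAL is exact (or the '*' wildcard), PREFIXED is a string prefix."""
    if pattern_type == "LITERAL":
        return pattern_name in ("*", resource_name)
    return pattern_type == "PREFIXED" and resource_name.startswith(pattern_name)


def effective_ops(acls, principal, resource_type, resource_name):
    """Operations `principal` holds on one concrete resource; a DENY entry beats an ALLOW."""
    allowed, denied = set(), set()
    for rtype, name, ptype, who, _host, op, perm in acls:
        if rtype == resource_type and who == principal and pattern_matches(name, ptype, resource_name):
            (allowed if perm == "ALLOW" else denied).add(op)
    return allowed - denied
```

Because the public prefix ends in a dot, `swh.journal.objects.` does not match `swh.journal.objects_privileged.*` topics, which is what keeps the unprivileged user out of the privileged topics.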
- Vincent Sellier changed the description
credentials sent by PM
- Vincent Sellier removed state:wip label
- Vincent Sellier closed