
staging/journal: create douardda credentials
Closed, Migrated

Description

@douardda needs credentials on the staging journal to test the mirror infra: one user with access to the privileged topics and one with access to the public topics only.

  • swh-douardda
  • swh-douardda-privileged (if no restrictions on the username length)

The commands are listed on T1829#52862.

Event Timeline

vsellier changed the task status from Open to Work in Progress. Mar 30 2021, 12:18 PM
vsellier triaged this task as Normal priority.
vsellier created this task.
  • unprivileged user:
username=swh-douardda
password=XXXXX

# Create the user
journal0 ~ % /opt/kafka/bin/kafka-configs.sh \
    --zookeeper ${zookeeper_servers}/kafka/softwareheritage \
    --alter \
    --add-config "SCRAM-SHA-256=[iterations=8192,password=$password],SCRAM-SHA-512=[password=$password]" \
    --entity-type users \
    --entity-name $username

Warning: --zookeeper is deprecated and will be removed in a future version of Kafka.
Use --bootstrap-server instead to specify a broker to connect to.
Completed updating config for entity: user-principal 'swh-douardda'.


# Allow READ and DESCRIBE on unprivileged topics
journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects. --allow-principal User:$username --operation READ

Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-vse, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-vse, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-test, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-test, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW) 



journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects. --allow-principal User:$username --operation DESCRIBE
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-vse, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-vse, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-test, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-test, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW) 



journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --list --resource-pattern-type PREFIXED --topic swh.journal.objects. --principal User:$username
ACLs for principal `User:swh-douardda`
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW) 



# Allow READ on consumer groups prefixed with `$username-`
journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --group ${username}- --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-, patternType=PREFIXED)`: 
 	(principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-, patternType=PREFIXED)`: 
 	(principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
  • privileged user:
username=swh-douardda-privileged
password=XXXXX

journal0 ~ % /opt/kafka/bin/kafka-configs.sh \
    --zookeeper ${zookeeper_servers}/kafka/softwareheritage \
    --alter \
    --add-config "SCRAM-SHA-256=[iterations=8192,password=$password],SCRAM-SHA-512=[password=$password]" \
    --entity-type users \
    --entity-name $username
Warning: --zookeeper is deprecated and will be removed in a future version of Kafka.
Use --bootstrap-server instead to specify a broker to connect to.
Completed updating config for entity: user-principal 'swh-douardda-privileged'.


journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects. --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-vse, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-test, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-vse, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-test, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW) 


journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects. --allow-principal User:$username --operation DESCRIBE
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-vse, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-test, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-vse, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:swh-test, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW) 


# Allow READ and DESCRIBE on **privileged** topics
journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects_privileged. --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW) 


journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --topic swh.journal.objects_privileged. --allow-principal User:$username --operation DESCRIBE
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW) 


journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --add --resource-pattern-type PREFIXED --group ${username}- --allow-principal User:$username --operation READ
Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-privileged-, patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-privileged-, patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW) 


## Status:
journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --list --resource-pattern-type PREFIXED --topic swh.journal.objects. --principal User:$username
ACLs for principal `User:swh-douardda-privileged`
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW) 

journal0 ~ % /opt/kafka/bin/kafka-acls.sh --bootstrap-server $bootstrap_servers --list --resource-pattern-type PREFIXED --topic swh.journal.objects_privileged. --principal User:$username
ACLs for principal `User:swh-douardda-privileged`
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`: 
 	(principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)

credentials sent by PM
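A small least-privilege check for the ACLs granted above, added here as an example; it is not part of the task or of Software Heritage's tooling. It parses captured `kafka-acls.sh --list` output (the sample below is constructed, with one deliberate stray grant) and compares each user's effective ALLOW grants against the matrix described in the task: public topics plus the user's own consumer-group prefix for everyone, privileged topics only for the `-privileged` account.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `kafka-acls.sh --list` output. It contains one
# deliberate stray grant: the unprivileged user also has READ on the privileged topics.
SAMPLE_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects., patternType=PREFIXED)`:
  (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
  (principal=User:swh-douardda, host=*, operation=DESCRIBE, permissionType=ALLOW)
  (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
  (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=swh.journal.objects_privileged., patternType=PREFIXED)`:
  (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
  (principal=User:swh-douardda-privileged, host=*, operation=DESCRIBE, permissionType=ALLOW)
  (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-, patternType=PREFIXED)`:
  (principal=User:swh-douardda, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=swh-douardda-privileged-, patternType=PREFIXED)`:
  (principal=User:swh-douardda-privileged, host=*, operation=READ, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"ResourcePattern\(resourceType=(\w+), name=([^,]+), patternType=(\w+)\)")
ACL_RE = re.compile(r"\(principal=User:([^,]+), host=[^,]+, operation=(\w+), permissionType=(\w+)\)")

def parse_acl_listing(text):
    """Map each principal to its set of ALLOW grants: (resourceType, name, patternType, operation)."""
    grants = defaultdict(set)
    resource = None  # the most recent "Current ACLs for resource" header
    for line in text.splitlines():
        if m := RESOURCE_RE.search(line):
            resource = m.groups()
        elif (m := ACL_RE.search(line)) and resource and m.group(3) == "ALLOW":
            grants[m.group(1)].add(resource + (m.group(2),))
    return dict(grants)

def expected_grants(username, privileged):
    """Least-privilege matrix from the task: public topics + own consumer groups, privileged topics only if flagged."""
    want = {("TOPIC", "swh.journal.objects.", "PREFIXED", op) for op in ("READ", "DESCRIBE")}
    want.add(("GROUP", f"{username}-", "PREFIXED", "READ"))
    if privileged:
        want |= {("TOPIC", "swh.journal.objects_privileged.", "PREFIXED", op) for op in ("READ", "DESCRIBE")}
    return want

def check_user(listing, username, privileged):
    """Return (missing, excess): grants the user should have but lacks, and grants beyond the matrix."""
    have = parse_acl_listing(listing).get(username, set())
    want = expected_grants(username, privileged)
    return want - have, have - want
```

Running `check_user(SAMPLE_LISTING, "swh-douardda", False)` flags the stray READ on `swh.journal.objects_privileged.` as excess, which is exactly the kind of drift a periodic listing against the real cluster should catch.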