dbaas: added commands for dbaas acl management #659

Open
wants to merge 20 commits into
base: master


@elkezza elkezza commented Dec 20, 2024

## Description

Adding commands for the DBaaS ACL management.

## Checklist

(For exoscale contributors)

  • Changelog updated (under Unreleased block)
  • Testing

## Testing

### acl sub-command

```
go run . dbaas -h
Database as a Service management

Usage:
  exo dbaas [command]

Available Commands:
  acl                  Manage DBaaS acl
  ca-certificate       Retrieve the Database CA certificate
  create               Create a Database Service
  delete               Delete a Database Service
  external-endpoint    Manage DBaaS external endpoints
  external-integration Manage DBaaS external integrations
  list                 List Database Services
  logs                 Query a Database Service logs
  metrics              Query a Database Service metrics over time
  migration            database migration management
  show                 Show a Database Service details
  type                 Database Services types management
  update               Update Database Service
  user                 Manage DBaaS users

Flags:
  -h, --help   help for dbaas

Global Flags:
  -C, --config string            Specify an alternate config file [env EXOSCALE_CONFIG]
  -O, --output-format string     Output format (table|json|text), see "exo output --help" for more information
      --output-template string   Template to use if output format is "text"
  -Q, --quiet                    Quiet mode (disable non-essential command output)
  -A, --use-account string       Account to use in config file [env EXOSCALE_ACCOUNT]

Use "exo dbaas [command] --help" for more information about a command.
```

### dbaas acl -h sub-command

```
go run . dbaas acl -h
Manage DBaaS acl

Usage:
  exo dbaas acl [command]

Available Commands:
  create      Create an ACL entry for a DBaaS service
  delete      Delete an ACL entry for a DBaaS service
  list        List ACL entries for a DBaaS service
  show        Show the details of an acl
  update      Update an ACL entry for a DBaaS service

Flags:
  -h, --help   help for acl

Global Flags:
  -C, --config string            Specify an alternate config file [env EXOSCALE_CONFIG]
  -O, --output-format string     Output format (table|json|text), see "exo output --help" for more information
      --output-template string   Template to use if output format is "text"
  -Q, --quiet                    Quiet mode (disable non-essential command output)
  -A, --use-account string       Account to use in config file [env EXOSCALE_ACCOUNT]

Use "exo dbaas acl [command] --help" for more information about a command.
```

### show DBaas service acl user

#### show helper sub-command

```
go run . dbaas acl show -h
This command show an acl entty and its details for a specified DBAAS service.

Usage:
  exo dbaas acl show [flags]

Flags:
  -h, --help              help for show
      --name string       Name of the DBaaS service
  -t, --type string       type of the DBaaS service (e.g., kafka, opensearch)
      --username string   Username of the ACL entry

Global Flags:
  -C, --config string            Specify an alternate config file [env EXOSCALE_CONFIG]
  -O, --output-format string     Output format (table|json|text), see "exo output --help" for more information
      --output-template string   Template to use if output format is "text"
  -Q, --quiet                    Quiet mode (disable non-essential command output)
  -A, --use-account string       Account to use in config file [env EXOSCALE_ACCOUNT]
```

#### Kafka Tests

##### show user

```
go run . dbaas acl show --type=kafka --name=se-test-2  --username=avnadmin
┼────────────┼──────────┼
│ ACL ENTRY  │          │
┼────────────┼──────────┼
│ Username   │ avnadmin │
│ Topic      │ *        │
│ Permission │ admin    │
┼────────────┼──────────┼
```

#### Opensearch Tests

```
go run . dbaas acl show --type=opensearch --name=se-test-4  --username=avnadmin
┼──────────────────────┼────────────────────────────────────────────────────────────────────────┼
│        FIELD         │                                 VALUE                                  │
┼──────────────────────┼────────────────────────────────────────────────────────────────────────┼
│ ACL Enabled          │ false                                                                  │
│ Extended ACL Enabled │ false                                                                  │
│ Rule                 │ ACL pattern: test_1_and_test_2_and_test_4_and_test_4, Permission: deny │
│ Rule                 │ ACL pattern: book, Permission: admin                                   │
┼──────────────────────┼────────────────────────────────────────────────────────────────────────┼
```

##### use-case-1: Show acl with wrong Db name

If the user entered a db name that exists in a different service other than the one stated in the flag, and it exists in the other db, it will give info about the other db that contains the service, e.g. below se-test-2 is a kafka service but in the command below opensearch was stated instead.

```
go run . dbaas acl show --name=se-test-2 --username=avnadmin  --type=opensearch
error: mismatched service type: expected "opensearch" but got "kafka" for service "se-test-2"
exit status 1
```

##### use-case-2: Show acl with missing required flag

```
go run . dbaas acl show --name=se-test-2 --username=avnadmin
error: both --name, --username and --type flags must be specified
exit status 1
```

### list DBaas service acl user

#### list helper sub-command

```
go run . dbaas acl list -h
This command lists ACL entries for a specified DBaaS service, including Kafka and OpenSearch, across all available zones.

Usage:
  exo dbaas acl list [flags]

Flags:
  -h, --help          help for list
      --name string   Name of the DBaaS service
  -t, --type string   Type of the DBaaS service (e.g., kafka, opensearch)

Global Flags:
  -C, --config string            Specify an alternate config file [env EXOSCALE_CONFIG]
  -O, --output-format string     Output format (table|json|text), see "exo output --help" for more information
      --output-template string   Template to use if output format is "text"
  -Q, --quiet                    Quiet mode (disable non-essential command output)
  -A, --use-account string       Account to use in config file [env EXOSCALE_ACCOUNT]
```

#### Kafka Tests

##### list users

```
go run . dbaas acl list --name=se-test-2 --type=kafka
┼────────────────┼───────┼────────────┼
│    USERNAME    │ TOPIC │ PERMISSION │
┼────────────────┼───────┼────────────┼
│ avnadmin       │ *     │ admin      │
│ UserTestName   │ Test  │ admin      │
│ UserTestName-2 │ Test  │ admin      │
┼────────────────┼───────┼────────────┼
```

#### Opensearch Tests

##### list users

```
go run . dbaas acl list --name=se-test-4 -t=opensearch
┼──────────────────────┼────────────────────────────────────────────────────────────────────┼
│        FIELD         │                               VALUE                                │
┼──────────────────────┼────────────────────────────────────────────────────────────────────┼
│ ACL Enabled          │ true                                                               │
│ Extended ACL Enabled │ true                                                               │
│ Username             │ avnadmin                                                           │
│   Rule               │ Pattern: test_1_and_test_2_and_test_4_and_test_4, Permission: deny │
│   Rule               │ Pattern: book, Permission: admin                                   │
┼──────────────────────┼────────────────────────────────────────────────────────────────────┼
```

##### use-case-1: list acl users with a service that does not exist

```
go run . dbaas acl list --name=se-test-6 --type=kafka
error: service "se-test-6" not found in any zone
exit status 1
```

##### use-case-2: list acl users with wrong db name

```
go run . dbaas acl list --name=se-test-4 --type=kafka
error: mismatched service type: expected "kafka" but got "opensearch" for service "se-test-4"
exit status 1
```

##### use-case-3: list acl users with missing --type flag

```
go run . dbaas acl list --name=se-test-4
error: both --name and --type flags must be specified
exit status 1
```

##### use-case-4: list acl users with missing --name flag

```
go run . dbaas acl list -t=opensearch
error: both --name and --type flags must be specified
exit status 1
```

### delete DBaas service acl user

#### delete helper sub-command

```
go run . dbaas acl delete -h
This command deletes a specified ACL entry for a DBaaS service, such as Kafka or OpenSearch, across all available zones.

Usage:
  exo dbaas acl delete [flags]

Flags:
  -h, --help              help for delete
      --name string       Name of the DBaaS service
  -t, --type string       DBaaS service type (e.g., kafka, opensearch)
      --username string   Username of the ACL entry

Global Flags:
  -C, --config string            Specify an alternate config file [env EXOSCALE_CONFIG]
  -O, --output-format string     Output format (table|json|text), see "exo output --help" for more information
      --output-template string   Template to use if output format is "text"
  -Q, --quiet                    Quiet mode (disable non-essential command output)
  -A, --use-account string       Account to use in config file [env EXOSCALE_ACCOUNT]
```

#### Kafka Tests

##### delete user

```
go run . dbaas acl delete --name=se-test-2 --type=kafka --username=avnadmin
Successfully deleted ACL entry for username "avnadmin" in service "se-test-2".
```

##### delete the user again

```
go run . dbaas acl delete --name=se-test-2 --type=kafka --username=avnadmin
error: no ACL entry found for username "avnadmin" in service "se-test-2"
exit status 1
```

##### list the users and delete one of them

```
go run . dbaas acl list --name=se-test-2 --type=kafka
┼────────────────┼───────┼────────────┼
│    USERNAME    │ TOPIC │ PERMISSION │
┼────────────────┼───────┼────────────┼
│ UserTestName   │ Test  │ admin      │
│ UserTestName-2 │ Test  │ admin      │
┼────────────────┼───────┼────────────┼
```

```
go run . dbaas acl delete --name=se-test-2 --type=kafka --username=UserTestName
Successfully deleted ACL entry for username "UserTestName" in service "se-test-2".
```

```
go run . dbaas acl list --name=se-test-2 --type=kafka
┼────────────────┼───────┼────────────┼
│    USERNAME    │ TOPIC │ PERMISSION │
┼────────────────┼───────┼────────────┼
│ UserTestName-2 │ Test  │ admin      │
┼────────────────┼───────┼────────────┼

```


### Create DBaas service acl user
```
go run . dbaas acl create -h
This command creates an ACL entry for a specified DBaaS service, automatically searching for the service across all available zones.

Usage:
  exo dbaas acl create [flags]

Flags:
  -h, --help                help for create
      --name string         Name of the DBaaS service
      --pattern string      The pattern for the ACL rule (index* for OpenSearch or topic for Kafka, max 249 characters)
      --permission string   Permission to apply (should be one of admin, read, readwrite, write, or deny (only for OpenSearch))
  -t, --type string         Type of the DBaaS service (e.g., kafka opensearch)
      --username string     Username for the ACL entry

Global Flags:
  -C, --config string            Specify an alternate config file [env EXOSCALE_CONFIG]
  -O, --output-format string     Output format (table|json|text), see "exo output --help" for more information
      --output-template string   Template to use if output format is "text"
  -Q, --quiet                    Quiet mode (disable non-essential command output)
  -A, --use-account string       Account to use in config file [env EXOSCALE_ACCOUNT]
```
#### Kafka Tests
##### create users 

```
go run . dbaas acl create --name se-test-2 --type kafka --username user123456 --pattern index1 --permission read     
 ✔ Creating Kafka ACL entry for user "user123456" 0s                                                                                                                                                                                
Kafka ACL entry for user "user123456" successfully created in service "se-test-2"
```
Now we check if the user was created
```
 go run . dbaas acl show --type=kafka --name=se-test-2  --username user123456                                          
┼────────────┼────────────┼
│ ACL ENTRY  │            │
┼────────────┼────────────┼
│ Username   │ user123456 │
│ Topic      │ index1     │
│ Permission │ read       │
┼────────────┼────────────┼

```

#### Opensearch Tests
##### create users 
```
 go run . dbaas acl create --name se-test-4 --type opensearch --username user123456 --pattern index1 --permission read
 ✔ Creating ACL entry for user "user123456" 0s                                                                                                                                                                                      
ACL entry for username "user123456" created successfully in service "se-test-4"
```
Now we check if the user was created

```
go run . dbaas acl show --type=opensearch --name=se-test-4  --username user123456
┼──────────────────────┼───────────────────────────────────────┼
│        FIELD         │                 VALUE                 │
┼──────────────────────┼───────────────────────────────────────┼
│ ACL Enabled          │ false                                 │
│ Extended ACL Enabled │ false                                 │
│ Rule                 │ ACL pattern: index1, Permission: read │
┼──────────────────────┼───────────────────────────────────────┼

```
##### other tests

###### use-case-1: create acl user with wrong db name
```
 go run . dbaas acl create --name se-test-2 --type opensearch --username user123456 --pattern index1 --permission read                          
error: service type mismatch: expected "opensearch" but got "kafka" for service "se-test-2"
exit status 1

```
### Update DBaas service acl user
```
go run . dbaas acl update -h                                                                                                                   
This command updates an ACL entry for a specified DBaaS service. You can also update the username with the --new-username flag.

Usage:
  exo dbaas acl update [flags]

Flags:
  -h, --help                  help for update
      --name string           Name of the DBaaS service
      --new-username string   New username to replace the current one (optional)
      --pattern string        The pattern for the ACL rule (index* for OpenSearch or topic for Kafka, max 249 characters)
      --permission string     Permission to apply (should be one of admin, read, readwrite, write, or deny (only for OpenSearch))
  -t, --type string           Type of the DBaaS service (e.g., opensearch)
      --username string       Current username of the ACL entry to update

Global Flags:
  -C, --config string            Specify an alternate config file [env EXOSCALE_CONFIG]
  -O, --output-format string     Output format (table|json|text), see "exo output --help" for more information
      --output-template string   Template to use if output format is "text"
  -Q, --quiet                    Quiet mode (disable non-essential command output)
  -A, --use-account string       Account to use in config file [env EXOSCALE_ACCOUNT]
```
#### Opensearch Tests
Before we update anything let us first list all the acl entries

```
go run . dbaas acl list --name se-test-4 --type opensearch                                                                                  
┼──────────────────────┼─────────────────────────────────────┼
│        FIELD         │                VALUE                │
┼──────────────────────┼─────────────────────────────────────┼
│ ACL Enabled          │ false                               │
│ Extended ACL Enabled │ false                               │
│ Username             │ user22                              │
│   Rule               │ Pattern: index22, Permission: write │
┼──────────────────────┼─────────────────────────────────────┼
```
##### update users 

```
go run . dbaas acl update --name se-test-4  --username user22  --type opensearch  --pattern newPattern  --permission read --new-username newUserName 
ACL entry for username "user22" updated successfully in service "se-test-4"
```

Now we can check if the user was updated

```
go run . dbaas acl list --name se-test-4 --type opensearch                                                                                         
┼──────────────────────┼───────────────────────────────────────┼
│        FIELD         │                 VALUE                 │
┼──────────────────────┼───────────────────────────────────────┼
│ ACL Enabled          │ false                                 │
│ Extended ACL Enabled │ false                                 │
│ Username             │ newUserName                           │
│   Rule               │ Pattern: newPattern, Permission: read │
┼──────────────────────┼───────────────────────────────────────┼
```
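
The checks the test log above exercises (required flags, service type mismatch) together with the limits stated in the `acl create` help text (permission list, `deny` for OpenSearch only, 249-character pattern), as an added example that is not the PR's own code. `ACLRequest`, `ValidateACLRequest` and the caller-side lookup of the service's actual type are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// ACLRequest holds the flag values from the `acl create` help output.
// The type and function names are hypothetical, not the project's.
type ACLRequest struct {
	Name, Type, Username, Pattern, Permission string
}

const maxPatternLen = 249 // limit stated in the --pattern help text

// allowed maps service type to accepted permissions; per the --permission
// help text, "deny" is accepted for OpenSearch only.
var allowed = map[string]map[string]bool{
	"kafka":      {"admin": true, "read": true, "readwrite": true, "write": true},
	"opensearch": {"admin": true, "read": true, "readwrite": true, "write": true, "deny": true},
}

// ValidateACLRequest rejects a bad request before any API call is made.
// actualType is the type of the service found under r.Name (assumed to be
// looked up by the caller), so a change never lands on the wrong service kind.
func ValidateACLRequest(r ACLRequest, actualType string) error {
	var missing []string
	for _, f := range [][2]string{
		{"--name", r.Name}, {"--type", r.Type}, {"--username", r.Username},
		{"--pattern", r.Pattern}, {"--permission", r.Permission},
	} {
		if strings.TrimSpace(f[1]) == "" {
			missing = append(missing, f[0])
		}
	}
	if len(missing) > 0 {
		return fmt.Errorf("missing required flags: %s", strings.Join(missing, ", "))
	}
	perms, known := allowed[r.Type]
	if !known {
		return fmt.Errorf("unsupported service type %q", r.Type)
	}
	if r.Type != actualType {
		return fmt.Errorf("mismatched service type: expected %q but got %q for service %q", r.Type, actualType, r.Name)
	}
	if !perms[r.Permission] {
		return fmt.Errorf("permission %q is not valid for service type %q", r.Permission, r.Type)
	}
	if n := utf8.RuneCountInString(r.Pattern); n > maxPatternLen {
		return fmt.Errorf("pattern has %d characters, max is %d", n, maxPatternLen)
	}
	return nil
}

func main() {
	// Constructed input reproducing the "wrong db name" case from the test log.
	r := ACLRequest{"se-test-2", "opensearch", "user123456", "index1", "read"}
	fmt.Println(ValidateACLRequest(r, "kafka"))
}
```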

…h because the openapi does not support delete opensearch acl entry.
…ause the openapi does not support update for opensearch acl entry.
…ame code block in each sub-command for acl management.
… code block in each sub-command for acl management.
…d of repeating the same code block in each sub-command for acl management.
…d of repeating the same code block in each sub-command for acl management.
…of repeating the same code block in each sub-command for acl management.
@elkezza elkezza changed the title CLI: adding dbaas acl management dbaas: added commands for dbaas acl management Jan 2, 2025
@elkezza elkezza marked this pull request as ready for review January 2, 2025 16:01
@elkezza elkezza requested a review from a team January 2, 2025 16:01
@elkezza elkezza requested a review from aureliar8 January 2, 2025 16:31
Co-authored-by: Predrag Janosevic <[email protected]>

@simisoft-exo simisoft-exo left a comment


Kafka has two types of ACLs: Topic and Schema Registry.
I only see Topic ones being handled, is the only one in scope of this change?
The naming suggests it's only one type, and might be confusing to add kafka-schema-registry-acl type later.


elkezza commented Jan 13, 2025

> Kafka has two types of ACLs: Topic and Schema Registry. I only see Topic ones being handled, is the only one in scope of this change? The naming suggests it's only one type, and might be confusing to add kafka-schema-registry-acl type later.

@simisoft-exo yes, the scope is only for the Topic.
This is only for the calls under ACL configuration; the kafka-schema-registry-acl is a different endpoint. I think it should be under a different PR, same as in the portal, where it has a separate UI.
e.g. for ACL configuration the endpoint is `delete dbaas-kafka/{name}/topic/acl-config/{acl-id}` and for kafka-schema-registry-acl the endpoint is `DELETE /dbaas-kafka/{name}/schema-registry/acl-config/{acl-id}`
