org.apache.kafka.common.resource.ResourceType Java Examples

public TopologyAclBinding bindRole(
    String principal, String role, String resourceName, Map<String, Object> scope) {
  HttpPost postRequest =
      new HttpPost(mdsServer + "/security/1.0/principals/" + principal + "/roles/" + role);
  postRequest.addHeader("accept", " application/json");
  postRequest.addHeader("Content-Type", "application/json");
  postRequest.addHeader("Authorization", "Basic " + basicCredentials);

  try {
    postRequest.setEntity(new StringEntity(JSON.asString(scope)));
    LOGGER.debug("bind.entity: " + JSON.asString(scope));
    post(postRequest);
    return new TopologyAclBinding(
        ResourceType.CLUSTER, resourceName, "*", role, principal, PatternType.ANY.name());
  } catch (IOException e) {
    e.printStackTrace();
    return null;
  }
}
 

public TopologyAclBinding bind(String principal, String role, RequestScope scope) {
  HttpPost postRequest =
      new HttpPost(
          mdsServer + "/security/1.0/principals/" + principal + "/roles/" + role + "/bindings");
  postRequest.addHeader("accept", " application/json");
  postRequest.addHeader("Content-Type", "application/json");
  postRequest.addHeader("Authorization", "Basic " + basicCredentials);

  try {
    postRequest.setEntity(new StringEntity(scope.asJson()));
    LOGGER.debug("bind.entity: " + scope.asJson());
    post(postRequest);
    ResourceType resourceType = ResourceType.fromString(scope.getResource(0).get(RESOURCE_TYPE));
    String resourceName = scope.getResource(0).get(RESOURCE_NAME);
    String patternType = scope.getResource(0).get(RESOURCE_PATTERN_TYPE);
    return new TopologyAclBinding(resourceType, resourceName, "*", role, principal, patternType);
  } catch (IOException e) {
    e.printStackTrace();
    return null;
  }
}
 

@Test
public void testFromCrdToKafkaResourcePatternForGroupResource()  {
    // Regular group
    AclRuleResource resource = new AclRuleGroupResourceBuilder()
            .withName("my-group")
            .withPatternType(AclResourcePatternType.LITERAL)
            .build();
    ResourcePattern expectedKafkaGroupResourcePattern = new ResourcePattern(ResourceType.GROUP, "my-group", PatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromCrd(resource).toKafkaResourcePattern(), is(expectedKafkaGroupResourcePattern));

    // Prefixed group
    resource = new AclRuleGroupResourceBuilder()
            .withName("my-")
            .withPatternType(AclResourcePatternType.PREFIX)
            .build();
    expectedKafkaGroupResourcePattern = new ResourcePattern(ResourceType.GROUP, "my-", PatternType.PREFIXED);
    assertThat(SimpleAclRuleResource.fromCrd(resource).toKafkaResourcePattern(), is(expectedKafkaGroupResourcePattern));
}
 

@Test
public void testFromCrdToKafkaResourcePatternForTopicResource()    {
    // Regular group
    AclRuleResource resource = new AclRuleTopicResourceBuilder()
            .withName("my-topic")
            .withPatternType(AclResourcePatternType.LITERAL)
            .build();
    ResourcePattern expectedKafkaTopicResourcePattern = new ResourcePattern(ResourceType.TOPIC, "my-topic", PatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromCrd(resource).toKafkaResourcePattern(), is(expectedKafkaTopicResourcePattern));

    // Prefixed topic
    resource = new AclRuleTopicResourceBuilder()
            .withName("my-")
            .withPatternType(AclResourcePatternType.PREFIX)
            .build();
    expectedKafkaTopicResourcePattern = new ResourcePattern(ResourceType.TOPIC, "my-", PatternType.PREFIXED);
    assertThat(SimpleAclRuleResource.fromCrd(resource).toKafkaResourcePattern(), is(expectedKafkaTopicResourcePattern));
}
 

@Test
public void shouldRunQueryWithChangeLogsAgainstKafkaClusterWithWildcardAcls() throws Exception {
  // Given:
  givenAllowAcl(NORMAL_USER, ResourceType.CLUSTER, "kafka-cluster",
                ImmutableSet.of(AclOperation.DESCRIBE_CONFIGS, AclOperation.CREATE));

  givenAllowAcl(NORMAL_USER, ResourceType.TOPIC, "*",
                ImmutableSet.of(AclOperation.DESCRIBE, AclOperation.READ,
                                AclOperation.WRITE, AclOperation.DELETE));

  givenAllowAcl(NORMAL_USER, ResourceType.GROUP, "*",
                ImmutableSet.of(AclOperation.DESCRIBE, AclOperation.READ));

  givenTestSetupWithConfig(getKsqlConfig(NORMAL_USER));

  // Then:
  assertCanRunRepartitioningKsqlQuery();
}
 

@Test
public void testStoreAndFetch() throws IOException {

  String host = redis.getContainerIpAddress();
  int port = redis.getFirstMappedPort();
  RedisSateProcessor rsp = new RedisSateProcessor(host, port);
  rsp.createOrOpen();

  rsp.saveType("acls");
  TopologyAclBinding binding =
      TopologyAclBinding.build(
          ResourceType.TOPIC.name(), "foo", "*", "Write", "User:foo", "LITERAL");
  rsp.saveBindings(Arrays.asList(binding));

  List<TopologyAclBinding> bindings = rsp.load();

  Assert.assertEquals(1, bindings.size());
  Assert.assertEquals(binding.getPrincipal(), bindings.get(0).getPrincipal());
}
 

private void verifyControlCenterAcls(Platform platform)
    throws ExecutionException, InterruptedException {

  List<ControlCenter> c3List = platform.getControlCenter();

  for (ControlCenter c3 : c3List) {
    ResourcePatternFilter resourceFilter =
        new ResourcePatternFilter(ResourceType.TOPIC, null, PatternType.ANY);

    AccessControlEntryFilter entryFilter =
        new AccessControlEntryFilter(
            c3.getPrincipal(), null, AclOperation.ANY, AclPermissionType.ALLOW);

    AclBindingFilter filter = new AclBindingFilter(resourceFilter, entryFilter);

    Collection<AclBinding> acls = kafkaAdminClient.describeAcls(filter).values().get();

    Assert.assertEquals(16, acls.size());
  }
}
 

@Test
public void testGetUsersFromAcls(VertxTestContext context)  {
    Admin mockAdminClient = mock(AdminClient.class);
    SimpleAclOperator aclOp = new SimpleAclOperator(vertx, mockAdminClient);

    ResourcePattern res1 = new ResourcePattern(ResourceType.TOPIC, "my-topic", PatternType.LITERAL);
    ResourcePattern res2 = new ResourcePattern(ResourceType.GROUP, "my-group", PatternType.LITERAL);

    KafkaPrincipal foo = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "CN=foo");
    AclBinding fooAclBinding = new AclBinding(res1, new AccessControlEntry(foo.toString(), "*",
            org.apache.kafka.common.acl.AclOperation.READ, AclPermissionType.ALLOW));
    KafkaPrincipal bar = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "CN=bar");
    AclBinding barAclBinding = new AclBinding(res1, new AccessControlEntry(bar.toString(), "*",
            org.apache.kafka.common.acl.AclOperation.READ, AclPermissionType.ALLOW));
    KafkaPrincipal baz = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "baz");
    AclBinding bazAclBinding = new AclBinding(res2, new AccessControlEntry(baz.toString(), "*",
            org.apache.kafka.common.acl.AclOperation.READ, AclPermissionType.ALLOW));
    KafkaPrincipal all = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "*");
    AclBinding allAclBinding = new AclBinding(res1, new AccessControlEntry(all.toString(), "*",
            org.apache.kafka.common.acl.AclOperation.READ, AclPermissionType.ALLOW));
    KafkaPrincipal anonymous = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "ANONYMOUS");
    AclBinding anonymousAclBinding = new AclBinding(res2, new AccessControlEntry(anonymous.toString(), "*",
            org.apache.kafka.common.acl.AclOperation.READ, AclPermissionType.ALLOW));

    Collection<AclBinding> aclBindings =
            asList(fooAclBinding, barAclBinding, bazAclBinding, allAclBinding, anonymousAclBinding);

    assertDoesNotThrow(() -> mockDescribeAcls(mockAdminClient, AclBindingFilter.ANY, aclBindings));
    assertThat(aclOp.getUsersWithAcls(), is(new HashSet<>(asList("foo", "bar", "baz"))));
    context.completeNow();
}
 

@Test
public void testFromCrdToKafkaResourcePatternForTransactionalIdResource()  {
    // Regular transactionalId
    AclRuleResource resource = new AclRuleTransactionalIdResourceBuilder()
            .withName("my-transactionalId")
            .build();
    ResourcePattern expectedKafkaTransactionalIdResourcePattern = new ResourcePattern(ResourceType.TRANSACTIONAL_ID, "my-transactionalId", PatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromCrd(resource).toKafkaResourcePattern(), is(expectedKafkaTransactionalIdResourcePattern));
}
 

@Test
public void testReconcileInternalDelete(VertxTestContext context) {
    Admin mockAdminClient = mock(AdminClient.class);
    SimpleAclOperator aclOp = new SimpleAclOperator(vertx, mockAdminClient);

    ResourcePattern resource = new ResourcePattern(ResourceType.TOPIC, "my-topic", PatternType.LITERAL);

    KafkaPrincipal foo = new KafkaPrincipal("User", "CN=foo");
    AclBinding readAclBinding = new AclBinding(resource, new AccessControlEntry(foo.toString(), "*", org.apache.kafka.common.acl.AclOperation.READ, AclPermissionType.ALLOW));

    ArgumentCaptor<Collection<AclBindingFilter>> aclBindingFiltersCaptor = ArgumentCaptor.forClass(Collection.class);
    assertDoesNotThrow(() -> {
        mockDescribeAcls(mockAdminClient, null, Collections.singleton(readAclBinding));
        mockDeleteAcls(mockAdminClient, Collections.singleton(readAclBinding), aclBindingFiltersCaptor);
    });

    Checkpoint async = context.checkpoint();
    aclOp.reconcile("CN=foo", null)
            .onComplete(context.succeeding(rr -> context.verify(() -> {

                Collection<AclBindingFilter> capturedAclBindingFilters = aclBindingFiltersCaptor.getValue();
                assertThat(capturedAclBindingFilters, hasSize(1));
                assertThat(capturedAclBindingFilters, hasItem(readAclBinding.toFilter()));

                Set<ResourcePatternFilter> capturedResourcePatternFilters =
                        capturedAclBindingFilters.stream().map(AclBindingFilter::patternFilter).collect(Collectors.toSet());
                assertThat(capturedResourcePatternFilters, hasSize(1));
                assertThat(capturedResourcePatternFilters, hasItem(resource.toFilter()));

                async.flag();
            })));
}
 

@Test
public void testToKafkaResourcePatternForTopicResource()  {
    // Regular topic
    SimpleAclRuleResource topicResourceRules = new SimpleAclRuleResource("my-topic", SimpleAclRuleResourceType.TOPIC, AclResourcePatternType.LITERAL);
    ResourcePattern expectedKafkaResourcePattern = new ResourcePattern(ResourceType.TOPIC, "my-topic", PatternType.LITERAL);
    assertThat(topicResourceRules.toKafkaResourcePattern(), is(expectedKafkaResourcePattern));

    // Prefixed topic
    topicResourceRules = new SimpleAclRuleResource("my-", SimpleAclRuleResourceType.TOPIC, AclResourcePatternType.PREFIX);
    expectedKafkaResourcePattern = new ResourcePattern(ResourceType.TOPIC, "my-", PatternType.PREFIXED);
    assertThat(topicResourceRules.toKafkaResourcePattern(), is(expectedKafkaResourcePattern));
}
 

@Test
public void testToKafkaResourcePatternForGroupResource()  {
    // Regular group
    SimpleAclRuleResource groupResourceRules = new SimpleAclRuleResource("my-group", SimpleAclRuleResourceType.GROUP, AclResourcePatternType.LITERAL);
    ResourcePattern expectedKafkaResourcePattern = new ResourcePattern(ResourceType.GROUP, "my-group", PatternType.LITERAL);
    assertThat(groupResourceRules.toKafkaResourcePattern(), is(expectedKafkaResourcePattern));

    // Prefixed group
    groupResourceRules = new SimpleAclRuleResource("my-", SimpleAclRuleResourceType.GROUP, AclResourcePatternType.PREFIX);
    expectedKafkaResourcePattern = new ResourcePattern(ResourceType.GROUP, "my-", PatternType.PREFIXED);
    assertThat(groupResourceRules.toKafkaResourcePattern(), is(expectedKafkaResourcePattern));
}
 

@Test
public void testToKafkaResourcePatternForClusterResource()  {
    // Regular cluster
    SimpleAclRuleResource clusterResourceRules = new SimpleAclRuleResource(null, SimpleAclRuleResourceType.CLUSTER, null);
    ResourcePattern expectedKafkaResourcePattern = new ResourcePattern(ResourceType.CLUSTER, "kafka-cluster", PatternType.LITERAL);
    assertThat(clusterResourceRules.toKafkaResourcePattern(), is(expectedKafkaResourcePattern));
}
 

@Test
public void testToKafkaResourcePatternForTransactionalIdResource()  {
    // Regular transactionalId
    SimpleAclRuleResource transactionalIdResourceRules = new SimpleAclRuleResource("my-transactionalId", SimpleAclRuleResourceType.TRANSACTIONAL_ID, null);
    ResourcePattern expectedKafkaResourcePattern = new ResourcePattern(ResourceType.TRANSACTIONAL_ID, "my-transactionalId", PatternType.LITERAL);
    assertThat(transactionalIdResourceRules.toKafkaResourcePattern(), is(expectedKafkaResourcePattern));

    // Prefixed transactionalId
    transactionalIdResourceRules = new SimpleAclRuleResource("my-", SimpleAclRuleResourceType.TRANSACTIONAL_ID, AclResourcePatternType.PREFIX);
    expectedKafkaResourcePattern = new ResourcePattern(ResourceType.TRANSACTIONAL_ID, "my-", PatternType.PREFIXED);
    assertThat(transactionalIdResourceRules.toKafkaResourcePattern(), is(expectedKafkaResourcePattern));
}
 

@Test
public void testFromKafkaResourcePatternWithTopicResource()  {
    // Regular topic
    ResourcePattern kafkaTopicResourcePattern = new ResourcePattern(ResourceType.TOPIC, "my-topic", PatternType.LITERAL);
    SimpleAclRuleResource expectedTopicResourceRules = new SimpleAclRuleResource("my-topic", SimpleAclRuleResourceType.TOPIC, AclResourcePatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafkaTopicResourcePattern), is(expectedTopicResourceRules));

    // Prefixed topic
    kafkaTopicResourcePattern = new ResourcePattern(ResourceType.TOPIC, "my-", PatternType.PREFIXED);
    expectedTopicResourceRules = new SimpleAclRuleResource("my-", SimpleAclRuleResourceType.TOPIC, AclResourcePatternType.PREFIX);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafkaTopicResourcePattern), is(expectedTopicResourceRules));
}
 

@Test
public void testFromKafkaResourcePatternWithGroupResource()  {
    // Regular group
    ResourcePattern kafkaGroupResourcePattern = new ResourcePattern(ResourceType.GROUP, "my-group", PatternType.LITERAL);
    SimpleAclRuleResource expectedGroupResourceRules = new SimpleAclRuleResource("my-group", SimpleAclRuleResourceType.GROUP, AclResourcePatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafkaGroupResourcePattern), is(expectedGroupResourceRules));

    // Prefixed group
    kafkaGroupResourcePattern = new ResourcePattern(ResourceType.GROUP, "my-", PatternType.PREFIXED);
    expectedGroupResourceRules = new SimpleAclRuleResource("my-", SimpleAclRuleResourceType.GROUP, AclResourcePatternType.PREFIX);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafkaGroupResourcePattern), is(expectedGroupResourceRules));
}
 

@Test
public void testFromKafkaResourcePatternWithClusterResource()  {
    // Regular cluster
    ResourcePattern kafkaClusterResourcePattern = new ResourcePattern(ResourceType.CLUSTER, "kafka-cluster", PatternType.LITERAL);
    SimpleAclRuleResource expectedClusterResourceRules = new SimpleAclRuleResource("kafka-cluster", SimpleAclRuleResourceType.CLUSTER, AclResourcePatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafkaClusterResourcePattern), is(expectedClusterResourceRules));
}
 

@Test
public void testFromKafkaResourcePatternWithTransactionalIdResource()  {
    // Regular transactionalId
    ResourcePattern kafkaTransactionalIdResourcePattern = new ResourcePattern(ResourceType.TRANSACTIONAL_ID, "my-transactionalId", PatternType.LITERAL);
    SimpleAclRuleResource expectedTransactionalIdResourceRules = new SimpleAclRuleResource("my-transactionalId", SimpleAclRuleResourceType.TRANSACTIONAL_ID, AclResourcePatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafkaTransactionalIdResourcePattern), is(expectedTransactionalIdResourceRules));

    // Prefixed transactionalId
    kafkaTransactionalIdResourcePattern = new ResourcePattern(ResourceType.TRANSACTIONAL_ID, "my-", PatternType.PREFIXED);
    expectedTransactionalIdResourceRules = new SimpleAclRuleResource("my-", SimpleAclRuleResourceType.TRANSACTIONAL_ID, AclResourcePatternType.PREFIX);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafkaTransactionalIdResourcePattern), is(expectedTransactionalIdResourceRules));
}
 

@Test
public void testFromKafkaResourcePatternToKafkaResourcePatternRoundTripForTopicResource()    {
    // Regular topic
    ResourcePattern kafka = new ResourcePattern(ResourceType.TOPIC, "my-topic", PatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafka).toKafkaResourcePattern(), is(kafka));

    // Prefixed topic
    kafka = new ResourcePattern(ResourceType.TOPIC, "my-", PatternType.PREFIXED);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafka).toKafkaResourcePattern(), is(kafka));
}
 

@Test
public void testFromKafkaResourcePatternToKafkaResourcePatternRoundTripForGroupResource()  {
    // Regular group
    ResourcePattern kafka = new ResourcePattern(ResourceType.GROUP, "my-group", PatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafka).toKafkaResourcePattern(), is(kafka));

    // Prefixed group
    kafka = new ResourcePattern(ResourceType.GROUP, "my-", PatternType.PREFIXED);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafka).toKafkaResourcePattern(), is(kafka));
}
 

@Test
public void testFromKafkaResourcePatternToKafkaResourcePatternRoundTripForTransactionalIdResource()  {
    // Regular transactionID
    ResourcePattern kafka = new ResourcePattern(ResourceType.TRANSACTIONAL_ID, "my-transactionID", PatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafka).toKafkaResourcePattern(), is(kafka));

    // Prefixed transactionID
    kafka = new ResourcePattern(ResourceType.TRANSACTIONAL_ID, "my-", PatternType.PREFIXED);
    assertThat(SimpleAclRuleResource.fromKafkaResourcePattern(kafka).toKafkaResourcePattern(), is(kafka));
}
 

@Test
public void testFromCrdToKafkaResourcePatternForClusterResource()  {
    // Regular cluster
    AclRuleResource resource = new AclRuleClusterResource();
    ResourcePattern expectedKafkaClusterResourcePattern = new ResourcePattern(ResourceType.CLUSTER, "kafka-cluster", PatternType.LITERAL);
    assertThat(SimpleAclRuleResource.fromCrd(resource).toKafkaResourcePattern(), is(expectedKafkaClusterResourcePattern));
}
 

@Test
public void shouldRunQueryWithChangeLogsAgainstKafkaClusterWithAclsAndCustomPrefixed()
    throws Exception {
  // Given:
  outputTopic = "ACLS_TEST_4";

  givenAllowAcl(NORMAL_USER, ResourceType.CLUSTER, "kafka-cluster",
                ImmutableSet.of(AclOperation.DESCRIBE_CONFIGS, AclOperation.CREATE));

  givenAllowAcl(NORMAL_USER, ResourceType.TOPIC, INPUT_TOPIC,
                ImmutableSet.of(AclOperation.DESCRIBE, AclOperation.READ));

  givenAllowAcl(NORMAL_USER, ResourceType.TOPIC, "__consumer_offsets",
                ImmutableSet.of(AclOperation.DESCRIBE));

  givenAllowAcl(NORMAL_USER, ResourceType.TOPIC, outputTopic,
                ImmutableSet.of(AclOperation.DESCRIBE, AclOperation.WRITE));

  givenAllowAcl(NORMAL_USER, ResourceType.TOPIC,
                "_confluent-ksql-t4_query_CTAS_ACLS_TEST_4-KSTREAM-AGGREGATE-STATE-STORE-0000000006-repartition",
                ImmutableSet.of(AclOperation.DESCRIBE, AclOperation.READ, AclOperation.WRITE,
                                AclOperation.DELETE));

  givenAllowAcl(NORMAL_USER, ResourceType.TOPIC,
                "_confluent-ksql-t4_query_CTAS_ACLS_TEST_4-KSTREAM-AGGREGATE-STATE-STORE-0000000006-changelog",
                ImmutableSet
                    .of(AclOperation.DESCRIBE, /* READ for recovery, */ AclOperation.WRITE,
                        AclOperation.DELETE));

  givenAllowAcl(NORMAL_USER, ResourceType.GROUP, "_confluent-ksql-t4_query_CTAS_ACLS_TEST_4",
                ImmutableSet.of(AclOperation.DESCRIBE, AclOperation.READ));

  final Map<String, Object> ksqlConfig = getKsqlConfig(NORMAL_USER);
  ksqlConfig.put(KsqlConfig.KSQL_SERVICE_ID_CONFIG, "t4_");
  givenTestSetupWithConfig(ksqlConfig);

  // Then:
  assertCanRunRepartitioningKsqlQuery();
}
 

/**
 * Topology ACL binding wrapper class constructor
 *
 * @param resourceType The resource type as described in ResourceType
 * @param resourceName The resource name
 * @param host the host this acl is allowed to
 * @param operation an operation
 * @param principal the selected principal
 * @param pattern a pattern to match this acl
 */
public TopologyAclBinding(
    ResourceType resourceType,
    String resourceName,
    String host,
    String operation,
    String principal,
    String pattern) {
  this.resourceType = resourceType;
  this.resourceName = resourceName;
  this.host = host;
  this.operation = operation;
  this.principal = principal;
  this.pattern = pattern;
}
 

/**
 * Build method
 *
 * @param resourceTypeString
 * @param resourceName
 * @param host
 * @param operation
 * @param principal
 * @param pattern
 * @return
 */
public static TopologyAclBinding build(
    String resourceTypeString,
    String resourceName,
    String host,
    String operation,
    String principal,
    String pattern) {

  ResourceType resourceType = ResourceType.valueOf(resourceTypeString);
  return new TopologyAclBinding(resourceType, resourceName, host, operation, principal, pattern);
}
 

public List<AclBinding> setAclsForControlCenter(String principal, String appId)
    throws IOException {
  List<AclBinding> bindings = new ArrayList<>();

  bindings.add(buildGroupLevelAcl(principal, appId, PatternType.PREFIXED, AclOperation.READ));
  bindings.add(
      buildGroupLevelAcl(principal, appId + "-command", PatternType.PREFIXED, AclOperation.READ));

  Arrays.asList("_confluent-monitoring", "_confluent-command", " _confluent-metrics")
      .forEach(
          topic ->
              Stream.of(
                      AclOperation.WRITE,
                      AclOperation.READ,
                      AclOperation.CREATE,
                      AclOperation.DESCRIBE)
                  .map(
                      aclOperation ->
                          buildTopicLevelAcl(principal, topic, PatternType.LITERAL, aclOperation))
                  .forEach(aclBinding -> bindings.add(aclBinding)));

  Stream.of(AclOperation.WRITE, AclOperation.READ, AclOperation.CREATE, AclOperation.DESCRIBE)
      .map(
          aclOperation ->
              buildTopicLevelAcl(principal, appId, PatternType.PREFIXED, aclOperation))
      .forEach(aclBinding -> bindings.add(aclBinding));

  ResourcePattern resourcePattern =
      new ResourcePattern(ResourceType.CLUSTER, "kafka-cluster", PatternType.LITERAL);
  AccessControlEntry entry =
      new AccessControlEntry(principal, "*", AclOperation.DESCRIBE, AclPermissionType.ALLOW);
  bindings.add(new AclBinding(resourcePattern, entry));

  entry =
      new AccessControlEntry(
          principal, "*", AclOperation.DESCRIBE_CONFIGS, AclPermissionType.ALLOW);
  bindings.add(new AclBinding(resourcePattern, entry));
  createAcls(bindings);
  return bindings;
}
 

public List<AclBinding> setAclsForConnect(
    String principal, String topicPrefix, List<String> readTopics, List<String> writeTopics)
    throws IOException {

  List<AclBinding> acls = new ArrayList<>();

  List<String> topics = Arrays.asList("connect-status", "connect-offsets", "connect-configs");
  for (String topic : topics) {
    acls.add(buildTopicLevelAcl(principal, topic, PatternType.LITERAL, AclOperation.READ));
    acls.add(buildTopicLevelAcl(principal, topic, PatternType.LITERAL, AclOperation.WRITE));
  }

  ResourcePattern resourcePattern =
      new ResourcePattern(ResourceType.CLUSTER, "kafka-cluster", PatternType.LITERAL);
  AccessControlEntry entry =
      new AccessControlEntry(principal, "*", AclOperation.CREATE, AclPermissionType.ALLOW);
  acls.add(new AclBinding(resourcePattern, entry));

  resourcePattern = new ResourcePattern(ResourceType.GROUP, "*", PatternType.LITERAL);
  entry = new AccessControlEntry(principal, "*", AclOperation.READ, AclPermissionType.ALLOW);
  acls.add(new AclBinding(resourcePattern, entry));

  if (readTopics != null) {
    readTopics.forEach(
        topic -> {
          acls.add(buildTopicLevelAcl(principal, topic, PatternType.LITERAL, AclOperation.READ));
        });
  }

  if (writeTopics != null) {
    writeTopics.forEach(
        topic -> {
          acls.add(buildTopicLevelAcl(principal, topic, PatternType.LITERAL, AclOperation.WRITE));
        });
  }

  createAcls(acls);
  return acls;
}
 

private AclBinding buildTopicLevelAcl(
    String principal, String topic, PatternType patternType, AclOperation op) {
  return new AclBuilder(principal)
      .addResource(ResourceType.TOPIC, topic, patternType)
      .addControlEntry("*", op, AclPermissionType.ALLOW)
      .build();
}
 

private AclBinding buildGroupLevelAcl(
    String principal, String group, PatternType patternType, AclOperation op) {
  return new AclBuilder(principal)
      .addResource(ResourceType.GROUP, group, patternType)
      .addControlEntry("*", op, AclPermissionType.ALLOW)
      .build();
}
 

private void verifyProducerAcls(List<Producer> producers, String topic)
    throws InterruptedException, ExecutionException {

  for (Producer producer : producers) {
    ResourcePatternFilter resourceFilter = ResourcePatternFilter.ANY;
    AccessControlEntryFilter entryFilter =
        new AccessControlEntryFilter(
            producer.getPrincipal(), null, AclOperation.ANY, AclPermissionType.ALLOW);

    AclBindingFilter filter = new AclBindingFilter(resourceFilter, entryFilter);
    Collection<AclBinding> acls = kafkaAdminClient.describeAcls(filter).values().get();

    Assert.assertEquals(2, acls.size());

    List<ResourceType> types =
        acls.stream()
            .map(aclBinding -> aclBinding.pattern().resourceType())
            .collect(Collectors.toList());

    Assert.assertTrue(types.contains(ResourceType.TOPIC));

    List<AclOperation> ops =
        acls.stream()
            .map(aclsBinding -> aclsBinding.entry().operation())
            .collect(Collectors.toList());

    Assert.assertTrue(ops.contains(AclOperation.DESCRIBE));
    Assert.assertTrue(ops.contains(AclOperation.WRITE));
  }
}