Add new Kafka Role to the docs #3186
Conversation
|
test-me-please |
d942605 to
610d560
Compare
|
test-me-please |
610d560 to
1655cc1
Compare
|
test-me-please |
Documentation/policy/language.rst
Outdated
| message. If set, it has to be a string representing a positive integer. If | ||
| omitted or empty, all versions are allowed. | ||
| Role | ||
| Role is a case-insensitive string and describes a group of API keys |
There was a problem hiding this comment.
case-insensitive string which describes...
Documentation/policy/language.rst
Outdated
| The following values are supported: | ||
| - "produce": Allow producing to the topics specified in the rule | ||
| - "consume": Allow consuming from the topics specified in the rule | ||
| This field is incompatible with the APIKey field, i.e either APIKey or Role |
There was a problem hiding this comment.
either APIKey or Role can be specified -> APIKey and Role cannot both be specified in the same rule
pkg/policy/api/rule.go
Outdated
| // | ||
| // If omitted or empty, the field has no effect and the logic of the APIKey | ||
| // field applies. | ||
| // This field is incompatible with the APIKey field, i.e either APIKey or Role |
There was a problem hiding this comment.
If you take my suggestion above, this one needs updating too.
Documentation/policy/language.rst
Outdated
| - "consume": Allow consuming from the topics specified in the rule | ||
| This field is incompatible with the APIKey field, either APIKey or Role | ||
| may be specified. If omitted or empty, all keys are allowed, if APIKey is also | ||
| the empty |
0f231d7 to
d28ae7a
Compare
|
test-me-please |
fd9eaa0 to
cdeead4
Compare
|
test-me-please |
cdeead4 to
34f03ca
Compare
|
test-me-please |
|
@ianvernon @joestringer : Addressed review comments. Need an approval if everything looks ok. |
|
@eloycoto : Still seeing this test flake unrelated to my docs changes |
|
test-me-please |
Documentation/policy/language.rst
Outdated
|
|
||
| This field is incompatible with the APIKey field, i.e APIKey and Role | ||
| cannot both be specified in the same rule. | ||
| If omitted or empty, all keys are allowed. |
There was a problem hiding this comment.
This last sentence is not true. If omitted, APIKey can still be specified. This needs to be clear.
There was a problem hiding this comment.
Changing this to : If omitted or empty, and if APIKey is not specified then all keys are allowed.
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
| Only allow producing to topic empire-announce using Role | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
There was a problem hiding this comment.
This needs a sentence here that describes the motivation of role and when to use roles and when to use apiKeys.
There was a problem hiding this comment.
Planning to add this:
PortRuleKafka is a list of Kafka protocol constraints. All fields are optional,
if all fields are empty or missing, the rule will match all Kafka messages.
There are two ways to specify the Kafka rules. We can choose to specify a
high level "produce" or "consume" role to a topic or choose to specify more
low level kafka protocol specific apiKeys. Thus the rule allows us to specify both
high level role constructs as well as low level Kafka protocol constructs.
There was a problem hiding this comment.
done, please let me know if you think this needs to be improved.
| @@ -0,0 +1,23 @@ | |||
| apiVersion: "cilium.io/v2" | |||
There was a problem hiding this comment.
Rename the filename to all lowercase
pkg/policy/api/rule.go
Outdated
| // | ||
| // If omitted or empty, all keys are allowed. |
There was a problem hiding this comment.
Changed to If omitted or empty, and if Role is not specified, then all keys are allowed.
4820782 to
772cd7c
Compare
|
test-me-please |
|
I am seeing a lot of unrelated CI errors. Not sure what's the best route here? Trying CI again. |
|
test-me-please |
All PRs are seeing these right now. Nee to investigate tomorrow. |
Documentation/policy/language.rst
Outdated
| @@ -524,20 +524,38 @@ Kafka (Tech Preview) | |||
|
|
|||
| PortRuleKafka is a list of Kafka protocol constraints. All fields are optional, | |||
| if all fields are empty or missing, the rule will match all Kafka messages. | |||
| There are two ways to specify the Kafka rules. We can choose to specify a | |||
| high level "produce" or "consume" role to a topic or choose to specify more | |||
Documentation/policy/language.rst
Outdated
| @@ -524,20 +524,38 @@ Kafka (Tech Preview) | |||
|
|
|||
| PortRuleKafka is a list of Kafka protocol constraints. All fields are optional, | |||
| if all fields are empty or missing, the rule will match all Kafka messages. | |||
| There are two ways to specify the Kafka rules. We can choose to specify a | |||
| high level "produce" or "consume" role to a topic or choose to specify more | |||
| low level kafka protocol specific apiKeys. Thus the rule allows us to specify | |||
Documentation/policy/language.rst
Outdated
| There are two ways to specify the Kafka rules. We can choose to specify a | ||
| high level "produce" or "consume" role to a topic or choose to specify more | ||
| low level kafka protocol specific apiKeys. Thus the rule allows us to specify | ||
| both high level role constructs as well as low level Kafka protocol constructs. |
There was a problem hiding this comment.
These last two sentences appear to state the same thing. Perhaps replace the last sentence with something like:
"Writing rules based on Kafka roles is easier and covers most common use cases, however if more granularity is needed then users can alternatively write rules using specific apiKeys."
Documentation/policy/language.rst
Outdated
|
|
||
| The following fields can be matched on: | ||
|
|
||
| Role | ||
| Role is a case-insensitive string which describes a group of API keys | ||
| necessary to perform certain higher level Kafka operations such as "produce" |
Documentation/policy/language.rst
Outdated
| Role is a case-insensitive string which describes a group of API keys | ||
| necessary to perform certain higher level Kafka operations such as "produce" | ||
| or "consume". A Role automatically expands into all APIKeys required | ||
| to perform the specified higher level operation. |
772cd7c to
b62c833
Compare
|
test-me-please |
This change fixes the `Policy` docs to reflect the new `Kafka Role` Fixes: #3118 Signed-off-by: Manali Bhutiyani <manali@covalent.io>
…ents This change makes the `PortRuleKafka` fields consistent with the docs and also improves/corrects the comments. Fixes: #3118 Signed-off-by: Manali Bhutiyani <manali@covalent.io>
…presentation The yaml and json representation of kafka policy was inconsistent. This change fixes this inconsistency. Fixes: #3118 Signed-Off-By: Manali Bhutiyani <manali@covalent.io>
…role Fixes: #3118 Signed-Off-By: Manali Bhutiyani <manali@covalent
b62c833 to
dd4e172
Compare
Fixes: #3118
Signed-off-by: Manali Bhutiyani manali@covalent.io