CLI-979 Refactor ccloud kafka acl parameter names to match those of REST #943
…ing REST Proxy API
Some questions about some of the fields, in particular Principal vs. ServiceAccountId, but otherwise this is mostly good
internal/pkg/acl/acl.go
Outdated
@@ -345,8 +345,8 @@ func PrintACLsFromKafkaRestResponseWithMap(cmd *cobra.Command, aclGetResp kafkar | |||
cmd.Flags().StringP(output.FlagName, output.ShortHandFlag, output.DefaultValue, output.Usage) | |||
} | |||
|
|||
aclListFields := []string{"UserId", "ServiceAccountId", "Permission", "Operation", "Resource", "Name", "Type"} | |||
aclListStructuredRenames := []string{"user_id", "service_account_id", "permission", "operation", "resource", "name", "type"} | |||
aclListFields := []string{"Principal", "ServiceAccountId", "Permission", "Operation", "ResourceType", "ResourceName", "PatternType"} |
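Review bot: The replacement for aclListStructuredRenames is not visible in this hunk, while aclListFields changes five of its seven entries ("UserId" to "Principal", and "Resource", "Name", "Type" to "ResourceType", "ResourceName", "PatternType"). Confirm the renames slice is updated in the same commit with seven entries in the same order as aclListFields, so structured output does not label a column with a stale key such as "user_id". Separately, "Principal" and "ServiceAccountId" sit side by side in the new list; if both identify the same account, keep one column so the listing has a single identity to audit.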
Oh, why do we have both Principal and ServiceAccountId here?
principal is like 'User: 12345' and service account is 'sa-12345'
So does the REST Proxy API also have a service account ID field / service account resource ID field? Or are you saying that this is just an extra field that we show in the CLI, even though the REST Proxy API doesn't use it?
No, the acl data doesn't have a sa id field. We're doing a map lookup using the principal to get the corresponding sa id.
@MuweiHe I commented about this below, but we should check if ACLs can only be created on a per SA basis, or if they can also be made on a per User basis.
But either way, I think you're using the integer ID to do the map lookup to get the resource ID for the service account. Since we're trying to deprecate the integer ID, we should just replace the integer ID with the resource ID in the principal column. I.e. Something like this:
Principal:
User:sa-123
@mtodzo ACLs only make sense when created for a sa to my understanding 'cause saID is a required param, and admin users should already have access to resources thus don't need acls. Right now the backend service is using the numeric ID principal like 'User:123' to manage acls. So for now I can do a lookup from 'User:123' to 'sa-123' and put that under the Principal column. Is that ok?
We should update the --service-account flag as well to be --principal. Also, we should figure out whether ACLs can be configured for users (see #929 (comment))
like in {"Principal", "ServiceAccountId", "Permission", "Operation", "ResourceType", "ResourceName", "PatternType"} The first column is like 'User: 1234' the second 'sa-12345'. So do we remove the first column and rename the second to be principal?
Yeah, except it should probably include the principal prefix, so it would be User:sa-12345 ... maybe check with Ethan, but yeah the 1234 in User:1234 is the numeric ID that we don't want to show.
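The principal translation discussed in this thread ('User:123' to 'User:sa-123' via a map lookup), as an added example that is not code from this pull request or the CLI. The function name `DisplayPrincipal`, the map type and the sample IDs are assumptions; the point shown is that a failed lookup is reported to the caller rather than printed as a blank or silently unchanged principal.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const userPrefix = "User:"

// DisplayPrincipal (hypothetical helper) converts a backend principal such as
// "User:123" into "User:sa-123" using a numeric-ID -> resource-ID map.
// ok is false when the principal cannot be translated, so the caller can flag
// the ACL row instead of printing an empty or misleading Principal cell.
func DisplayPrincipal(principal string, saByNumericID map[int32]string) (string, bool) {
	if !strings.HasPrefix(principal, userPrefix) {
		return principal, false // not a "User:" principal
	}
	rest := strings.TrimSpace(strings.TrimPrefix(principal, userPrefix))
	if strings.HasPrefix(rest, "sa-") {
		return userPrefix + rest, true // already carries a resource ID
	}
	id, err := strconv.ParseInt(rest, 10, 32)
	if err != nil {
		return principal, false // empty or non-numeric ID, e.g. "User:"
	}
	resourceID, found := saByNumericID[int32(id)]
	if !found {
		return principal, false // no service account known for this numeric ID
	}
	return userPrefix + resourceID, true
}

func main() {
	// Constructed sample data, not taken from any real cluster.
	known := map[int32]string{123: "sa-123"}
	for _, p := range []string{"User:123", "User: 123", "User:", "User:999", "User:sa-123"} {
		out, ok := DisplayPrincipal(p, known)
		fmt.Printf("%-14q -> %q translated=%v\n", p, out, ok)
	}
}
```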
8abee17
to
9167a84
Compare
I left a question, but, this looks good to me overall. I would like @mtodzo to give the final +1 though since he is most familiar with the REST interface. Thank you!
few comments, but after those looks good!
User:0 | ALLOW | DESCRIBE | TOPIC | 'test-topic' | LITERAL | ||
Principal | Permission | Operation | ResourceType | ResourceName | PatternType | ||
+-----------+------------+-----------+--------------+--------------+-------------+ | ||
User: | ALLOW | READ | TOPIC | 'test-topic' | LITERAL |
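Review bot: The last row prints the Principal as "User:" with nothing after the prefix, so the listing does not say who holds ALLOW READ on 'test-topic'. If this fixture is exercised by a test, give the row a concrete principal, and cover the no-ID case in a separate row whose expected output is decided explicitly rather than left blank.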
is this expected to be empty? User:
This file is not used anywhere... I might have changed it to be safe.
Should we delete it if it's not used anywhere?
lgtm!
Checklist
[CRUCIAL] Is the change for CP or CCloud functionalities that are already live in prod?
Did you add/update any commands that accept secrets as args/flags?
What
Change ccloud kafka acl flag names to match the REST Proxy params
Changes would be: {"ServiceAccountId", "Permission", "Operation", "Resource", "Name", "Type"} --> {"Principal", "Permission", "Operation", "ResourceType", "ResourceName", "PatternType"}
Note: this is a breaking change that would ship in ccloud v2.0
References
Test&Review