From 45d32f446f6d10bff00d1e32a8b036313a2f808b Mon Sep 17 00:00:00 2001 From: Francesco D'Orlandi Date: Mon, 2 Dec 2024 16:55:27 +0100 Subject: [PATCH] add(kafka): commands for managing native ACLs --- docs/tools/cli/service-cli.md | 7 +++ docs/tools/cli/service/acl.md | 2 +- docs/tools/cli/service/kafka-acl.md | 71 +++++++++++++++++++++++++++++ sidebars.ts | 1 + 4 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 docs/tools/cli/service/kafka-acl.md diff --git a/docs/tools/cli/service-cli.md b/docs/tools/cli/service-cli.md index db066b79f..1daa4cddc 100644 --- a/docs/tools/cli/service-cli.md +++ b/docs/tools/cli/service-cli.md @@ -233,6 +233,13 @@ More information on `integration-delete`, `integration-endpoint-create`, can be found in [the dedicated page](service/integration). +### `avn service kafka-acl` + +Manages the Apache Kafka® native ACL entries. + +More information on `kafka-acl-add`, `kafka-acl-delete` and `kafka-acl-list` can be found +in [the dedicated page](service/kafka-acl). + ### `avn service keypair get` Service keypair commands. The use cases for this command are limited to diff --git a/docs/tools/cli/service/acl.md b/docs/tools/cli/service/acl.md index 94f53b225..4701d1193 100644 --- a/docs/tools/cli/service/acl.md +++ b/docs/tools/cli/service/acl.md @@ -58,7 +58,7 @@ Lists Aiven for Apache Kafka® ACL entries. avn service acl-list kafka-doc ``` -An example of `account service acl-list` output: +An example of `avn service acl-list` output: ```text ID USERNAME TOPIC PERMISSION diff --git a/docs/tools/cli/service/kafka-acl.md b/docs/tools/cli/service/kafka-acl.md new file mode 100644 index 000000000..5596802ff --- /dev/null +++ b/docs/tools/cli/service/kafka-acl.md 
@@ -0,0 +1,71 @@ +--- +title: avn service kafka-acl +--- + +Full list of commands for `avn service kafka-acl`. + +## Manage Apache Kafka® native access control lists + +Commands for managing Apache Kafka® native ACLs via `avn` commands. + +### `avn service kafka-acl-add` + +Adds an Apache Kafka® native ACL entry. + +| Parameter | Information | +| ------------------------- | ------------------------------------------------------------------------------- | +| `service_name` | The name of the service | +| `--principal` | The principal for the ACLs, must be in the form User:name | +| `--topic` | Topic resource type to which ACL should be added | +| `--group` | Group resource type to which ACL should be added | +| `--cluster` | The ACL is applied to the clusger resource | +| `--transactional-id` | TransactionalId resource type to which ACL should be added | +| `--operation` | The operation type: possible values are `Describe`,`DescribeConfigs`,
`Alter`,`IdempotentWrite`,`Read`,`Delete`,`Create`,`ClusterAction`,
`All`,`Write`,`AlterConfigs`,`CreateTokens`,`DescribeTokens` | +| `--host` | The host for the ACLs, a value of '*' matches all hosts (default: *) | +| `--resource-pattern-type` | The type of the resource pattern, can be LITERAL or PREFIXED (default: LITERAL) | +! `--deny` | Create a DENY rule (default is ALLOW) | + +**Example:** Add an ACLs for user `userA` to `Read` on topics having name starting +with `topic2020` in the service `kafka-doc`. + +``` +avn service kafka-acl-add kafka-doc --principal User:userA --operation Read --topic topic2020 --resource-pattern-type PREFIXED +``` + +### `avn service kafka-acl-delete` + +Deletes an Apache Kafka® native ACL entry. + +| Parameter | Information | +| -------------- | --------------------------- | +| `service_name` | The name of the service | +| `acl_id` | The id of the ACL to delete | + +**Example:** Delete the native ACL with id `acl3604f96c74a` on service named `kafka-doc`. + +``` +avn service kafka-acl-delete kafka-doc acl3604f96c74a +``` + +### `avn service kafka-acl-list` + +Lists Apache Kafka® native ACL entries. + +| Parameter | Information | +| -------------- | ----------------------- | +| `service_name` | The name of the service | + +**Example:** List the ACLs defined for a service named `kafka-doc`. + +``` +avn service kafka-acl-list kafka-doc +``` + +An example of `avn service kafka-acl-list` output: + +```text +ID PERMISSION_TYPE PRINCIPAL OPERATION RESOURCE_TYPE PATTERN_TYPE RESOURCE_NAME HOST +============== =============== ========== ========= ============= ============ ============= ==== +acl4f9ed69c8aa ALLOW User:John Write Topic LITERAL orders * +acl4f9ed6e6371 ALLOW User:Frida Write Topic PREFIXED invoices * +``` diff --git a/sidebars.ts b/sidebars.ts index 2bbdfbf7a..e7325d087 100644 --- a/sidebars.ts +++ b/sidebars.ts 
@@ -465,6 +465,7 @@ const sidebars: SidebarsConfig = { 'tools/cli/service/es-acl', 'tools/cli/service/flink', 'tools/cli/service/integration', + 'tools/cli/service/kafka-acl', 'tools/cli/service/m3', 'tools/cli/service/privatelink', 'tools/cli/service/schema-registry-acl',
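Review bot: in docs/tools/cli/service-cli.md, the new `avn service kafka-acl` section does not tell the reader how "native" ACL entries relate to the entries handled by `avn service acl-list` in docs/tools/cli/service/acl.md, which this same patch touches. The two list outputs have different columns (`USERNAME TOPIC PERMISSION` there, `PERMISSION_TYPE PRINCIPAL OPERATION RESOURCE_TYPE ...` here), so someone auditing access on a service needs to know that both command sets exist and which one they are looking at. Suggest adding one sentence under "Manages the Apache Kafka® native ACL entries." that states the difference, plus a cross-link between the two dedicated pages.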
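Review bot: in docs/tools/cli/service/kafka-acl.md, the last row of the `kafka-acl-add` parameter table starts with `!` instead of `|` (`+! `--deny` | Create a DENY rule (default is ALLOW) |`), so `--deny` will fall out of the rendered table; change the leading character to `|`. In the same table, `clusger` should be `cluster`, and if the line breaks inside the `--operation` cell are literal in the file, that row will not render as a single table row either. The example text reads "Add an ACLs"; it should be "Add an ACL". Two documentation gaps are worth closing while here: the table does not say whether `--topic`, `--group`, `--cluster` and `--transactional-id` can be combined in one call, and the example does not mention that, with the stated defaults (`--host` of `*`, ALLOW unless `--deny` is given), the command grants `Read` from any host on every topic whose name starts with `topic2020`. A short sentence after the example saying so, and a DENY row in the sample `kafka-acl-list` output, would make the effect of the defaults visible to readers. Finally, the three command examples use a bare code fence while the output block uses `text`; pick one convention for the page.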