KAFKA-3152; kafka-acl doesn't allow space in principal name

* Add quotes to `$` in shell scripts This is necessary for correct processing of quotes in the user command. * Minor improvements to AclCommand messages * Use a principal with a space in `SslEndToEndAuthorizationTest` This passed without any other changes, but good avoid regressions. * Clean-up `TestSslUtils`: Remove unused methods, fix unnecessary verbosity and don't set security.protocol (it should be done at a higher-level). Author: Ismael Juma <ismael@juma.me.uk> Reviewers: Grant Henke <granthenke@gmail.com>, Jun Rao <junrao@gmail.com Closes #818 from ijuma/kafka-3152-kafka-acl-space-in-principal
9 years ago · 523562c109
28 changed files with 75 additions and 103 deletions
--- a/bin/kafka-acls.sh
+++ b/bin/kafka-acls.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.admin.AclCommand $@
+exec $(dirname $0)/kafka-run-class.sh kafka.admin.AclCommand "$@"
--- a/bin/kafka-configs.sh
+++ b/bin/kafka-configs.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.admin.ConfigCommand $@
+exec $(dirname $0)/kafka-run-class.sh kafka.admin.ConfigCommand "$@"
--- a/bin/kafka-console-consumer.sh
+++ b/bin/kafka-console-consumer.sh
@ -18,4 +18,4 @@ if [ "x$KAFKA_HEAP_OPTS" = "x" ]; then
				@@ -18,4 +18,4 @@ if [ "x$KAFKA_HEAP_OPTS" = "x" ]; then
    export KAFKA_HEAP_OPTS="-Xmx512M"
 fi

-exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsoleConsumer $@
+exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsoleConsumer "$@"
--- a/bin/kafka-console-producer.sh
+++ b/bin/kafka-console-producer.sh
@ -17,4 +17,4 @@
				@@ -17,4 +17,4 @@
 if [ "x$KAFKA_HEAP_OPTS" = "x" ]; then
    export KAFKA_HEAP_OPTS="-Xmx512M"
 fi
-exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsoleProducer $@
+exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsoleProducer "$@"
--- a/bin/kafka-consumer-groups.sh
+++ b/bin/kafka-consumer-groups.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.admin.ConsumerGroupCommand $@
+exec $(dirname $0)/kafka-run-class.sh kafka.admin.ConsumerGroupCommand "$@"
--- a/bin/kafka-consumer-offset-checker.sh
+++ b/bin/kafka-consumer-offset-checker.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsumerOffsetChecker $@
+exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsumerOffsetChecker "$@"
--- a/bin/kafka-consumer-perf-test.sh
+++ b/bin/kafka-consumer-perf-test.sh
@ -17,4 +17,4 @@
				@@ -17,4 +17,4 @@
 if [ "x$KAFKA_HEAP_OPTS" = "x" ]; then
    export KAFKA_HEAP_OPTS="-Xmx512M"
 fi
-exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsumerPerformance $@
+exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsumerPerformance "$@"
--- a/bin/kafka-mirror-maker.sh
+++ b/bin/kafka-mirror-maker.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.tools.MirrorMaker $@
+exec $(dirname $0)/kafka-run-class.sh kafka.tools.MirrorMaker "$@"
--- a/bin/kafka-preferred-replica-election.sh
+++ b/bin/kafka-preferred-replica-election.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.admin.PreferredReplicaLeaderElectionCommand $@
+exec $(dirname $0)/kafka-run-class.sh kafka.admin.PreferredReplicaLeaderElectionCommand "$@"
--- a/bin/kafka-producer-perf-test.sh
+++ b/bin/kafka-producer-perf-test.sh
@ -17,4 +17,4 @@
				@@ -17,4 +17,4 @@
 if [ "x$KAFKA_HEAP_OPTS" = "x" ]; then
    export KAFKA_HEAP_OPTS="-Xmx512M"
 fi
-exec $(dirname $0)/kafka-run-class.sh org.apache.kafka.tools.ProducerPerformance $@
+exec $(dirname $0)/kafka-run-class.sh org.apache.kafka.tools.ProducerPerformance "$@"
--- a/bin/kafka-reassign-partitions.sh
+++ b/bin/kafka-reassign-partitions.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.admin.ReassignPartitionsCommand $@
+exec $(dirname $0)/kafka-run-class.sh kafka.admin.ReassignPartitionsCommand "$@"
--- a/bin/kafka-replay-log-producer.sh
+++ b/bin/kafka-replay-log-producer.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.tools.ReplayLogProducer $@
+exec $(dirname $0)/kafka-run-class.sh kafka.tools.ReplayLogProducer "$@"
--- a/bin/kafka-replica-verification.sh
+++ b/bin/kafka-replica-verification.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.tools.ReplicaVerificationTool $@
+exec $(dirname $0)/kafka-run-class.sh kafka.tools.ReplicaVerificationTool "$@"
--- a/bin/kafka-server-start.sh
+++ b/bin/kafka-server-start.sh
@ -41,4 +41,4 @@ case $COMMAND in
				@@ -41,4 +41,4 @@ case $COMMAND in
    ;;
 esac

-exec $base_dir/kafka-run-class.sh $EXTRA_ARGS kafka.Kafka $@
+exec $base_dir/kafka-run-class.sh $EXTRA_ARGS kafka.Kafka "$@"
--- a/bin/kafka-simple-consumer-shell.sh
+++ b/bin/kafka-simple-consumer-shell.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.tools.SimpleConsumerShell $@
+exec $(dirname $0)/kafka-run-class.sh kafka.tools.SimpleConsumerShell "$@"
--- a/bin/kafka-topics.sh
+++ b/bin/kafka-topics.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.admin.TopicCommand $@
+exec $(dirname $0)/kafka-run-class.sh kafka.admin.TopicCommand "$@"
--- a/bin/kafka-verifiable-consumer.sh
+++ b/bin/kafka-verifiable-consumer.sh
@ -17,4 +17,4 @@
				@@ -17,4 +17,4 @@
 if [ "x$KAFKA_HEAP_OPTS" = "x" ]; then
    export KAFKA_HEAP_OPTS="-Xmx512M"
 fi
-exec $(dirname $0)/kafka-run-class.sh org.apache.kafka.tools.VerifiableConsumer $@
+exec $(dirname $0)/kafka-run-class.sh org.apache.kafka.tools.VerifiableConsumer "$@"
--- a/bin/kafka-verifiable-producer.sh
+++ b/bin/kafka-verifiable-producer.sh
@ -17,4 +17,4 @@
				@@ -17,4 +17,4 @@
 if [ "x$KAFKA_HEAP_OPTS" = "x" ]; then
    export KAFKA_HEAP_OPTS="-Xmx512M"
 fi
-exec $(dirname $0)/kafka-run-class.sh org.apache.kafka.tools.VerifiableProducer $@
+exec $(dirname $0)/kafka-run-class.sh org.apache.kafka.tools.VerifiableProducer "$@"
--- a/bin/zookeeper-security-migration.sh
+++ b/bin/zookeeper-security-migration.sh
@ -14,4 +14,4 @@
				@@ -14,4 +14,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-exec $(dirname $0)/kafka-run-class.sh kafka.admin.ZkSecurityMigrator $@
+exec $(dirname $0)/kafka-run-class.sh kafka.admin.ZkSecurityMigrator "$@"
--- a/bin/zookeeper-server-start.sh
+++ b/bin/zookeeper-server-start.sh
@ -41,5 +41,4 @@ case $COMMAND in
				@@ -41,5 +41,4 @@ case $COMMAND in
     ;;
 esac

-exec $base_dir/kafka-run-class.sh $EXTRA_ARGS org.apache.zookeeper.server.quorum.QuorumPeerMain $@
-
+exec $base_dir/kafka-run-class.sh $EXTRA_ARGS org.apache.zookeeper.server.quorum.QuorumPeerMain "$@"
--- a/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/EchoServer.java
@ -37,20 +37,23 @@ class EchoServer extends Thread {
				@@ -37,20 +37,23 @@ class EchoServer extends Thread {
    private final ServerSocket serverSocket;
    private final List<Thread> threads;
    private final List<Socket> sockets;
-    private SecurityProtocol protocol = SecurityProtocol.PLAINTEXT;
-    private SslFactory sslFactory;
+    private final SslFactory sslFactory;
    private final AtomicBoolean renegotiate = new AtomicBoolean();

-    public EchoServer(Map<String, ?> configs) throws Exception {
-        this.protocol =  configs.containsKey("security.protocol") ?
-            SecurityProtocol.forName((String) configs.get("security.protocol")) : SecurityProtocol.PLAINTEXT;
-        if (protocol == SecurityProtocol.SSL) {
-            this.sslFactory = new SslFactory(Mode.SERVER);
-            this.sslFactory.configure(configs);
-            SSLContext sslContext = this.sslFactory.sslContext();
-            this.serverSocket = sslContext.getServerSocketFactory().createServerSocket(0);
-        } else {
-            this.serverSocket = new ServerSocket(0);
+    public EchoServer(SecurityProtocol securityProtocol, Map<String, ?> configs) throws Exception {
+        switch (securityProtocol) {
+            case SSL:
+                this.sslFactory = new SslFactory(Mode.SERVER);
+                this.sslFactory.configure(configs);
+                SSLContext sslContext = this.sslFactory.sslContext();
+                this.serverSocket = sslContext.getServerSocketFactory().createServerSocket(0);
+                break;
+            case PLAINTEXT:
+                this.serverSocket = new ServerSocket(0);
+                this.sslFactory = null;
+                break;
+            default:
+                throw new IllegalArgumentException("Unsupported securityProtocol " + securityProtocol);
        }
        this.port = this.serverSocket.getLocalPort();
        this.threads = Collections.synchronizedList(new ArrayList<Thread>());
--- a/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SelectorTest.java
@ -23,6 +23,7 @@ import java.net.ServerSocket;
				@@ -23,6 +23,7 @@ import java.net.ServerSocket;
 import java.nio.ByteBuffer;

 import org.apache.kafka.common.metrics.Metrics;
+import org.apache.kafka.common.protocol.SecurityProtocol;
 import org.apache.kafka.common.utils.MockTime;
 import org.apache.kafka.common.utils.Time;
 import org.apache.kafka.common.utils.Utils;
@ -45,9 +46,9 @@ public class SelectorTest {
				@@ -45,9 +46,9 @@ public class SelectorTest {
    private Metrics metrics;

    @Before
-    public void setup() throws Exception {
+    public void setUp() throws Exception {
        Map<String, Object> configs = new HashMap<>();
-        this.server = new EchoServer(configs);
+        this.server = new EchoServer(SecurityProtocol.PLAINTEXT, configs);
        this.server.start();
        this.time = new MockTime();
        this.channelBuilder = new PlaintextChannelBuilder();
@ -57,7 +58,7 @@ public class SelectorTest {
				@@ -57,7 +58,7 @@ public class SelectorTest {
    }

    @After
-    public void teardown() throws Exception {
+    public void tearDown() throws Exception {
        this.selector.close();
        this.server.close();
        this.metrics.close();
--- a/clients/src/test/java/org/apache/kafka/common/network/SslSelectorTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SslSelectorTest.java
@ -26,6 +26,7 @@ import java.net.InetSocketAddress;
				@@ -26,6 +26,7 @@ import java.net.InetSocketAddress;

 import org.apache.kafka.common.metrics.Metrics;
 import org.apache.kafka.common.config.SslConfigs;
+import org.apache.kafka.common.protocol.SecurityProtocol;
 import org.apache.kafka.common.security.ssl.SslFactory;
 import org.apache.kafka.common.utils.MockTime;
 import org.apache.kafka.test.TestSslUtils;
@ -42,16 +43,15 @@ public class SslSelectorTest extends SelectorTest {
				@@ -42,16 +43,15 @@ public class SslSelectorTest extends SelectorTest {
    private Map<String, Object> sslClientConfigs;

    @Before
-    public void setup() throws Exception {
+    public void setUp() throws Exception {
        File trustStoreFile = File.createTempFile("truststore", ".jks");

        Map<String, Object> sslServerConfigs = TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile, "server");
        sslServerConfigs.put(SslConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, Class.forName(SslConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));
-        this.server = new EchoServer(sslServerConfigs);
+        this.server = new EchoServer(SecurityProtocol.SSL, sslServerConfigs);
        this.server.start();
        this.time = new MockTime();
-        sslClientConfigs = TestSslUtils.createSslConfig(false, false, Mode.SERVER, trustStoreFile, "client");
-
+        sslClientConfigs = TestSslUtils.createSslConfig(false, false, Mode.CLIENT, trustStoreFile, "client");
        this.channelBuilder = new SslChannelBuilder(Mode.CLIENT);
        this.channelBuilder.configure(sslClientConfigs);
        this.metrics = new Metrics();
@ -59,7 +59,7 @@ public class SslSelectorTest extends SelectorTest {
				@@ -59,7 +59,7 @@ public class SslSelectorTest extends SelectorTest {
    }

    @After
-    public void teardown() throws Exception {
+    public void tearDown() throws Exception {
        this.selector.close();
        this.server.close();
        this.metrics.close();
--- a/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java
@ -71,7 +71,6 @@ public class SslTransportLayerTest {
				@@ -71,7 +71,6 @@ public class SslTransportLayerTest {
        clientCertStores = new CertStores(false, "localhost");
        sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
        sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
-
        this.channelBuilder = new SslChannelBuilder(Mode.CLIENT);
        this.channelBuilder.configure(sslClientConfigs);
        this.selector = new Selector(5000, new Metrics(), new MockTime(), "MetricGroup", channelBuilder);
@ -113,8 +112,8 @@ public class SslTransportLayerTest {
				@@ -113,8 +112,8 @@ public class SslTransportLayerTest {
        clientCertStores = new CertStores(false, "localhost");
        sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
        sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
-        createEchoServer(sslServerConfigs);
        sslClientConfigs.put(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "HTTPS");
+        createEchoServer(sslServerConfigs);
        createSelector(sslClientConfigs);
        InetSocketAddress addr = new InetSocketAddress("localhost", server.port);
        selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
--- a/clients/src/test/java/org/apache/kafka/common/security/ssl/SslFactoryTest.java
+++ b/clients/src/test/java/org/apache/kafka/common/security/ssl/SslFactoryTest.java
@ -26,11 +26,9 @@ import static org.junit.Assert.assertEquals;
				@@ -26,11 +26,9 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertTrue;

-
 /**
 * A set of tests for the selector over ssl. These use a test harness that runs a simple socket server that echos back responses.
 */
-
 public class SslFactoryTest {

    @Test
--- a/clients/src/test/java/org/apache/kafka/test/TestSslUtils.java
+++ b/clients/src/test/java/org/apache/kafka/test/TestSslUtils.java
@ -19,7 +19,6 @@ package org.apache.kafka.test;
				@@ -19,7 +19,6 @@ package org.apache.kafka.test;

 import org.apache.kafka.common.config.SslConfigs;
 import org.apache.kafka.common.network.Mode;
-import org.apache.kafka.clients.CommonClientConfigs;

 import java.io.File;
 import java.io.FileOutputStream;
@ -116,11 +115,8 @@ public class TestSslUtils {
				@@ -116,11 +115,8 @@ public class TestSslUtils {

    private static void saveKeyStore(KeyStore ks, String filename,
                                     Password password) throws GeneralSecurityException, IOException {
-        FileOutputStream out = new FileOutputStream(filename);
-        try {
+        try (FileOutputStream out = new FileOutputStream(filename)) {
            ks.store(out, password.value().toCharArray());
-        } finally {
-            out.close();
        }
    }

@ -154,14 +150,6 @@ public class TestSslUtils {
				@@ -154,14 +150,6 @@ public class TestSslUtils {
        saveKeyStore(ks, filename, password);
    }

-    public static void createTrustStore(String filename,
-                                        Password password, String alias,
-                                        Certificate cert) throws GeneralSecurityException, IOException {
-        KeyStore ks = createEmptyKeyStore();
-        ks.setCertificateEntry(alias, cert);
-        saveKeyStore(ks, filename, password);
-    }
-
    public static <T extends Certificate> void createTrustStore(
            String filename, Password password, Map<String, T> certs) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
@ -178,18 +166,9 @@ public class TestSslUtils {
				@@ -178,18 +166,9 @@ public class TestSslUtils {
        saveKeyStore(ks, filename, password);
    }

-    public static Map<String, X509Certificate> createX509Certificates(KeyPair keyPair)
-        throws GeneralSecurityException {
-        Map<String, X509Certificate> certs = new HashMap<String, X509Certificate>();
-        X509Certificate cert = generateCertificate("CN=localhost, O=localhost", keyPair, 30, "SHA1withRSA");
-        certs.put("localhost", cert);
-        return certs;
-    }
-
-    public static Map<String, Object> createSslConfig(Mode mode, File keyStoreFile, Password password, Password keyPassword,
+    private static Map<String, Object> createSslConfig(Mode mode, File keyStoreFile, Password password, Password keyPassword,
                                                      File trustStoreFile, Password trustStorePassword) {
        Map<String, Object> sslConfigs = new HashMap<>();
-        sslConfigs.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL"); // kafka security protocol
        sslConfigs.put(SslConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.2"); // protocol to create SSLContext

        if (mode == Mode.SERVER || (mode == Mode.CLIENT && keyStoreFile != null)) {
@ -219,27 +198,22 @@ public class TestSslUtils {
				@@ -219,27 +198,22 @@ public class TestSslUtils {

    public static  Map<String, Object> createSslConfig(boolean useClientCert, boolean trustStore, Mode mode, File trustStoreFile, String certAlias, String host)
        throws IOException, GeneralSecurityException {
-        Map<String, X509Certificate> certs = new HashMap<String, X509Certificate>();
+        Map<String, X509Certificate> certs = new HashMap<>();
        File keyStoreFile;
-        Password password;
-
-        if (mode == Mode.SERVER)
-            password = new Password("ServerPassword");
-        else
-            password = new Password("ClientPassword");
+        Password password = mode == Mode.SERVER ? new Password("ServerPassword") : new Password("ClientPassword");

        Password trustStorePassword = new Password("TrustStorePassword");

        if (useClientCert) {
            keyStoreFile = File.createTempFile("clientKS", ".jks");
            KeyPair cKP = generateKeyPair("RSA");
-            X509Certificate cCert = generateCertificate("CN=" + host + ", O=client", cKP, 30, "SHA1withRSA");
+            X509Certificate cCert = generateCertificate("CN=" + host + ", O=A client", cKP, 30, "SHA1withRSA");
            createKeyStore(keyStoreFile.getPath(), password, "client", cKP.getPrivate(), cCert);
            certs.put(certAlias, cCert);
        } else {
            keyStoreFile = File.createTempFile("serverKS", ".jks");
            KeyPair sKP = generateKeyPair("RSA");
-            X509Certificate sCert = generateCertificate("CN=" + host + ", O=server", sKP, 30,
+            X509Certificate sCert = generateCertificate("CN=" + host + ", O=A server", sKP, 30,
                                                        "SHA1withRSA");
            createKeyStore(keyStoreFile.getPath(), password, password, "server", sKP.getPrivate(), sCert);
            certs.put(certAlias, sCert);
@ -249,9 +223,7 @@ public class TestSslUtils {
				@@ -249,9 +223,7 @@ public class TestSslUtils {
            createTrustStore(trustStoreFile.getPath(), trustStorePassword, certs);
        }

-        Map<String, Object> sslConfig = createSslConfig(mode, keyStoreFile, password,
-                                                        password, trustStoreFile, trustStorePassword);
-        return sslConfig;
+        return createSslConfig(mode, keyStoreFile, password, password, trustStoreFile, trustStorePassword);
    }

 }
--- a/core/src/main/scala/kafka/admin/AclCommand.scala
+++ b/core/src/main/scala/kafka/admin/AclCommand.scala
@ -52,7 +52,7 @@ object AclCommand {
				@@ -52,7 +52,7 @@ object AclCommand {
        listAcl(opts)
    } catch {
      case e: Throwable =>
-        println(s"Error while executing topic Acl command ${e.getMessage}")
+        println(s"Error while executing ACL command: ${e.getMessage}")
        println(Utils.stackTrace(e))
        System.exit(-1)
    }
@ -79,11 +79,11 @@ object AclCommand {
				@@ -79,11 +79,11 @@ object AclCommand {
      val resourceToAcl = getResourceToAcls(opts)

      if (resourceToAcl.values.exists(_.isEmpty))
-        CommandLineUtils.printUsageAndDie(opts.parser, "You must specify one of: --allow-principal, --deny-principal when trying to add acls.")
+        CommandLineUtils.printUsageAndDie(opts.parser, "You must specify one of: --allow-principal, --deny-principal when trying to add ACLs.")

      for ((resource, acls) <- resourceToAcl) {
        val acls = resourceToAcl(resource)
-        println(s"Adding following acls for resource: $resource $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline")
+        println(s"Adding ACLs for resource `${resource}`: $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline")
        authorizer.addAcls(acls, resource)
      }

@ -97,10 +97,10 @@ object AclCommand {
				@@ -97,10 +97,10 @@ object AclCommand {

      for ((resource, acls) <- resourceToAcl) {
        if (acls.isEmpty) {
-          if (confirmAction(s"Are you sure you want to delete all acls for resource: $resource y/n?"))
+          if (confirmAction(s"Are you sure you want to delete all ACLs for resource `${resource}`? (y/n)"))
            authorizer.removeAcls(resource)
        } else {
-          if (confirmAction(s"Are you sure you want to remove acls: $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline from resource $resource y/n?"))
+          if (confirmAction(s"Are you sure you want to remove ACLs: $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline from resource `${resource}`? (y/n)"))
            authorizer.removeAcls(acls, resource)
        }
      }
@ -119,14 +119,14 @@ object AclCommand {
				@@ -119,14 +119,14 @@ object AclCommand {
        resources.map(resource => (resource -> authorizer.getAcls(resource)))

      for ((resource, acls) <- resourceToAcls)
-        println(s"Following is list of acls for resource: $resource $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline")
+        println(s"Current ACLs for resource `${resource}`: $Newline ${acls.map("\t" + _).mkString(Newline)} $Newline")
    }
  }

  private def getResourceToAcls(opts: AclCommandOptions): Map[Resource, Set[Acl]] = {
    var resourceToAcls = Map.empty[Resource, Set[Acl]]

-    //if none of the --producer or --consumer options are specified , just construct acls from CLI options.
+    //if none of the --producer or --consumer options are specified , just construct ACLs from CLI options.
    if (!opts.options.has(opts.producerOpt) && !opts.options.has(opts.consumerOpt)) {
      resourceToAcls ++= getCliResourceToAcls(opts)
    }
@ -267,22 +267,22 @@ object AclCommand {
				@@ -267,22 +267,22 @@ object AclCommand {
      .describedAs("authorizer-properties")
      .ofType(classOf[String])

-    val topicOpt = parser.accepts("topic", "topic to which acls should be added or removed. " +
-      "A value of * indicates acl should apply to all topics.")
+    val topicOpt = parser.accepts("topic", "topic to which ACLs should be added or removed. " +
+      "A value of * indicates ACL should apply to all topics.")
      .withRequiredArg
      .describedAs("topic")
      .ofType(classOf[String])

-    val clusterOpt = parser.accepts("cluster", "Add/Remove cluster acls.")
-    val groupOpt = parser.accepts("group", "Consumer Group to which the acls should be added or removed. " +
-      "A value of * indicates the acls should apply to all groups.")
+    val clusterOpt = parser.accepts("cluster", "Add/Remove cluster ACLs.")
+    val groupOpt = parser.accepts("group", "Consumer Group to which the ACLs should be added or removed. " +
+      "A value of * indicates the ACLs should apply to all groups.")
      .withRequiredArg
      .describedAs("group")
      .ofType(classOf[String])

-    val addOpt = parser.accepts("add", "Indicates you are trying to add acls.")
-    val removeOpt = parser.accepts("remove", "Indicates you are trying to remove acls.")
-    val listOpt = parser.accepts("list", "List acls for the specified resource, use --topic <topic> or --group <group> or --cluster to specify a resource.")
+    val addOpt = parser.accepts("add", "Indicates you are trying to add ACLs.")
+    val removeOpt = parser.accepts("remove", "Indicates you are trying to remove ACLs.")
+    val listOpt = parser.accepts("list", "List ACLs for the specified resource, use --topic <topic> or --group <group> or --cluster to specify a resource.")

    val operationsOpt = parser.accepts("operation", "Operation that is being allowed or denied. Valid operation names are: " + Newline +
      Operation.values.map("\t" + _).mkString(Newline) + Newline)
@ -296,10 +296,10 @@ object AclCommand {
				@@ -296,10 +296,10 @@ object AclCommand {
      .describedAs("allow-principal")
      .ofType(classOf[String])

-    val denyPrincipalsOpt = parser.accepts("deny-principal", "principal is in principalType: name format. " +
+    val denyPrincipalsOpt = parser.accepts("deny-principal", "principal is in principalType:name format. " +
      "By default anyone not added through --allow-principal is denied access. " +
      "You only need to use this option as negation to already allowed set. " +
-      "For example if you wanted to allow access to all users in the system but not test-user you can define an acl that " +
+      "For example if you wanted to allow access to all users in the system but not test-user you can define an ACL that " +
      "allows access to User:* and specify --deny-principal=User:test@EXAMPLE.COM. " +
      "AND PLEASE REMEMBER DENY RULES TAKES PRECEDENCE OVER ALLOW RULES.")
      .withRequiredArg
@ -318,11 +318,11 @@ object AclCommand {
				@@ -318,11 +318,11 @@ object AclCommand {
      .describedAs("deny-host")
      .ofType(classOf[String])

-    val producerOpt = parser.accepts("producer", "Convenience option to add/remove acls for producer role. " +
-      "This will generate acls that allows WRITE,DESCRIBE on topic and CREATE on cluster. ")
+    val producerOpt = parser.accepts("producer", "Convenience option to add/remove ACLs for producer role. " +
+      "This will generate ACLs that allows WRITE,DESCRIBE on topic and CREATE on cluster. ")

-    val consumerOpt = parser.accepts("consumer", "Convenience option to add/remove acls for consumer role. " +
-      "This will generate acls that allows READ,DESCRIBE on topic and READ on group.")
+    val consumerOpt = parser.accepts("consumer", "Convenience option to add/remove ACLs for consumer role. " +
+      "This will generate ACLs that allows READ,DESCRIBE on topic and READ on group.")

    val helpOpt = parser.accepts("help", "Print usage information.")

--- a/core/src/test/scala/integration/kafka/api/SslEndToEndAuthorizationTest.scala
+++ b/core/src/test/scala/integration/kafka/api/SslEndToEndAuthorizationTest.scala
@ -24,6 +24,6 @@ import org.apache.kafka.common.protocol.SecurityProtocol
				@@ -24,6 +24,6 @@ import org.apache.kafka.common.protocol.SecurityProtocol
 class SslEndToEndAuthorizationTest extends EndToEndAuthorizationTest {
  override protected def securityProtocol = SecurityProtocol.SSL
  this.serverConfig.setProperty(SslConfigs.SSL_CLIENT_AUTH_CONFIG, "required")
-  override val clientPrincipal = "O=client,CN=localhost"
-  override val kafkaPrincipal = "O=server,CN=localhost"
+  override val clientPrincipal = "O=A client,CN=localhost"
+  override val kafkaPrincipal = "O=A server,CN=localhost"
 }