MCP Tools Reference: managedkafka

Tool: remove_acl_entry

Removes an ACL entry from an existing Google Cloud Managed service for Apache Kafka ACL. If the removed entry was the last one in the ACL, the ACL will be deleted. Please provide the Project ID, Location, Cluster ID, and ACL ID.

A RemoveAclEntryRequest is used to remove an ACL entry.

  • acl (required): The name of the ACL to remove the ACL entry from. Structured like projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}. The structure of acl_id defines the Resource Pattern (resource_type, resource_name, pattern_type) of the ACL. acl_id is structured like one of the following:
    • For ACLs on the cluster: cluster
    • For ACLs on a single resource within the cluster: topic/{resource_name}, consumerGroup/{resource_name}, or transactionalId/{resource_name}
    • For ACLs on all resources that match a prefix: topicPrefixed/{resource_name}, consumerGroupPrefixed/{resource_name}, or transactionalIdPrefixed/{resource_name}
    • For ACLs on all resources of a given type (i.e. the wildcard literal "*"): allTopics (represents topic/*), allConsumerGroups (represents consumerGroup/*), or allTransactionalIds (represents transactionalId/*)
  • acl_entry (required): The ACL entry to remove. Each ACL entry contains the following fields:
    • principal (required): The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.
    • permission_type (required): The permission type. Accepted values are (case insensitive): ALLOW, DENY.
    • operation (required): The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE.
    • host (required): The host. Must be set to "*" for Managed Service for Apache Kafka.

Important Notes:

  • The AI agent should use the get_acl tool to retrieve the details of the acl_entry to be removed, so that the required fields (principal, permission_type, operation, and host) can be filled in the RemoveAclEntryRequest.

The following sample demonstrate how to use curl to invoke the remove_acl_entry MCP tool.

Curl Request 
                  
curl --location 'https://managedkafka.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "remove_acl_entry",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request for RemoveAclEntry.

RemoveAclEntryRequest

JSON representation 
{
  "acl": string,
  "aclEntry": {
    object (AclEntry)
  }
}
Fields
acl

string

Required. The name of the acl to remove the acl entry from. Structured like: projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}.

The structure of acl_id defines the Resource Pattern (resource_type, resource_name, pattern_type) of the acl. See Acl.name for details.
aclEntry

object (AclEntry)

Required. The acl entry to remove.

AclEntry

JSON representation 
{
  "principal": string,
  "permissionType": string,
  "operation": string,
  "host": string
}
Fields
principal

string

Required. The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.
permissionType

string

Required. The permission type. Accepted values are (case insensitive): ALLOW, DENY.
operation

string

Required. The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE. See https://kafka.apache.org/documentation/#operations_resources_and_protocols for valid combinations of resource_type and operation for different Kafka API requests.
host

string

Required. The host. Must be set to "*" for Managed Service for Apache Kafka.

Output Schema

Response for RemoveAclEntry.

RemoveAclEntryResponse

JSON representation 
{

  // Union field result can be only one of the following:
  "acl": {
    object (Acl)
  },
  "aclDeleted": boolean
  // End of list of possible types for union field result.
}
Fields
Union field result. The result of removing the acl entry, depending on whether the acl was deleted as a result of removing the acl entry. result can be only one of the following:
acl

object (Acl)

The updated acl. Returned if the removed acl entry was not the last entry in the acl.
aclDeleted

boolean

Returned with value true if the removed acl entry was the last entry in the acl, resulting in acl deletion.

Acl

JSON representation 
{
  "name": string,
  "aclEntries": [
    {
      object (AclEntry)
    }
  ],
  "etag": string,
  "resourceType": string,
  "resourceName": string,
  "patternType": string
}
Fields
name

string

Identifier. The name for the acl. Represents a single Resource Pattern. Structured like: projects/{project}/locations/{location}/clusters/{cluster}/acls/{acl_id}

The structure of acl_id defines the Resource Pattern (resource_type, resource_name, pattern_type) of the acl. acl_id is structured like one of the following:

For acls on the cluster: cluster

For acls on a single resource within the cluster: topic/{resource_name} consumerGroup/{resource_name} transactionalId/{resource_name}

For acls on all resources that match a prefix: topicPrefixed/{resource_name} consumerGroupPrefixed/{resource_name} transactionalIdPrefixed/{resource_name}

For acls on all resources of a given type (i.e. the wildcard literal "*"): allTopics (represents topic/*) allConsumerGroups (represents consumerGroup/*) allTransactionalIds (represents transactionalId/*)
aclEntries[]

object (AclEntry)

Required. The ACL entries that apply to the resource pattern. The maximum number of allowed entries 100.
etag

string

Optional. etag is used for concurrency control. An etag is returned in the response to GetAcl and CreateAcl. Callers are required to put that etag in the request to UpdateAcl to ensure that their change will be applied to the same version of the acl that exists in the Kafka Cluster.

A terminal 'T' character in the etag indicates that the AclEntries were truncated; more entries for the Acl exist on the Kafka Cluster, but can't be returned in the Acl due to repeated field limits.
resourceType

string

Output only. The ACL resource type derived from the name. One of: CLUSTER, TOPIC, GROUP, TRANSACTIONAL_ID.
resourceName

string

Output only. The ACL resource name derived from the name. For cluster resource_type, this is always "kafka-cluster". Can be the wildcard literal "*".
patternType

string

Output only. The ACL pattern type derived from the name. One of: LITERAL, PREFIXED.

AclEntry

JSON representation 
{
  "principal": string,
  "permissionType": string,
  "operation": string,
  "host": string
}
Fields
principal

string

Required. The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix "User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users.
permissionType

string

Required. The permission type. Accepted values are (case insensitive): ALLOW, DENY.
operation

string

Required. The operation type. Allowed values are (case insensitive): ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, and IDEMPOTENT_WRITE. See https://kafka.apache.org/documentation/#operations_resources_and_protocols for valid combinations of resource_type and operation for different Kafka API requests.
host

string

Required. The host. Must be set to "*" for Managed Service for Apache Kafka.

Tool Annotations

Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌