Does anyone know why MirrorMaker2 doesn't replicate write ACLs?
This is the logic MM2 uses for choosing ACLs to replicate, which excludes GROUP resources and ALLOW WRITE permissions:
https://github.com/apache/kafka/blob/trunk/connect/mirror/src/main/java/org/apache/kafka/connect/mirror/MirrorSourceConnector.java#L425-L433
    List<AclBinding> filteredBindings = rawBindings.get().stream()
        .filter(x -> x.pattern().resourceType() == ResourceType.TOPIC)
        .filter(x -> x.pattern().patternType() == PatternType.LITERAL)
        .filter(this::shouldReplicateAcl)
        .filter(x -> shouldReplicateTopic(x.pattern().name()))
        .map(this::targetAclBinding)
Further, MM2 will downgrade write ACLs ALLOW ALL to ALLOW READ:
https://github.com/apache/kafka/blob/trunk/connect/mirror/src/main/java/org/apache/kafka/connect/mirror/MirrorSourceConnector.java#L689-L690
But there should still be replicated ACLs
    if (sourceAclBinding.entry().permissionType() == AclPermissionType.ALLOW
            && sourceAclBinding.entry().operation() == AclOperation.ALL) {
What's the rationale for this behavior? Is there any reason we don't allow a configuration to let users choose ACL replication behavior for themselves? The configuration documentation is misleading for how ACL replication works:
sync.topic.acls.enabled (https://kafka.apache.org/documentation/#mirror_source_sync.topic.acls.enabled)
Whether to periodically configure remote topic ACLs to match their corresponding upstream topics.
This would indicate the remote topics would match the upstream – which isn't the case ;)
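The filter and downgrade steps quoted in the post above, modeled as an added example that is not part of the original post or of Kafka's code; it shows which source ACLs would appear on the target and in what form. The Acl tuple, the function names and the sample ACLs are constructed for illustration, and topic renaming on the target cluster is not modeled.

```python
from typing import NamedTuple

class Acl(NamedTuple):          # hypothetical stand-in for Kafka's AclBinding
    resource_type: str          # "TOPIC", "GROUP", ...
    pattern_type: str           # "LITERAL" or "PREFIXED"
    name: str                   # resource name, e.g. the topic
    principal: str
    permission: str             # "ALLOW" or "DENY"
    operation: str              # "READ", "WRITE", "ALL", ...

def classify(acl, replicated_topics):
    """Return (outcome, target_acl) for one source ACL, in the post's filter order."""
    if acl.resource_type != "TOPIC":
        return "dropped: not a TOPIC resource", None
    if acl.pattern_type != "LITERAL":
        return "dropped: not a LITERAL pattern", None
    if acl.permission == "ALLOW" and acl.operation == "WRITE":
        return "dropped: ALLOW WRITE", None
    if acl.name not in replicated_topics:
        return "dropped: topic not replicated", None
    if acl.permission == "ALLOW" and acl.operation == "ALL":
        # The target gets READ only, so the principal loses write access there.
        return "downgraded: ALLOW ALL -> ALLOW READ", acl._replace(operation="READ")
    return "copied", acl

def audit(source_acls, replicated_topics):
    """Pair every source ACL with its outcome so drift from the source is explicit."""
    return [(acl, *classify(acl, replicated_topics)) for acl in source_acls]

# Constructed sample ACLs (not taken from any real cluster).
SAMPLE = [
    Acl("TOPIC", "LITERAL", "orders", "User:reader", "ALLOW", "READ"),
    Acl("TOPIC", "LITERAL", "orders", "User:producer", "ALLOW", "WRITE"),
    Acl("TOPIC", "LITERAL", "orders", "User:admin", "ALLOW", "ALL"),
    Acl("TOPIC", "LITERAL", "orders", "User:blocked", "DENY", "WRITE"),
    Acl("TOPIC", "PREFIXED", "ord", "User:team", "ALLOW", "READ"),
    Acl("GROUP", "LITERAL", "orders-consumers", "User:reader", "ALLOW", "READ"),
    Acl("TOPIC", "LITERAL", "internal", "User:reader", "ALLOW", "READ"),
]

if __name__ == "__main__":
    for acl, outcome, _ in audit(SAMPLE, {"orders"}):
        print(f"{acl.principal:14} {acl.permission:5} {acl.operation:5} "
              f"{acl.resource_type}:{acl.name:16} -> {outcome}")
```

Running the same classification over a real export of source ACLs gives a list of principals whose access on the target will differ from the source, which is the gap the documentation wording does not make visible.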