Status

Current state: Under Discussion

Discussion thread: here

JIRA: KAFKA-15172

Motivation

When mirroring ACLs, MirrorMaker downgrades allow ALL ACLs to allow READ. The rationale is to prevent other clients from producing to remote topics, as described in KIP-382: MirrorMaker 2.0.

However, in disaster recovery scenarios, where the target cluster is not in active use and is just a "hot standby", it would be preferable to have exactly the same ACLs on both clusters to speed up failover. Therefore, for this scenario, we can add a configuration to MirrorMakerConfig that enables disaster recovery support: in that mode MirrorMaker synchronizes the topic write and read ACLs, the group ACLs, and the complete user SCRAM credentials for the source cluster's replicated topics to the target cluster, so that when users switch their read and write services directly to the target cluster, those services can run immediately.

Public Interfaces

Add a configuration in MirrorMakerConfig.

  • config name: sync.full.acl.enabled
  • config definition: Whether MirrorMaker supports disaster recovery; the default is false.

Proposed Changes

Add a config parameter, sync.full.acl.enabled, with a default of false. When false, the current sync behavior is unchanged; when true, MirrorMaker synchronizes the topic write and read ACLs, the group ACLs, and the complete user SCRAM credentials for the source cluster's replicated topics to the target cluster.

  • topic write and read ACLs: Filter all topic read and write ACL entries related to the topics replicated from the source cluster.
  • user SCRAM credentials: Filter the user SCRAM credentials to synchronize according to the topic ACL entries selected above, and create those users in the target cluster.
  • group ACLs: Obtain the group ACL entries by filtering on the users obtained above.
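The three filtering steps above, as an added illustration that is not MirrorMaker's code: it models ACL bindings with a small dataclass instead of Kafka's AclBinding/AccessControlEntry classes, runs over a constructed sample ACL list, and contrasts the proposed full sync with the current topic-only behavior. The current behavior is modelled as downgrading ALLOW ALL to READ (as stated in the Motivation) and dropping ALLOW WRITE topic entries, which is how the "no remote producers" goal is assumed here to be met. Remote topic renaming by the replication policy is left out for brevity.

```python
"""Model of the sync.full.acl.enabled filtering described in Proposed Changes.

Added illustration, not MirrorMaker code. ACL bindings are modelled with a
dataclass; the sample ACL list and topic names are constructed for this example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Acl:
    resource_type: str   # "TOPIC" or "GROUP"
    resource_name: str
    principal: str       # Kafka principal string, e.g. "User:consumer"
    operation: str       # "READ", "WRITE", "ALL", ...
    permission: str = "ALLOW"


TOPIC_OPS = {"READ", "WRITE", "ALL"}

# Constructed sample of a source cluster's ACL list (not real data).
SOURCE_ACLS = [
    Acl("TOPIC", "orders", "User:producer", "WRITE"),
    Acl("TOPIC", "orders", "User:consumer", "READ"),
    Acl("TOPIC", "orders", "User:admin", "ALL"),
    Acl("TOPIC", "orders", "User:blocked", "WRITE", "DENY"),
    Acl("TOPIC", "audit", "User:auditor", "READ"),              # topic not replicated
    Acl("GROUP", "order-processors", "User:consumer", "READ"),
    Acl("GROUP", "audit-readers", "User:auditor", "READ"),      # user not in scope
    Acl("GROUP", "ops", "User:admin", "ALL"),
]

REPLICATED_TOPICS = {"orders"}  # assumed set of topics MirrorMaker replicates


def legacy_topic_acl(acl):
    """Current behavior (modelled): ALLOW ALL becomes ALLOW READ so that clients on
    the target cannot produce to the remote topic; ALLOW WRITE entries are dropped."""
    if acl.permission == "ALLOW" and acl.operation == "WRITE":
        return None
    if acl.permission == "ALLOW" and acl.operation == "ALL":
        return replace(acl, operation="READ")
    return acl


def topic_acls(acls, replicated, full_sync):
    """Step 1: topic read/write ACL entries for the replicated topics only."""
    selected = [a for a in acls
                if a.resource_type == "TOPIC"
                and a.resource_name in replicated
                and a.operation in TOPIC_OPS]
    if full_sync:
        return selected
    return [t for t in (legacy_topic_acl(a) for a in selected) if t is not None]


def principals_for(selected_topic_acls):
    """Principals granted access by the selected topic ACLs; DENY entries grant nothing."""
    return {a.principal for a in selected_topic_acls if a.permission == "ALLOW"}


def scram_users(principals):
    """Step 2: users whose SCRAM credentials must exist on the target cluster."""
    return sorted(p.split(":", 1)[1] for p in principals if p.startswith("User:"))


def group_acls(acls, principals):
    """Step 3: group ACL entries belonging to the users found in step 2."""
    return [a for a in acls if a.resource_type == "GROUP" and a.principal in principals]


def plan_sync(acls, replicated, full_sync):
    """Return what would be pushed to the target cluster in each mode."""
    topics = topic_acls(acls, replicated, full_sync)
    if not full_sync:
        return {"topic_acls": topics, "group_acls": [], "scram_users": []}
    principals = principals_for(topics)
    return {"topic_acls": topics,
            "group_acls": group_acls(acls, principals),
            "scram_users": scram_users(principals)}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"sync.full.acl.enabled={str(mode).lower()}")
        for key, value in plan_sync(SOURCE_ACLS, REPLICATED_TOPICS, mode).items():
            print(f"  {key}: {value}")
```

The model only decides which users need credentials on the target; it does not move secrets. Note that the Kafka Admin API's describeUserScramCredentials returns the mechanism and iteration count of a user's credential, not the salted secret, so the mechanism by which the complete credential reaches the target cluster is something the proposal still needs to spell out.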

Compatibility, Deprecation, and Migration Plan

There is no impact on existing behavior, and the existing behavior is not deprecated; MirrorMaker just syncs more information when sync.full.acl.enabled is enabled.

Test Plan

  • Add unit tests for the extra syncing.
  • Run an actual MirrorMaker service to verify ACL syncing when sync.full.acl.enabled is set to true or false.

Rejected Alternatives
