Hi Steven, Since we are deprecating ZooKeeper options in AclCommand due to KIP-500 in favour of using bootstrap servers, it is not clear why we need this change. Can you explain why you want to use ZK rather than the secure `--bootstrap-server` option for updating ACLs? Since brokers always have ACLs loaded in memory, wouldn't that be an optimized path that you can use instead?
Regards, Rajini On Fri, Feb 28, 2020 at 7:57 AM Steven Lu <lushiji2...@gmail.com> wrote: > Thanks for your replay, > this switch same not the best.I have changed another way to solve this > problom,can you help me review the pr: > https://github.com/apache/kafka/pull/7706/files > > On 2020/01/21 09:48:00, Rajini Sivaram <rajinisiva...@gmail.com> wrote: > > Hi Steven, > > > > Thanks for the KIP. A few questions/comments: > > > > 1) The command line option for AclCommand makes it the user's > > responsibility to determine whether cache should be loaded. That doesn't > > feel like a good idea. If you are listing ACLs, you need the cache. More > > importantly, you need the cache for some code paths in delete and that > > could be authorizer-dependent. It feels dangerous to make that a choice > > when the result of not doing so would potentially retain ACLs that you > > didn't intend to. > > > > 2) Even though the KIP talks about the deprecated SimpleAclAuthorizer, I > > guess you also mean the new AclAuthorizer since the PR updates the new > one. > > We should clarify in the KIP. > > > > 3) The recommended way to update ACLs is using --bootstrap-server option > > for AclCommand which uses the Kafka protocol to talk to brokers and the > > update is performed by brokers which already have all ACLs loaded into > > their cache. In case you have found issues with this approach, it will be > > good to understand what the issues are so that we can improve this path. > > > > On Tue, Jan 21, 2020 at 1:50 AM Steven Lu <lushiji2...@gmail.com> wrote: > > > > > Hello all, > > > > > > In the class Named AclCommand,configure SimpleAclAuthorizer,but no need > > > call loadCache. > > > now we have 20,000 topics in kafka cluster,everytime I run > AclCommand,all > > > these topics's Alcs need to be authed, it will be very slow. > > > The purpose of this optimization is:we can choose to not load the acl > of > > > all topics into memory, mainly for adding and deleting permissions. > > > > > > PR Available here: https://github.com/apache/kafka/pull/7706 > > > KIP Available here: > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-565%3A+Using+AclCommand%2Cavoid+call+the+global+method+loadcache+in+SimpleAclAuthorizer > > > Issue Available here: https://issues.apache.org/jira/browse/KAFKA-9424 > > > > > > mainly for adding and deleting permissions,we can choose to not load > the > > > acl of all topics into memory,then we can add two args > "--load-acl-cache" > > > "false" in AclCommand.main;else you don't add these args, it will load > the > > > acl cache defaultly. > > > > > > we can choose improve the running time from minutes to less than one > > > second. > > > > > > Thanks, > > > Steven > > > > > >
