I agree that synchronizing ACL between clusters is a very useful feature for DR scenarios. In fact, I would prefer this to be a default setting since almost every prod implementation requires a DR cluster.
There are some scenarios when replication between clusters is done for some other reasons (like cluster migration for example) but this in my opinion is less common than DR scenario.

Igor

On Tue, Aug 8, 2023 at 9:33 AM Ryanne Dolan <ryannedo...@gmail.com> wrote:

> hudeqi, I'd call the configuration property something that describes what
> it does rather than its intended use-case.
>
> Ryanne
>
> On Tue, Aug 8, 2023, 4:46 AM hudeqi <16120...@bjtu.edu.cn> wrote:
>
> > Hi, all. I want to submit a kip, and hope to get some review and good
> > suggestions. The kip is here:
> > https://cwiki.apache.org/confluence/x/k5KzDw
> >
> > Motivation:
> >
> > When mirroring ACLs, MirrorMaker downgrades allow ALL ACLs to allow READ.
> > The rationale is to prevent other clients from producing to remote topics,
> > which is mentioned in KIP-382: MirrorMaker 2.0.
> >
> > However in disaster recovery scenarios, where the target cluster is not
> > used and just a "hot standby", it would be preferable to have exactly the
> > same ACLs on both clusters to speed up failover. Therefore, in this
> > scenario, we need to synchronize the topic write&read ACL, group ACL, and
> > absolute user scram credential of the source cluster topic to the target
> > cluster, so that when the user directly switches the read and write
> > service to the target cluster, it can be run directly.
> >
> > Proposed changes:
> >
> > Add a config parameter: disaster.recovery.enabled in MirrorMakerConfig,
> > the default is false, it will leave the current sync behavior unchanged,
> > if set true, it will synchronize the topic write&read ACL, group ACL, and
> > absolute user scram credential of the source cluster replicated topics to
> > the target cluster.
> >
> > topic write&read ACL: Filter all topic read&write Acl information
> > related to the topics replicated with the source cluster.
> >
> > user scram credential: Filter the user scram credential to be
> > synchronized according to the topic acl information to be synchronized
> > and create user in target cluster.
> >
> > group ACL: The group Acl information is obtained by filtering the user
> > obtained above.
> >
> > Looking forward to your reply.
> >
> > Best, hudeqi
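
A small Python model of the two behaviours discussed in this thread, added here as an illustration; it is not MirrorMaker or KIP code. The `Acl` tuple, the function names and the sample ACLs are constructed. Two points are assumptions of the model: the current mode also drops ALLOW WRITE (following the stated rationale), and the proposed mode passes ALLOW ALL through unchanged.

```python
from collections import namedtuple

# Simplified ACL binding for this model (not Kafka's AclBinding class).
Acl = namedtuple("Acl", "resource_type name principal operation permission")

# Constructed sample ACLs on the source cluster.
SOURCE = [
    Acl("TOPIC", "orders", "User:producer", "WRITE", "ALLOW"),
    Acl("TOPIC", "orders", "User:consumer", "READ", "ALLOW"),
    Acl("TOPIC", "orders", "User:admin", "ALL", "ALLOW"),
    Acl("TOPIC", "internal", "User:batch", "WRITE", "ALLOW"),
    Acl("GROUP", "orders-app", "User:consumer", "READ", "ALLOW"),
    Acl("GROUP", "batch-app", "User:batch", "READ", "ALLOW"),
]

def current_sync(source_acls, replicated_topics):
    """Current mode as described in the thread: ALLOW ALL becomes ALLOW READ.
    Dropping ALLOW WRITE is an assumption of this model."""
    out = []
    for a in source_acls:
        if a.resource_type != "TOPIC" or a.name not in replicated_topics:
            continue
        if a.permission == "ALLOW" and a.operation == "WRITE":
            continue
        if a.permission == "ALLOW" and a.operation == "ALL":
            a = a._replace(operation="READ")
        out.append(a)
    return out

def proposed_sync(source_acls, replicated_topics):
    """Proposed mode, in the order the proposal lists: topic ACLs for the
    replicated topics, then users from those ACLs, then their group ACLs."""
    topic_acls = [a for a in source_acls
                  if a.resource_type == "TOPIC" and a.name in replicated_topics
                  and a.operation in ("READ", "WRITE", "ALL")]  # ALL: assumption
    users = {a.principal for a in topic_acls}  # SCRAM users to create on target
    group_acls = [a for a in source_acls
                  if a.resource_type == "GROUP" and a.principal in users]
    return topic_acls, users, group_acls

def write_capable(acls):
    """Principals able to produce to a topic on the target cluster."""
    return {a.principal for a in acls if a.resource_type == "TOPIC"
            and a.permission == "ALLOW" and a.operation in ("WRITE", "ALL")}

if __name__ == "__main__":
    print("current :", sorted(write_capable(current_sync(SOURCE, {"orders"}))))
    print("proposed:", sorted(write_capable(proposed_sync(SOURCE, {"orders"})[0])))
```

The difference between the two `write_capable` sets is the list of principals that gain produce rights on the standby cluster once the proposed mode is enabled, which is the set to review before turning it on.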