Does anyone know why MirrorMaker2 doesn’t replicate write ACLs? This is the logic MM2 uses for choosing ACLs to replicate, which excludes GROUP resources and ALLOW WRITE permissions:
https://github.com/apache/kafka/blob/trunk/connect/mirror/src/main/java/org/apache/kafka/connect/mirror/MirrorSourceConnector.java#L425-L433

    List<AclBinding> filteredBindings = rawBindings.get().stream()
        .filter(x -> x.pattern().resourceType() == ResourceType.TOPIC)
        .filter(x -> x.pattern().patternType() == PatternType.LITERAL)
        .filter(this::shouldReplicateAcl)
        .filter(x -> shouldReplicateTopic(x.pattern().name()))
        .map(this::targetAclBinding)

Further, MM2 will downgrade write ACLs ALLOW ALL to ALLOW READ:
https://github.com/apache/kafka/blob/trunk/connect/mirror/src/main/java/org/apache/kafka/connect/mirror/MirrorSourceConnector.java#L689-L690

    if (sourceAclBinding.entry().permissionType() == AclPermissionType.ALLOW
            && sourceAclBinding.entry().operation() == AclOperation.ALL) {

But there should still be replicated ACLs.

What’s the rationale for this behavior? Is there any reason we don’t allow a configuration to let users choose ACL replication behavior for themselves?

The configuration documentation is misleading for how ACL replication works:
sync.topic.acls.enabled (https://kafka.apache.org/documentation/#mirror_source_sync.topic.acls.enabled): "Whether to periodically configure remote topic ACLs to match their corresponding upstream topics."
This would indicate the remote topics would match the upstream – which isn’t the case ;)
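The following is an added example, not code from Apache Kafka or from the poster: a small Python model of the ACL selection and rewrite rules quoted above (TOPIC and LITERAL resources only, ALLOW WRITE dropped, ALLOW ALL downgraded to ALLOW READ, topic filter applied), run over a constructed set of source ACLs so you can see which bindings actually reach the target cluster and which ones an operator has to manage by hand. It assumes the default replication policy names remote topics `<source alias>.<topic>`, and the `acl_gaps` audit helper is hypothetical, not something MM2 provides.

```python
from dataclasses import dataclass, replace
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class AclBinding:
    resource_type: str  # TOPIC, GROUP, ...
    pattern_type: str   # LITERAL or PREFIXED
    name: str           # resource name
    principal: str
    host: str
    operation: str      # READ, WRITE, ALL, DESCRIBE, ...
    permission: str     # ALLOW or DENY


def remote_topic(source_alias: str, topic: str) -> str:
    # Assumption: DefaultReplicationPolicy naming, "<source alias>.<topic>".
    return f"{source_alias}.{topic}"


def should_replicate_acl(b: AclBinding) -> bool:
    # Model of MM2's shouldReplicateAcl as described above: only ALLOW WRITE
    # is excluded, so a DENY WRITE binding still passes this filter.
    return not (b.permission == "ALLOW" and b.operation == "WRITE")


def target_acl_binding(b: AclBinding, source_alias: str) -> AclBinding:
    # Model of targetAclBinding: rename the topic and turn ALLOW ALL into ALLOW READ.
    op = "READ" if (b.permission == "ALLOW" and b.operation == "ALL") else b.operation
    return replace(b, name=remote_topic(source_alias, b.name), operation=op)


def replicate_acls(bindings: Iterable[AclBinding], source_alias: str,
                   should_replicate_topic: Callable[[str], bool] = lambda t: True) -> List[AclBinding]:
    # Same filter chain as the quoted stream pipeline, in the same order.
    return [
        target_acl_binding(b, source_alias)
        for b in bindings
        if b.resource_type == "TOPIC"
        and b.pattern_type == "LITERAL"
        and should_replicate_acl(b)
        and should_replicate_topic(b.name)
    ]


def acl_gaps(bindings: Iterable[AclBinding], source_alias: str,
             should_replicate_topic: Callable[[str], bool] = lambda t: True) -> List[Tuple[AclBinding, str]]:
    """Hypothetical audit helper: every source ACL that does not arrive on the
    target with the same effect, with the reason. These are the bindings the
    operator must create or review out of band."""
    gaps = []
    for b in bindings:
        if b.resource_type != "TOPIC":
            gaps.append((b, "non-topic resources are not replicated"))
        elif b.pattern_type != "LITERAL":
            gaps.append((b, "prefixed patterns are not replicated"))
        elif not should_replicate_acl(b):
            gaps.append((b, "ALLOW WRITE is never replicated"))
        elif not should_replicate_topic(b.name):
            gaps.append((b, "topic excluded by topic filter"))
        elif b.permission == "ALLOW" and b.operation == "ALL":
            gaps.append((b, "ALLOW ALL is downgraded to ALLOW READ"))
    return gaps


# Constructed sample ACLs for a source cluster aliased "src" (not from a real cluster).
SAMPLE_ACLS = [
    AclBinding("TOPIC", "LITERAL", "orders", "User:producer", "*", "WRITE", "ALLOW"),
    AclBinding("TOPIC", "LITERAL", "orders", "User:consumer", "*", "READ", "ALLOW"),
    AclBinding("TOPIC", "LITERAL", "orders", "User:admin", "*", "ALL", "ALLOW"),
    AclBinding("TOPIC", "LITERAL", "orders", "User:blocked", "*", "WRITE", "DENY"),
    AclBinding("TOPIC", "PREFIXED", "orders", "User:consumer", "*", "DESCRIBE", "ALLOW"),
    AclBinding("GROUP", "LITERAL", "orders-cg", "User:consumer", "*", "READ", "ALLOW"),
    AclBinding("TOPIC", "LITERAL", "internal", "User:consumer", "*", "READ", "ALLOW"),
]


def not_internal(topic: str) -> bool:
    # Stand-in for MM2's topic filter (topics.exclude style rule).
    return not topic.startswith("internal")


if __name__ == "__main__":
    print("ACLs created on target:")
    for t in replicate_acls(SAMPLE_ACLS, "src", not_internal):
        print(f"  {t.name:12} {t.principal:14} {t.permission} {t.operation}")
    print("Source ACLs that do not arrive intact:")
    for b, why in acl_gaps(SAMPLE_ACLS, "src", not_internal):
        print(f"  {b.resource_type}:{b.name} {b.principal} {b.permission} {b.operation}: {why}")
```

Running it shows that, of seven source bindings, only three reach `src.orders`, and the one for `User:admin` arrives weaker than it left: the producer's ALLOW WRITE, the consumer group ACL, the prefixed DESCRIBE and the filtered topic all have to be provisioned on the target by some other process, which is the behaviour the documentation string does not prepare you for.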