Because it (usually) doesn't make sense to write to a "remote topic". Doing so would mean it no longer is a simple copy of the source topic. Only MM itself should be writing to a remote topic.
That said, it may make sense to replicate write ACLs for the corresponding *source* topics on the remote cluster, however. That is something I've done with external tooling, but IMO it would be problematic for MM to do itself. MM doesn't modify source topics, and it might be surprising if it did. In particular, it would be difficult to determine which sources are "sources of truth" and which should be automatically updated.

Ryanne

On Fri, Apr 11, 2025, 11:35 AM Mehrtens, Mazrim <mmehr...@amazon.com.invalid> wrote:

> Does anyone know why MirrorMaker2 doesn’t replicate write ACLs?
>
> This is the logic MM2 uses for choosing ACLs to replicate, which excludes
> GROUP resources and ALLOW WRITE permissions:
>
> https://github.com/apache/kafka/blob/trunk/connect/mirror/src/main/java/org/apache/kafka/connect/mirror/MirrorSourceConnector.java#L425-L433
>
>     List<AclBinding> filteredBindings = rawBindings.get().stream()
>         .filter(x -> x.pattern().resourceType() == ResourceType.TOPIC)
>         .filter(x -> x.pattern().patternType() == PatternType.LITERAL)
>         .filter(this::shouldReplicateAcl)
>         .filter(x -> shouldReplicateTopic(x.pattern().name()))
>         .map(this::targetAclBinding)
>
> Further, MM2 will downgrade write ACLs ALLOW ALL to ALLOW READ:
>
> https://github.com/apache/kafka/blob/trunk/connect/mirror/src/main/java/org/apache/kafka/connect/mirror/MirrorSourceConnector.java#L689-L690
> But there should still be replicated ACLs
>
>     if (sourceAclBinding.entry().permissionType() == AclPermissionType.ALLOW
>             && sourceAclBinding.entry().operation() == AclOperation.ALL) {
>
> What’s the rationale for this behavior? Is there any reason we don’t allow
> a configuration to let users choose ACL replication behavior for
> themselves? The configuration documentation is misleading for how ACL
> replication works:
>
> sync.topic.acls.enabled
> https://kafka.apache.org/documentation/#mirror_source_sync.topic.acls.enabled
>
>     Whether to periodically configure remote topic ACLs to match their
>     corresponding upstream topics.
>
> This would indicate the remote topics would match the upstream – which
> isn’t the case ;)
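
The selection and downgrade rules described in the quoted message, applied to a handful of constructed source ACLs so the difference between source and remote permissions is visible. This is an added example, not part of the thread and not Kafka's own code: the class and helper names are hypothetical, it assumes `kafka-clients` is on the classpath, and it leaves out the `shouldReplicateTopic` filter and any renaming of the topic on the target.

```java
import java.util.List;
import java.util.Optional;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.common.resource.*;

public class Mm2AclPreview {
    // Applies the rules described in the thread to one source ACL.
    // An empty result means the ACL is not replicated.
    static Optional<AclBinding> replicated(AclBinding src) {
        ResourcePattern p = src.pattern();
        AccessControlEntry e = src.entry();
        boolean allow = e.permissionType() == AclPermissionType.ALLOW;
        if (p.resourceType() != ResourceType.TOPIC) return Optional.empty();  // e.g. GROUP
        if (p.patternType() != PatternType.LITERAL) return Optional.empty();  // e.g. PREFIXED
        if (allow && e.operation() == AclOperation.WRITE) return Optional.empty();
        // ALLOW ALL is downgraded to ALLOW READ; every other entry is copied unchanged.
        AclOperation op = (allow && e.operation() == AclOperation.ALL)
                ? AclOperation.READ : e.operation();
        return Optional.of(new AclBinding(p,
                new AccessControlEntry(e.principal(), e.host(), op, e.permissionType())));
    }

    // Small builder for the sample data below (host is always "*").
    static AclBinding acl(ResourceType type, String name, PatternType pt,
                          String principal, AclOperation op, AclPermissionType perm) {
        return new AclBinding(new ResourcePattern(type, name, pt),
                new AccessControlEntry(principal, "*", op, perm));
    }

    public static void main(String[] args) {
        // Constructed sample ACLs on a source cluster; all names are made up.
        List<AclBinding> source = List.of(
            acl(ResourceType.TOPIC, "orders", PatternType.LITERAL, "User:producer", AclOperation.WRITE, AclPermissionType.ALLOW),
            acl(ResourceType.TOPIC, "orders", PatternType.LITERAL, "User:admin", AclOperation.ALL, AclPermissionType.ALLOW),
            acl(ResourceType.TOPIC, "orders", PatternType.LITERAL, "User:reader", AclOperation.READ, AclPermissionType.ALLOW),
            acl(ResourceType.TOPIC, "orders", PatternType.LITERAL, "User:blocked", AclOperation.WRITE, AclPermissionType.DENY),
            acl(ResourceType.TOPIC, "ord", PatternType.PREFIXED, "User:reader", AclOperation.READ, AclPermissionType.ALLOW),
            acl(ResourceType.GROUP, "billing", PatternType.LITERAL, "User:reader", AclOperation.READ, AclPermissionType.ALLOW));
        for (AclBinding b : source) {
            String outcome = replicated(b).map(t -> t.entry().toString()).orElse("not replicated");
            System.out.println(b.pattern() + " " + b.entry() + " -> " + outcome);
        }
    }
}
```

Comparing this preview with the ACLs actually present on the target cluster is one way to spot principals whose access differs between the two sides after a failover.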