[ https://issues.apache.org/jira/browse/KAFKA-18961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17951240#comment-17951240 ]

David Jacot commented on KAFKA-18961:
-------------------------------------

[~squah-confluent] It is preferable to have it time-based because the 
Authorizer is pluggable so ACLs are not necessarily stored in the metadata 
image.

> Consider time-based refresh for server-side RE2J regex
> ------------------------------------------------------
>
>                 Key: KAFKA-18961
>                 URL: https://issues.apache.org/jira/browse/KAFKA-18961
>             Project: Kafka
>          Issue Type: Improvement
>          Components: group-coordinator
>            Reporter: Lianet Magrans
>            Assignee: David Jacot
>            Priority: Major
>              Labels: kip-848
>
> Consumers can subscribe to an RE2J SubscriptionPattern that will be resolved 
> and maintained on the server-side (KIP-848). Currently, those regexes are 
> refreshed on the coordinator when a consumer subscribes to a new regex, or if 
> there is a new topic metadata image (to ensure regex resolution stays 
> up-to-date with existing topics).
> But with KAFKA-18813, the topics matching a regex are filtered based on ACLs. 
> This generates a new situation, as regex resolution does not stay up-to-date 
> as topics become visible (ACLs added/deleted).
> Ex. A consumer that subscribes to regex1 matching some topics but without 
> topic ACLs -> the consumer won't receive any assignment at first as expected 
> (matching topics filtered out) -> ACLs added -> the consumer will still not 
> receive assignments because the regex is not refreshed (until a member sends 
> HB with new regex or a new metadata image comes up).
> We could consider a time-based refresh to ensure that regex resolution stays 
> up-to-date with ACLs consistently (at the moment it relies on the unrelated 
> conditions mentioned above).
>  
> See original PR comment here 
> https://github.com/apache/kafka/pull/18989#discussion_r1970551665  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
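
A small Python model of the staleness described in the issue, added here as an illustration and not Kafka's code: a cached regex resolution is recomputed on a new regex, a new metadata image, or (optionally) after a time interval, while ACLs live in a pluggable authorizer outside the image. `RegexResolver`, `demo`, the principal and topic names, the 30-second interval and the per-principal cache key are assumptions, and Python's `re` stands in for RE2J.

```python
import re


class RegexResolver:
    """Toy coordinator-side cache of regex -> visible topics for one principal."""

    def __init__(self, topics, is_authorized, refresh_interval_ms=None):
        self.topics = set(topics)             # stands in for the topic metadata image
        self.image_version = 0
        self.is_authorized = is_authorized    # pluggable authorizer; ACLs live outside the image
        self.refresh_interval_ms = refresh_interval_ms  # None: no time-based refresh
        self.cache = {}  # (principal, pattern) -> (topics, image_version, resolved_at_ms)

    def new_image(self, topics):
        """A new metadata image invalidates every cached resolution."""
        self.topics = set(topics)
        self.image_version += 1

    def resolve(self, principal, pattern, now_ms):
        key = (principal, pattern)
        entry = self.cache.get(key)
        stale = (
            entry is None                                   # new regex
            or entry[1] != self.image_version               # new metadata image
            or (self.refresh_interval_ms is not None        # time-based refresh
                and now_ms - entry[2] >= self.refresh_interval_ms)
        )
        if stale:
            visible = frozenset(
                t for t in self.topics
                if re.fullmatch(pattern, t) and self.is_authorized(principal, t)
            )
            entry = (visible, self.image_version, now_ms)
            self.cache[key] = entry
        return entry[0]


def demo(refresh_interval_ms):
    acls = set()  # constructed (principal, topic) grants held by the external authorizer
    resolver = RegexResolver(
        ["orders-eu", "orders-us", "billing"],
        lambda principal, topic: (principal, topic) in acls,
        refresh_interval_ms,
    )
    first = resolver.resolve("User:app", "orders-.*", now_ms=0)
    acls.add(("User:app", "orders-eu"))   # ACL added; the metadata image does not change
    soon = resolver.resolve("User:app", "orders-.*", now_ms=1_000)
    later = resolver.resolve("User:app", "orders-.*", now_ms=60_000)
    return first, soon, later
```

In this model the refresh interval also bounds how long a deleted ACL keeps a topic in the cached result.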
