Calvin, that's an interesting idea. The motivation behind the current behavior is to only grant principals access to data they already have access to. If a principal can access data in one cluster, there's no harm in providing read access to the same data in another cluster. But you are right that the resulting ACLs are far from completely synchronized.
With topic renaming, there's a clear distinction between source topics and replicated topics. With consumer groups we can be smart about which direction to replicate by looking at which consumer groups are active and inactive. But it's not immediately clear how we'd replicate other types of ACLs without introducing races. We'd need a way to reconcile differences between corresponding ACLs in different clusters. Do they get unioned together? Does the latest change win? etc.

I agree this would be a nice feature tho. You might want to bring it up on the dev list.

Ryanne

On Thu, Jun 17, 2021, 10:24 AM Calvin Chen <pingc...@hotmail.com> wrote:

> Hi all
>
> I have a question, does kafka mirror2.0 mirror kafka users(created by
> kafka-configs.sh dynamically) and kafka acls(topic/group)?
>
> I setup below fields in mirror config file, and I think kafka mirror2.0
> should mirror users and acls(topic/group) into remote cluster, but I see
> only part of acl are mirrored, basically missing users and group info.
>
>
> topics=.*
> groups=.*
> sync.topic.acls.enabled = true
>
> I manually created kafka user and acl in remote kafka cluster and then
> mirror works on copying message, do I miss some configuration? I think
> kafka user and acls(topic/group) should be automatically mirrored...
>
> Thanks
> -Calvin