You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by Steven Lu <lu...@gmail.com> on 2020/02/16 11:09:25 UTC

Re: [DISCUSS] KIP-565: Using AclCommand,avoid call the global method loadcache in SimpleAclAuthorizer

Thanks for your replay,
this switch same not the best.I have changed another way to solve this problom,can you help me review the pr:  https://github.com/apache/kafka/pull/7706/files


On 2020/01/21 09:48:00, Rajini Sivaram <ra...@gmail.com> wrote: 
> Hi Steven,
> 
> Thanks for the KIP. A few questions/comments:
> 
> 1) The command line option for AclCommand makes it the user's
> responsibility to determine whether cache should be loaded. That doesn't
> feel like a good idea. If you are listing ACLs, you need the cache. More
> importantly, you need the cache for some code paths in delete and that
> could be authorizer-dependent. It feels dangerous to make that a choice
> when the result of not doing so would potentially retain ACLs that you
> didn't intend to.
> 
> 2) Even though the KIP talks about the deprecated SimpleAclAuthorizer, I
> guess you also mean the new AclAuthorizer since the PR updates the new one.
> We should clarify in the KIP.
> 
> 3) The recommended way to update ACLs is using --bootstrap-server option
> for AclCommand which uses the Kafka protocol to talk to brokers and the
> update is performed by brokers which already have all ACLs loaded into
> their cache. In case you have found issues with this approach, it will be
> good to understand what the issues are so that we can improve this path.
> 
> On Tue, Jan 21, 2020 at 1:50 AM Steven Lu <lu...@gmail.com> wrote:
> 
> > Hello all,
> >
> > In the class Named AclCommand,configure SimpleAclAuthorizer,but no need
> > call loadCache.
> > now we have 20,000 topics in kafka cluster,everytime I run AclCommand,all
> > these topics's Alcs need to be authed, it will be very slow.
> > The purpose of this optimization is:we can choose to not load the acl of
> > all topics into memory, mainly for adding and deleting permissions.
> >
> > PR Available here: https://github.com/apache/kafka/pull/7706
> > KIP Available here:
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-565%3A+Using+AclCommand%2Cavoid+call+the+global+method+loadcache+in+SimpleAclAuthorizer
> > Issue Available here: https://issues.apache.org/jira/browse/KAFKA-9424
> >
> > mainly for adding and deleting permissions,we can choose to not load the
> > acl of all topics into memory,then we can add two args "--load-acl-cache"
> > "false" in AclCommand.main;else you don't add these args, it will load the
> > acl cache defaultly.
> >
> > we can choose improve the running time from minutes to less than one
> > second.
> >
> > Thanks,
> > Steven
> >
>