Hi Steven, Thanks for the KIP. A few questions/comments:
1) The command line option for AclCommand makes it the user's responsibility to determine whether cache should be loaded. That doesn't feel like a good idea. If you are listing ACLs, you need the cache. More importantly, you need the cache for some code paths in delete and that could be authorizer-dependent. It feels dangerous to make that a choice when the result of not doing so would potentially retain ACLs that you didn't intend to. 2) Even though the KIP talks about the deprecated SimpleAclAuthorizer, I guess you also mean the new AclAuthorizer since the PR updates the new one. We should clarify in the KIP. 3) The recommended way to update ACLs is using --bootstrap-server option for AclCommand which uses the Kafka protocol to talk to brokers and the update is performed by brokers which already have all ACLs loaded into their cache. In case you have found issues with this approach, it will be good to understand what the issues are so that we can improve this path. On Tue, Jan 21, 2020 at 1:50 AM Steven Lu <lushiji2...@gmail.com> wrote: > Hello all, > > In the class Named AclCommand,configure SimpleAclAuthorizer,but no need > call loadCache. > now we have 20,000 topics in kafka cluster,everytime I run AclCommand,all > these topics's Alcs need to be authed, it will be very slow. > The purpose of this optimization is:we can choose to not load the acl of > all topics into memory, mainly for adding and deleting permissions. > > PR Available here: https://github.com/apache/kafka/pull/7706 > KIP Available here: > https://cwiki.apache.org/confluence/display/KAFKA/KIP-565%3A+Using+AclCommand%2Cavoid+call+the+global+method+loadcache+in+SimpleAclAuthorizer > Issue Available here: https://issues.apache.org/jira/browse/KAFKA-9424 > > mainly for adding and deleting permissions,we can choose to not load the > acl of all topics into memory,then we can add two args "--load-acl-cache" > "false" in AclCommand.main;else you don't add these args, it will load the > acl cache defaultly. > > we can choose improve the running time from minutes to less than one > second. > > Thanks, > Steven >
