Hi Tom My initial thought was that the constructor with config and delegator would be for testing while the one with config is the one that will be used by MM2. I can removed one of them and keep only one.
Sent from my iPhone > On 22 Jun 2022, at 08:15, Tom Bentley <[email protected]> wrote: > > Hi Omnia, > > Thanks for those answers. I'm a bit confused by the changes you've made for > 1 though. It's MM2 that's going to instantiate the class named in > forwarding.admin.class, so it's MM2 that needs to know the constructor > signature. The easiest way of doing this is to specify the signature as > part of the contract for forwarding.admin.class. But ForwardingAdmin now > has two constructors, which is confusing for someone who wants to subclass > it. Surely only one is needed? It would also be a good idea to show the > documentation that forward.admin.class will have. > > Kind regards, > > Tom > >> On Tue, 21 Jun 2022 at 17:06, Omnia Ibrahim <[email protected]> wrote: >> >> Hi Tom >> >>> 1. I assume there's an undocumented requirement in the KIP that whatever >>> class is named for forwarding.admin.class it has a public single argument >>> constructor that takes an Admin instance? >>> >> you are right, I updated the KIP to reflect the missing one. >> 3. What if the implementation needs to distinguish between creating ACLs on >> the source cluster and creating them on the destination cluster? E.g. the >> one should be done one way, but the other using a different mechanism? >> Users will need to define 2 implementations, one for source and another for >> target and configure each using <cluster_alias>.forwarding.admin.class. for >> example >> - target.forwarding.admin.class = TargetAdmin >> - source.forwarding.admin.class = SourceAdmin >> >>> On Tue, Jun 21, 2022 at 2:14 PM Tom Bentley <[email protected]> wrote: >>> >>> Hi Omnia, >>> >>> Thanks for the KIP! I'm sorry for the delay in this response. I have a >> few >>> questions: >>> >>> 1. I assume there's an undocumented requirement in the KIP that whatever >>> class is named for forwarding.admin.class it has a public single argument >>> constructor that takes an Admin instance? >>> 2. If 1 is correct then what about an implementation that requires extra >>> configuration, e.g. for whatever infra-as-code API it needs to use >> (instead >>> of using an Admin instance directly) how does it learn about that >> non-Kafka >>> config when it's only receiving an Admin instance? >>> 3. What if the implementation needs to distinguish between creating ACLs >> on >>> the source cluster and creating them on the destination cluster? E.g. the >>> one should be done one way, but the other using a different mechanism? >>> >>> Kind regards, >>> >>> Tom >>> >>> >>> On Mon, 20 Jun 2022 at 17:13, Omnia Ibrahim <[email protected]> >>> wrote: >>> >>>> Hi Chris, sorry for the late reply. >>>> ..Hi, >>>> >>>>> 1. I might be missing something, but can you give a concrete Java >>> example >>>>> of how the proposed ForwardingAdmin class is more convenient than >>>>> subclassing the KafkaAdminClient class? AFAICT the two would be >>> virtually >>>>> identical. >>>> >>>> I might be misunderstanding exactly how that class will be used; >>>>> I'm envisioning it as the pluggable class that users will implement >> for >>>>> custom administration logic and specify as the value for the >>>>> "forwarding.admin.class" (or "<cluster>.forwarding.admin.class") >>>> property, >>>>> and that it will be instantiated with a KafkaAdminClient instance >> that >>>> can >>>>> be used to get the same logic that MM2 provides today. In the case >> you >>>>> mentioned (KafkaAdminClient for read/describe, custom Admin for >>>>> create/update), I'd imagine one could override the createTopics, >>>>> deleteTopics, createAcls, deleteAcls (maybe?), alterConfigs (maybe?), >>>> etc. >>>>> methods, and then leave other methods such as listTopics, >>> describeTopics, >>>>> describeCluster, etc. as they are. >>>>> >>>> The Forwarding decorator is one alternative for inheritance so you are >>>> right to say that they look identical. However, I would like to point >> out >>>> few points >>>> 1. that Kafka codebase has few wrappers or decorators around >> AdminClient >>>> instead of inheritance so using decorator over inheritance isn't new >>>> proposal for example >>>> >>>> - - >>> `org.apache.kafka.streams.processor.internals.InternalTopicManager` >>>> which has AdminClient as parameter instead of inheatance >>>> - - `org.apache.kafka.connect.util.SharedTopicAdmin` and >>>> `org.apache.kafka.connect.util.TopicAdmin` don't inherit >>>> KafkaAdminClient >>>> instead initialize KafkaAdminClient. >>>> >>>> 2. Using ForwardingAdmin will make it easier to test which methods use >>>> KafkaAdminClient and which don't this make the test for any customized >>>> implementation easier. We can't have this with inheatcancs >>>> 3. Inhearting KafkaAdminClient has the following limitation >>>> a. KafkaAdminClient doesn't have a public default constructor, >> so >>>> isn't gonna be easy to have contractor that initialize both >>>> KafkaAdminClient (to be used for read/describe/list) and customized >>>> fedrated client (to be used for create/update). (Note I don't want to >>> touch >>>> anything in KafkaAdminClient code base to change that) >>>> b. the only way to initialize instance is by >> using`createInternal` >>>> which is static and can't be overridden to include creating customized >>>> fedrated client. This is the method used by `Admin.create` to >>>> initialize `KafkaAdminClient`in >>>> most MM2 and Kafka codebase. >>>> >>>> 3. KIP-158 deals with the topics that source connectors write to, not >> the >>>>> internal topics used by the Connect framework. IIUC this includes the >>>>> topics that MM2 mirrors. I think it's still fine if we want to leave >>>>> support for this out and say that this KIP only addresses code that >>> lives >>>>> inside the connect/mirror (and possibly connect/mirror-client?) >>> modules, >>>> I >>>>> just want to make sure that whatever behavior we settle on is >> specified >>>>> clearly in the KIP and user-facing documentation. >>>> >>>> MM2 deals with a large number of topics, creating the topic if not >>>> existing, adding new partitions if the number of partitions increases >> and >>>> syncing configs and ACLs, so while KIP-158 can stop the source connect >>> from >>>> creating a topic, this wouldn't be a great solution for MM2 when it >> runs >>> on >>>> a large scale as this will add too much operation headache on the teams >>>> that run MM2 to create/update large number of topics manually. Also, it >>>> prevents teams from enabling MM2 to sync configs and ACLs as this still >>>> will be at odds with the federated solution. >>>> >>>> 4. That's fine 👍 Just out of curiosity, is the motivation for this >>>>> decision to simplify the implementation? I can imagine it'd be easier >>> to >>>>> modify the MM2 codebase exclusively and not have to worry about >>> touching >>>>> the Connect framework as well given the possibility for unintended >>>>> consequences for other connectors with the latter. >>>> >>>> The motivation of the KIP is to have the option to let MM2 create >>> topics, >>>> add partitions, and sync configs and ACLs without being at odds with >>>> federated or capacity solutions when it runs on a large scale instead >> of >>>> just turning the admin client off. >>>> >>>>> Wondering if there's a >>>>> distinction on the feature front as well that makes MM2 internal >> topics >>>>> different from Connect internal topics. >>>> >>>> >>>> The only diff here is the MM2 call TopicManager directly to create >> these >>>> topics. >>>> >>>> >>>> Thanks >>>> Omnia >>>> >>>> >>>> On Tue, Jun 7, 2022 at 5:05 AM Chris Egerton <[email protected]> >>>> wrote: >>>> >>>>> Hi Omnia, >>>>> >>>>> 1. I might be missing something, but can you give a concrete Java >>> example >>>>> of how the proposed ForwardingAdmin class is more convenient than >>>>> subclassing the KafkaAdminClient class? AFAICT the two would be >>> virtually >>>>> identical. I might be misunderstanding exactly how that class will be >>>> used; >>>>> I'm envisioning it as the pluggable class that users will implement >> for >>>>> custom administration logic and specify as the value for the >>>>> "forwarding.admin.class" (or "<cluster>.forwarding.admin.class") >>>> property, >>>>> and that it will be instantiated with a KafkaAdminClient instance >> that >>>> can >>>>> be used to get the same logic that MM2 provides today. In the case >> you >>>>> mentioned (KafkaAdminClient for read/describe, custom Admin for >>>>> create/update), I'd imagine one could override the createTopics, >>>>> deleteTopics, createAcls, deleteAcls (maybe?), alterConfigs (maybe?), >>>> etc. >>>>> methods, and then leave other methods such as listTopics, >>> describeTopics, >>>>> describeCluster, etc. as they are. >>>>> >>>>> 3. KIP-158 deals with the topics that source connectors write to, not >>> the >>>>> internal topics used by the Connect framework. IIUC this includes the >>>>> topics that MM2 mirrors. I think it's still fine if we want to leave >>>>> support for this out and say that this KIP only addresses code that >>> lives >>>>> inside the connect/mirror (and possibly connect/mirror-client?) >>> modules, >>>> I >>>>> just want to make sure that whatever behavior we settle on is >> specified >>>>> clearly in the KIP and user-facing documentation. >>>>> >>>>> 4. That's fine 👍 Just out of curiosity, is the motivation for this >>>>> decision to simplify the implementation? I can imagine it'd be easier >>> to >>>>> modify the MM2 codebase exclusively and not have to worry about >>> touching >>>>> the Connect framework as well given the possibility for unintended >>>>> consequences for other connectors with the latter. Wondering if >>> there's a >>>>> distinction on the feature front as well that makes MM2 internal >> topics >>>>> different from Connect internal topics. >>>>> >>>>> Cheers, >>>>> >>>>> Chris >>>>> >>>>> On Mon, Jun 6, 2022 at 6:36 AM Omnia Ibrahim < >> [email protected]> >>>>> wrote: >>>>> >>>>>> Hi Chris, Thanks for having the time to look into this. >>>>>> >>>>>> 1. Is the introduction of the new "ForwardingAdmin" class >> necessary, >>> or >>>>> can >>>>>>> the same behavior can be achieved by subclassing the existing >>>>>>> KafkaAdminClient class? >>>>>> >>>>>> forwarding decorators give more flexibility than the inheritance, >> in >>>> this >>>>>> case, ForwardingAdmin gives the ability to use the default >>>>> KafkaAdminClient >>>>>> for reading/describing resources and at the same time configure >>> another >>>>>> client to connect to the federated solution to create and update >>>>> resources. >>>>>> Using forwarding seems cleaner and more flexible for this use case >>> than >>>>>> inheritance. >>>>>> >>>>>> 2. Would it be just as accurate to name the new Mirror Maker 2 >>> property >>>>>>> "admin.class" instead of "forwarding.admin.class"? I think >> brevity >>>> may >>>>>> work >>>>>>> in our favor here >>>>>>> >>>>>> I don't mind renaming it to "admin.class" if this is better. >>>>>> >>>>>> 3. Would the admin class specified by the user also take effect for >>>>> KIP-158 >>>>>>> [1] style automatic topic creation? (Forgive me if this isn't >>>>> applicable >>>>>>> for Mirror Maker 2; I'm asking solely based on the knowledge that >>> MM2 >>>>> can >>>>>>> be run as a source connector and has its own source task class >>> [2].) >>>>>> >>>>>> No this only control creating/updating mirrored topics and MM2 >>> internal >>>>>> topics. And not going to affect connect runtime's internal topics >>> that >>>>> are >>>>>> needed by connect cluster that runs MM2. >>>>>> >>>>>> 4. Would the admin class specified by the user also take effect for >>>>>>> internal topics created by the Connect framework (i.e., the >> statue, >>>>>> config, >>>>>>> and offsets topics)? >>>>>> >>>>>> No this wouldn't address connect as connect "realtime" uses >>> TopicAdmin >>>>> to >>>>>> manage topics needed for KafkaOffsetBackingStore, >>>> KafkaStatusBackingStore >>>>>> and KafkaConfigBackingStore directly. These 3 topics aren't a huge >>>>> concern >>>>>> for MM2 as they are a small set of topics and can be created >> up-front >>>> as >>>>> a >>>>>> one-time job. However, the main concern of the KIP is addressing >> the >>>>>> mirrored topics, synced configs, synced ACLs and the internal >> topics >>> of >>>>> MM2 >>>>>> which are needed for MM2 features like heartbeat and offset mapping >>>>> between >>>>>> Kafka clusters. >>>>>> >>>>>> The KIP states that Mirror Maker 2 will "Use >>>>>>> ForwardingAdmin in MirrorUtils instead of TopicAdmin to create >>>> internal >>>>>>> compacted topics", but IIUC these topics (the ones created with >> the >>>>>>> MirrorUtils class) are Mirror Maker 2-specific and different from >>> the >>>>>>> Connect framework's internal topics. >>>>>> >>>>>> MM2 has been using 2 patterns to create topics >>>>>> 1- Use AdminClient directly to create/update mirrored topics and >>> their >>>>> ACLs >>>>>> 2- Use TopicAdmin in MirrorUtils to create MM2 internal topics >> which >>>> are >>>>>> heartbeat, mm2-offset-syncs.<cluster_alias>.internal and >>>>>> <cluster_alias>.checkpoints.internal >>>>>> >>>>>> This KIP will only replace AdminClient and TopicAdmin in the MM2 >>>> codebase >>>>>> by ForwardingAdmin and not connect related topics. >>>>>> As Colin mentioned before we can have a feature KIP where we use >>>>>> ForwardingAdmin outside MM2 but this is not addressed in this KIP. >>>>>> >>>>>> Hope this answered your questions. >>>>>> >>>>>> Best >>>>>> Omnia >>>>>> >>>>>> >>>>>> >>>>>> On Wed, Jun 1, 2022 at 2:14 AM Chris Egerton < >>> [email protected]> >>>>>> wrote: >>>>>> >>>>>>> Hi Omnia, >>>>>>> >>>>>>> Thank you for your patience with this KIP! I have a few quick >>>> thoughts: >>>>>>> >>>>>>> 1. Is the introduction of the new "ForwardingAdmin" class >>> necessary, >>>> or >>>>>> can >>>>>>> the same behavior can be achieved by subclassing the existing >>>>>>> KafkaAdminClient class? >>>>>>> >>>>>>> 2. Would it be just as accurate to name the new Mirror Maker 2 >>>> property >>>>>>> "admin.class" instead of "forwarding.admin.class"? I think >> brevity >>>> may >>>>>> work >>>>>>> in our favor here >>>>>>> >>>>>>> 3. Would the admin class specified by the user also take effect >> for >>>>>> KIP-158 >>>>>>> [1] style automatic topic creation? (Forgive me if this isn't >>>>> applicable >>>>>>> for Mirror Maker 2; I'm asking solely based on the knowledge that >>> MM2 >>>>> can >>>>>>> be run as a source connector and has its own source task class >>> [2].) >>>>>>> >>>>>>> 4. Would the admin class specified by the user also take effect >> for >>>>>>> internal topics created by the Connect framework (i.e., the >> statue, >>>>>> config, >>>>>>> and offsets topics)? The KIP states that Mirror Maker 2 will "Use >>>>>>> ForwardingAdmin in MirrorUtils instead of TopicAdmin to create >>>> internal >>>>>>> compacted topics", but IIUC these topics (the ones created with >> the >>>>>>> MirrorUtils class) are Mirror Maker 2-specific and different from >>> the >>>>>>> Connect framework's internal topics. >>>>>>> >>>>>>> [1] - >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-158%3A+Kafka+Connect+should+allow+source+connectors+to+set+topic-specific+settings+for+new+topics >>>>>>> [2] - >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> https://github.com/apache/kafka/blob/4c9eeef5b2dff9a4f0977fbc5ac7eaaf930d0d0e/connect/mirror/src/main/java/org/apache/kafka/connect/mirror/MirrorSourceTask.java >>>>>>> >>>>>>> Cheers, >>>>>>> >>>>>>> Chris >>>>>>> >>>>>>> On Wed, May 25, 2022 at 5:26 AM Omnia Ibrahim < >>>> [email protected] >>>>>> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi everyone, If there's no major concern anymore, I'll start >> the >>>>>>>> voting process. >>>>>>>> >>>>>>>> On Fri, May 20, 2022 at 5:58 PM Omnia Ibrahim < >>>>> [email protected] >>>>>>> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Hi Colin, >>>>>>>>> >>>>>>>>>> Thanks for the clarification. I agree it's reasonable for >>> people >>>>> to >>>>>>> want >>>>>>>>> to use their own implementations of Admin. And we could have >> a >>>>> config >>>>>>> for >>>>>>>>> this, so that it becomes pluggable (possibly in other places >>> than >>>>>>>>> MirrorMaker, although we don't have to do that in this KIP). >>>>>>>>>> >>>>>>>>> Allowing people to plug custom implementation of Admin in >> other >>>>>> places >>>>>>>>> sounds like a neat idea indeed. It can be nice addition for >>>>> example ` >>>>>>>>> org.apache.kafka.connect.util.SharedTopicAdmin` in Connect to >>> use >>>>>>> custom >>>>>>>>> Admin as well. But agree no need to have it in this KIP. >>>>>>>>>> We could even try to make this easier on developers. For >>>> example, >>>>> we >>>>>>>>> could provide a public ForwardingAdmin class that forwards >> all >>>>>> requests >>>>>>>> to >>>>>>>>> the regular KafkaAdminClient. Then, people could make their >>>> custom >>>>>>> class >>>>>>>>> inherit from ForwardingAdmin and override >just the specific >>>>> methods >>>>>>> that >>>>>>>>> they wanted to override. So they don't have to implement all >>> the >>>>>>> methods, >>>>>>>>> but just the ones that are different for them. >>>>>>>>>> >>>>>>>>>> I just wanted to make sure we weren't creating a second >> Admin >>>>> client >>>>>>>>> interface -- I think that would really be hard for us to >>> support >>>>>>>> long-term. >>>>>>>>> >>>>>>>>> Forwarding would defiantly make it easier. I have updated the >>> KIP >>>>> to >>>>>>>>> introduce ForwardingAdmin as well. >>>>>>>>> >>>>>>>>> regards, >>>>>>>>> Omnia >>>>>>>>> >>>>>>>>> On Mon, May 16, 2022 at 9:31 PM Colin McCabe < >>> [email protected] >>>>> >>>>>>> wrote: >>>>>>>>> >>>>>>>>>> On Mon, May 16, 2022, at 10:24, Omnia Ibrahim wrote: >>>>>>>>>>> Hi Colin, >>>>>>>>>>> >>>>>>>>>>> Thanks for your reply. >>>>>>>>>>> >>>>>>>>>>> This KIP doesn’t aim to solve any security concerns, but >>>> rather >>>>> a >>>>>>>>>> conflict >>>>>>>>>>> of responsibilities within any Kafka ecosystem that >> includes >>>> MM2 >>>>>> and >>>>>>>> any >>>>>>>>>>> resource management solution. I’m not sure that was clear, >>> so >>>>> I’m >>>>>>>>>> concerned >>>>>>>>>>> about the motivation for your suggestion to close this >> KIP. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Hi Omnia, >>>>>>>>>> >>>>>>>>>> Thanks for the clarification. I agree it's reasonable for >>> people >>>>> to >>>>>>> want >>>>>>>>>> to use their own implementations of Admin. And we could >> have a >>>>>> config >>>>>>>> for >>>>>>>>>> this, so that it becomes pluggable (possibly in other places >>>> than >>>>>>>>>> MirrorMaker, although we don't have to do that in this KIP). >>>>>>>>>> >>>>>>>>>> We could even try to make this easier on developers. For >>>> example, >>>>> we >>>>>>>>>> could provide a public ForwardingAdmin class that forwards >> all >>>>>>> requests >>>>>>>> to >>>>>>>>>> the regular KafkaAdminClient. Then, people could make their >>>> custom >>>>>>> class >>>>>>>>>> inherit from ForwardingAdmin and override just the specific >>>>> methods >>>>>>> that >>>>>>>>>> they wanted to override. So they don't have to implement all >>> the >>>>>>>> methods, >>>>>>>>>> but just the ones that are different for them. >>>>>>>>>> >>>>>>>>>> I just wanted to make sure we weren't creating a second >> Admin >>>>> client >>>>>>>>>> interface -- I think that would really be hard for us to >>> support >>>>>>>> long-term. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> It is generally accepted that resource management should >> be >>>>>>>> centralized, >>>>>>>>>>> especially on the scale of mirroring N number of clusters. >>> The >>>>>> point >>>>>>>> of >>>>>>>>>>> this KIP is that any sort of topic management / federate >>>>> solution >>>>>> / >>>>>>>>>>> up-front capacity planning system will be at odds with MM2 >>> if >>>>> MM2 >>>>>>>> keeps >>>>>>>>>>> using the Admin client directly. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Thanks for the explanation. That makes sense. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I understand your concern that the interface proposed in >> the >>>>> first >>>>>>>>>> approach >>>>>>>>>>> may become too similar to the existing Admin interface. >> I’ll >>>>>> update >>>>>>>> the >>>>>>>>>>> proposal by moving Ryanne’s previous suggestion to re-use >>> the >>>>>> Admin >>>>>>>>>>> interface and add configuration to accept a custom >>>>> implementation. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> +1. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> If you still feel this KIP should be closed but can >>> understand >>>>> its >>>>>>>>>>> motivation I can close this one and create a new one. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I think it's reasonable to keep this one open and make the >>>> changes >>>>>> you >>>>>>>>>> talked about above. >>>>>>>>>> >>>>>>>>>> regards, >>>>>>>>>> Colin >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> Omnia >>>>>>>>>>> >>>>>>>>>>> On Fri, May 13, 2022 at 6:10 PM Colin McCabe < >>>>> [email protected]> >>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>>> On Wed, May 11, 2022, at 15:07, Omnia Ibrahim wrote: >>>>>>>>>>>>> Hi Colin, >>>>>>>>>>>>> I don't mind the idea of MM2 users implementing the >>>>> AdminClient >>>>>>>>>>>> interface. >>>>>>>>>>>>> However, there're two disadvantages to this. >>>>>>>>>>>>> >>>>>>>>>>>>> 1. Having around 70 methods definitions to have >>>>>>> "NotImplemented" >>>>>>>>>> is >>>>>>>>>>>> one >>>>>>>>>>>>> downside, and keep up with these if the AdminClient >>>>>> interface >>>>>>>>>> changes. >>>>>>>>>>>>> 2. It makes it hard to list what admin functionality >>> MM2 >>>>>> uses >>>>>>> as >>>>>>>>>> MM2 >>>>>>>>>>>>> interactions with AdminClient in the codebase are in >>>> many >>>>>>>> places. >>>>>>>>>>>>> >>>>>>>>>>>>> I guess it's OK for MM2 users who want to build their >>> admin >>>>>>> client >>>>>>>> to >>>>>>>>>>>> carry >>>>>>>>>>>>> this burden, as I explained in my previous response to >>> the >>>>>>>> discussion >>>>>>>>>>>>> thread. And we can do some cleanup to the codebase to >>> have >>>>> all >>>>>>>> Admin >>>>>>>>>>>>> interactions in MM2 in a utils class or something like >>> that >>>>> to >>>>>>> make >>>>>>>>>> it >>>>>>>>>>>>> easier to navigate what MM2 needs from the Admin >>> interface. >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Hi Omnia, >>>>>>>>>>>> >>>>>>>>>>>> Anyone who wants to extend Kafka with proprietary tooling >>>> does >>>>>> need >>>>>>>> to >>>>>>>>>>>> keep up with the Kafka API. We have done everything we >> can >>> to >>>>>> make >>>>>>>> this >>>>>>>>>>>> easier. We rigorously define what the API is through the >>> KIP >>>>>>> process, >>>>>>>>>> and >>>>>>>>>>>> make it possible to extend by making it an interface >> rather >>>>> than >>>>>>>>>> concrete >>>>>>>>>>>> class. We also have a pretty lengthy deprecation process >>> for >>>>>> these >>>>>>>>>> APIs. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Maybe I'm misunderstanding the use-case you're >> describing >>>>> here. >>>>>>> But >>>>>>>>>> it >>>>>>>>>>>>>> seems to me that if you create a proxy that has the >>>> ability >>>>> to >>>>>>> do >>>>>>>>>> any >>>>>>>>>>>> admin >>>>>>>>>>>>>> operation, and give MM2 access to that proxy, the >>> security >>>>>> model >>>>>>>> is >>>>>>>>>> the >>>>>>>>>>>>>> same as just giving MM2 admin access. (Or it may be >>> worse >>>> if >>>>>> the >>>>>>>>>>>> sysadmin >>>>>>>>>>>>>> doesn't know what this proxy is doing, and doesn't >> lock >>> it >>>>>>>> down...) >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> MM2 runs with the assumption that it has >>>>>>>>>>>>> >>>>>>>>>>>>> - "CREATE" ACLs for topics on the source clusters to >>>>> create >>>>>>>>>>>> `heartbeat` >>>>>>>>>>>>> topics. >>>>>>>>>>>>> - "CREATE" and "ALTER" ACLs to create topics, add >>>>>> partitions, >>>>>>>>>> update >>>>>>>>>>>>> topics' config and topics' ACLs (in future, will >> also >>>>>> include >>>>>>>>>> group >>>>>>>>>>>> ACLS as >>>>>>>>>>>>> Mikael mentioned before in the thread) on the >>>> destination >>>>>>>>>> clusters. >>>>>>>>>>>>> >>>>>>>>>>>>> Most organisations have some resource management or >>>> federated >>>>>>>>>> solutions >>>>>>>>>>>>> (some would even have a budget system as part of these >>>>> systems) >>>>>>> to >>>>>>>>>> manage >>>>>>>>>>>>> Kafka resources, and these systems are usually the only >>>>>>> application >>>>>>>>>>>> allowed >>>>>>>>>>>>> to initializing a client with "CREATE" and "ALTER" >> ACLs. >>>> They >>>>>>> don't >>>>>>>>>> grant >>>>>>>>>>>>> these ACLs to any other teams/groups/applications to >>> create >>>>>> such >>>>>>> a >>>>>>>>>> client >>>>>>>>>>>>> outside these systems, so assuming MM2 can bypass these >>>>> systems >>>>>>> and >>>>>>>>>> use >>>>>>>>>>>> the >>>>>>>>>>>>> AdminClient directly to create/update resources isn't >>>> valid. >>>>>> This >>>>>>>> is >>>>>>>>>> the >>>>>>>>>>>>> primary concern here. >>>>>>>>>>>>> >>>>>>>>>>>>> The KIP is trying to give MM2 more flexibility to allow >>>>>>>>>> organisations to >>>>>>>>>>>>> integrate MM2 with their resource management system as >>> they >>>>> see >>>>>>> fit >>>>>>>>>>>> without >>>>>>>>>>>>> forcing them to disable most MM2 features. >>>>>>>>>>>>> >>>>>>>>>>>>> Hope this make sense and clear it up. >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> The point I was trying to make is that there is no >>> additional >>>>>>>> security >>>>>>>>>>>> here. If you have some agent that has all the >> permissions, >>>> and >>>>>> MM2 >>>>>>>> can >>>>>>>>>> talk >>>>>>>>>>>> to that agent and tell it what to do, then that is >>> equivalent >>>>> to >>>>>>> just >>>>>>>>>>>> giving MM2 all the permissions. So while there may be >> other >>>>>> reasons >>>>>>>> to >>>>>>>>>> use >>>>>>>>>>>> this kind of agent-based architecture, added security >> isn't >>>>> one. >>>>>>>>>>>> >>>>>>>>>>>> In any case, I think we should close this KIP since we >>>> already >>>>>> have >>>>>>>> an >>>>>>>>>>>> Admin API. There isn't a need to create a public API for >>>> admin >>>>>>>>>> operations. >>>>>>>>>>>> >>>>>>>>>>>> best, >>>>>>>>>>>> Colin >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, May 11, 2022 at 9:09 PM Colin McCabe < >>>>>> [email protected] >>>>>>>> >>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi Omnia Ibrahim, >>>>>>>>>>>>>> >>>>>>>>>>>>>> I'm sorry, but I am -1 on adding competing Admin >>>> interfaces. >>>>>>> This >>>>>>>>>> would >>>>>>>>>>>>>> create confusion and a heavier maintenance burden for >>> the >>>>>>> project. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Since the org.apache.kafka.clients.admin.Admin >> interface >>>> is >>>>> a >>>>>>> Java >>>>>>>>>>>>>> interface, any third-party software that wants to >> insert >>>> its >>>>>> own >>>>>>>>>>>>>> implementation of the interface can do so already. >>>>>>>>>>>>>> >>>>>>>>>>>>>> A KIP to make the Admin class used pluggable for MM2 >>> would >>>>> be >>>>>>>>>>>> reasonable. >>>>>>>>>>>>>> Adding a competing admin API is not. >>>>>>>>>>>>>> >>>>>>>>>>>>>> It's true that there are many Admin methods, but you >> do >>>> not >>>>>> need >>>>>>>> to >>>>>>>>>>>>>> implement all of them -- just the ones that >> MirrorMaker >>>>> uses. >>>>>>> The >>>>>>>>>> other >>>>>>>>>>>>>> ones can throw a NotImplementedException or similar. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> The current approach also assumes that the user >>> running >>>>> MM2 >>>>>>> has >>>>>>>>>> the >>>>>>>>>>>>>> Admin right to >>>>>>>>>>>>>>> create/update topics, which is only valid if the >> user >>>> who >>>>>> runs >>>>>>>> MM2 >>>>>>>>>>>> also >>>>>>>>>>>>>> manages both >>>>>>>>>>>>>>> source and destination clusters. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Maybe I'm misunderstanding the use-case you're >>> describing >>>>>> here. >>>>>>>> But >>>>>>>>>> it >>>>>>>>>>>>>> seems to me that if you create a proxy that has the >>>> ability >>>>> to >>>>>>> do >>>>>>>>>> any >>>>>>>>>>>> admin >>>>>>>>>>>>>> operation, and give MM2 access to that proxy, the >>> security >>>>>> model >>>>>>>> is >>>>>>>>>> the >>>>>>>>>>>>>> same as just giving MM2 admin access. (Or it may be >>> worse >>>> if >>>>>> the >>>>>>>>>>>> sysadmin >>>>>>>>>>>>>> doesn't know what this proxy is doing, and doesn't >> lock >>> it >>>>>>>> down...) >>>>>>>>>>>>>> >>>>>>>>>>>>>> best, >>>>>>>>>>>>>> Colin >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Mon, May 9, 2022, at 13:21, Omnia Ibrahim wrote: >>>>>>>>>>>>>>> Hi, I gave the KIP another look after talking to >> some >>>>> people >>>>>>> at >>>>>>>>>> the >>>>>>>>>>>> Kafka >>>>>>>>>>>>>>> Summit in London. And I would like to clear up the >>>>>> motivation >>>>>>> of >>>>>>>>>> this >>>>>>>>>>>>>> KIP. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> At the moment, MM2 has some opinionated decisions >> that >>>> are >>>>>>>>>> creating >>>>>>>>>>>>>> issues >>>>>>>>>>>>>>> for teams that use IaC, federated solutions or have >> a >>>>>>>>>> capacity/budget >>>>>>>>>>>>>>> planning system for Kafka destination clusters. To >>>> explain >>>>>> it >>>>>>>>>> better, >>>>>>>>>>>>>> let's >>>>>>>>>>>>>>> assume we have MM2 with the following configurations >>> to >>>>>>>> highlight >>>>>>>>>>>> these >>>>>>>>>>>>>>> problems. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ``` >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> topics = .* >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> refresh.topics.enabled = true >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> sync.topic.configs.enabled = true >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> sync.topic.acls.enabled = true >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> // Maybe in futrue we can have >>> sync.group.acls.enabled = >>>>>> true >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ``` >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> These configurations allow us to run MM2 with the >>> value >>>> of >>>>>> its >>>>>>>>>> full >>>>>>>>>>>>>>> features. However, there are two main concerns when >> we >>>> run >>>>>> on >>>>>>> a >>>>>>>>>> scale >>>>>>>>>>>>>> with >>>>>>>>>>>>>>> these configs: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 1. *Capacity/Budgeting Planning:* >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Functionality or features that impact capacity >>> planning >>>>>> using >>>>>>>> MM2 >>>>>>>>>> are: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 1. MM2 automatically creates topics (breaking the >>>> rule >>>>> of >>>>>>>>>>>>>>> `auto.create.topics.enable=false`) and creates >>> topic >>>>>>>>>> partitions on >>>>>>>>>>>>>>> destination clusters if the number of partitions >>>>>> increases >>>>>>> on >>>>>>>>>> the >>>>>>>>>>>>>> source. >>>>>>>>>>>>>>> In the previous example, this functionality will >>>> apply >>>>> to >>>>>>> any >>>>>>>>>> topic >>>>>>>>>>>>>> that >>>>>>>>>>>>>>> matches the regex of the `topics` config. >>>>>>>>>>>>>>> 2. Sync topic configs include configurations that >>>>> impact >>>>>>>>>> capacity >>>>>>>>>>>>>> like ` >>>>>>>>>>>>>>> retention.ms` and `retention.bytes`. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> These 2 points lead to adding new untracked capacity >>> to >>>>>>>>>> destination >>>>>>>>>>>>>>> clusters without a way to count for them up-front or >>>>>> safeguard >>>>>>>> the >>>>>>>>>>>>>> cluster. >>>>>>>>>>>>>>> The team that runs the cluster will only see the >>>> capacity >>>>>>> issue >>>>>>>>>> when >>>>>>>>>>>>>> their >>>>>>>>>>>>>>> disk usage hits the threshold for their alerts. The >>> desk >>>>>>>> capacity >>>>>>>>>>>> issue >>>>>>>>>>>>>> can >>>>>>>>>>>>>>> be avoided if MM2 is flexible enough to >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - have a way for teams that run their ecosystem >> to >>>> have >>>>>> MM2 >>>>>>>>>> behave >>>>>>>>>>>>>>> within their system. >>>>>>>>>>>>>>> - disable the auto-creation and avoid syncing >>> configs >>>>>> that >>>>>>>>>> impact >>>>>>>>>>>>>>> capacity >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 2. *Provisioning conflict:* >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> In the previous MM2 configurations; we ended up with >>>>>> conflict >>>>>>> as >>>>>>>>>> MM2 >>>>>>>>>>>> used >>>>>>>>>>>>>>> `AdminClient` directly to perform the following >>>>>> functionality >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Create a Kafka topic (no way to disable this >> at >>>> the >>>>>>>> moment) >>>>>>>>>>>>>>> - Add new Kafka partitions (no way to disable >> this >>>> at >>>>>> the >>>>>>>>>> moment) >>>>>>>>>>>>>>> - Sync Kafka Topic configurations (can be >>> disabled, >>>>> but >>>>>>> then >>>>>>>>>> this >>>>>>>>>>>>>>> reduces the value of MM2 potential for users) >>>>>>>>>>>>>>> - Sync Kafka topic's ACLs (can be disabled, but >>> this >>>>>>> reduces >>>>>>>>>> the >>>>>>>>>>>>>> users' >>>>>>>>>>>>>>> value). Disabling this feature also means that >>> users >>>>> must >>>>>>>>>> ensure >>>>>>>>>>>> they >>>>>>>>>>>>>> have >>>>>>>>>>>>>>> the right ACLs to the mirrored topics on the >>>>> destination >>>>>>>>>> cluster >>>>>>>>>>>>>> before >>>>>>>>>>>>>>> switching their consumers, especially when MM2 is >>>> used >>>>>> for >>>>>>>>>> disaster >>>>>>>>>>>>>>> recovery. It may lead to extra downtime for them. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> All these functionalities are using AdminClient; >> which >>>>>> causes >>>>>>> an >>>>>>>>>> issue >>>>>>>>>>>>>> with >>>>>>>>>>>>>>> teams that >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Manage their Kafka resources using tools like >>>>> Strimizi >>>>>> or >>>>>>>>>> custom >>>>>>>>>>>>>>> federated solutions. For example, Strimizi's >>>>> UserOperator >>>>>>>>>> doesn't >>>>>>>>>>>>>> sync the >>>>>>>>>>>>>>> topic ACLs when MM2 is enabled. Strimzi >>> documentation >>>>>>>> mentions >>>>>>>>>> that >>>>>>>>>>>>>> users >>>>>>>>>>>>>>> must to disable MM2 `sync.topic.acls.enabled` if >>> they >>>>> use >>>>>>>>>>>>>> `UserOperator`. >>>>>>>>>>>>>>> On the other hand, Strimizi's TopicOperator >> doesn't >>>>> have >>>>>>> the >>>>>>>>>> same >>>>>>>>>>>>>> issue >>>>>>>>>>>>>>> because it has a bi-directional reconciliation >>>> process >>>>>> that >>>>>>>>>> watches >>>>>>>>>>>>>> the >>>>>>>>>>>>>>> topics state on the Kafka cluster and updates >>>>> KafkaTopic >>>>>>>>>> resources >>>>>>>>>>>> for >>>>>>>>>>>>>>> Strimzi. This design works fine with Kafka MM2 >> for >>>>> Topics >>>>>>> but >>>>>>>>>> not >>>>>>>>>>>> for >>>>>>>>>>>>>>> syncing ACLs. Strimizi TopicOperator also doesn't >>>> have >>>>> a >>>>>>> way >>>>>>>> to >>>>>>>>>>>> stop >>>>>>>>>>>>>>> syncing config that impact capacity for example >>>>> retention >>>>>>>>>> configs. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - Teams that run MM2 but don't own the >> destination >>>>>> cluster. >>>>>>>> In >>>>>>>>>> this >>>>>>>>>>>>>>> case, these teams don't have Admin access, but >> they >>>> may >>>>>>> have >>>>>>>>>> Kafka >>>>>>>>>>>>>>> management solutions, such as yahoo/CMAK or an >>>> in-house >>>>>>>>>> solution. >>>>>>>>>>>> For >>>>>>>>>>>>>> such >>>>>>>>>>>>>>> a tool as CMAK, these teams can update/create >>>> resources >>>>>>> using >>>>>>>>>> CMAK >>>>>>>>>>>>>> REST API. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The Proposed KIP gives users the flexibility to >>>> integrate >>>>>> MM2 >>>>>>>>>> within >>>>>>>>>>>>>> their >>>>>>>>>>>>>>> ecosystem without disabling any MM2 features. We can >>>>> achieve >>>>>>>> this >>>>>>>>>>>>>>> flexibility with one of the following solutions. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 1. Introduce a new interface that hides Admin >>>>>> interactions >>>>>>> in >>>>>>>>>> one >>>>>>>>>>>>>> place. >>>>>>>>>>>>>>> Then users can provide their way of resource >>>>> management. >>>>>> As >>>>>>>>>> well as >>>>>>>>>>>>>> clean >>>>>>>>>>>>>>> up the MM2 code by having one place that manages >>> the >>>>>>>>>> resources, as >>>>>>>>>>>> at >>>>>>>>>>>>>> the >>>>>>>>>>>>>>> moment, MM2 usage of AdminClient is all over the >>>> code. >>>>>>>>>>>>>>> 2. The second solution could be to add only a new >>>>> config >>>>>>> that >>>>>>>>>>>> allows >>>>>>>>>>>>>> the >>>>>>>>>>>>>>> users to override AdminClient with another >>>>> implementation >>>>>>> of >>>>>>>>>> the >>>>>>>>>>>>>>> AdminClient interface, as Ryanne suggested >> before. >>>> The >>>>>>>>>> downside is >>>>>>>>>>>>>> that >>>>>>>>>>>>>>> AdminClient is enormous and constantly under >>>>> development, >>>>>>> so >>>>>>>>>> any >>>>>>>>>>>>>> users who >>>>>>>>>>>>>>> opt-in for custom implementation will need to >> carry >>>>> this >>>>>>>>>> burden. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I favour the first solution as it will make it >> either >>>>> later >>>>>> to >>>>>>>>>> add any >>>>>>>>>>>>>> new >>>>>>>>>>>>>>> feature related to resource management. But don't >> mind >>>> if >>>>>>> others >>>>>>>>>> think >>>>>>>>>>>>>> that >>>>>>>>>>>>>>> the second solution is easier for MM2 design. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> *Note*: There are two possible future KIPs following >>>> this >>>>>> KIP >>>>>>> to >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> 1. Add config to disable MM2 from auto creating >> or >>>>> adding >>>>>>> new >>>>>>>>>> topic >>>>>>>>>>>>>>> partitions. >>>>>>>>>>>>>>> 2. Add a way to exclude a specific topic's >>>>> configuration >>>>>>> from >>>>>>>>>> being >>>>>>>>>>>>>>> synced. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I hope this clears up the problem better. Please let >>> me >>>>> know >>>>>>>> what >>>>>>>>>> do >>>>>>>>>>>> you >>>>>>>>>>>>>>> think. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Mon, Feb 7, 2022 at 3:26 PM Omnia Ibrahim < >>>>>>>>>> [email protected] >>>>>>>>>>>>> >>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Hi Mickael. Thanks for the feedback. I address some >>> of >>>>> your >>>>>>>>>> points >>>>>>>>>>>>>> below. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> *> This seems to address a relatively advanced and >>>>> specific >>>>>>> use >>>>>>>>>> case* >>>>>>>>>>>>>>>> The main point of the KIP is that MM2 is making a >>>> massive >>>>>>>>>> assumption >>>>>>>>>>>>>> that >>>>>>>>>>>>>>>> it has the right to alter/create resources. This >>>>> assumption >>>>>>>> isn't >>>>>>>>>>>> valid >>>>>>>>>>>>>> in >>>>>>>>>>>>>>>> the world of Infra-as-Code, federated solutions and >>>>>>> popularity >>>>>>>>>> of OS >>>>>>>>>>>>>> Kafka >>>>>>>>>>>>>>>> Kubernetes operators; these infra/resource >> management >>>>>>> solutions >>>>>>>>>>>> aren't >>>>>>>>>>>>>>>> advanced use-cases anymore nowadays. These concerns >>> had >>>>>> been >>>>>>>>>> raised >>>>>>>>>>>> in >>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> past, especially regarding the assumption that MM2 >>> can >>>>>> create >>>>>>>>>> topics >>>>>>>>>>>> on >>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> destination cluster. For example, >>>>>>>>>>>>>>>> https://issues.apache.org/jira/browse/KAFKA-12753 >>> and >>>>>>>>>>>>>>>> >>>>>>>> >> https://www.mail-archive.com/[email protected]/msg119340.html >>>>>>>>>> . >>>>>>>>>>>>>>>> The primary motivation is giving some power to data >>>>>>>>>>>>>>>> platform/infrastructure team to make MM2 part of >>> their >>>>>>> internal >>>>>>>>>> Kafka >>>>>>>>>>>>>>>> ecosystem without dropping the main features that >>> make >>>>> MM2 >>>>>>>>>> valuable, >>>>>>>>>>>>>> like >>>>>>>>>>>>>>>> syncing topic configs. For example, if someone uses >>> any >>>>> OS >>>>>>>> Kafka >>>>>>>>>> k8s >>>>>>>>>>>>>>>> operator, they can implement the class to interact >>> with >>>>> the >>>>>>> k8s >>>>>>>>>>>>>> operator to >>>>>>>>>>>>>>>> create these resources. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> *> My initial concern is this may make it hard to >>>> evolve >>>>>>>>>> MirrorMaker >>>>>>>>>>>> as >>>>>>>>>>>>>>>> we'll likely need to update this new interface if >> new >>>>>>> features >>>>>>>>>> are >>>>>>>>>>>>>> added.* >>>>>>>>>>>>>>>> I agree it's a disadvantage to adding a new >> interface >>>>>> however >>>>>>>>>> adding >>>>>>>>>>>>>> more >>>>>>>>>>>>>>>> admin interactions from MM2 to alter/create >> resources >>>> and >>>>>>>> access >>>>>>>>>> will >>>>>>>>>>>>>> feed >>>>>>>>>>>>>>>> the main issue as I mentioned above with the >>> popularity >>>>> of >>>>>>> IaC >>>>>>>>>> and >>>>>>>>>>>>>>>> federated solutions; most data >>> platform/infrastructure >>>>>> teams >>>>>>>> will >>>>>>>>>>>> endup >>>>>>>>>>>>>>>> disabling these new features. >>>>>>>>>>>>>>>> Also, at the moment, most MM2 interactions with the >>>> admin >>>>>>>> client >>>>>>>>>> are >>>>>>>>>>>>>>>> scattered across the codebase so having one place >>> where >>>>> all >>>>>>>> admin >>>>>>>>>>>>>>>> interactions are listed isn't a bad thing. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> *> For example if we wanted to sync group ACLs.* >>>>>>>>>>>>>>>> As I mentioned before, altering any resource's >>>>>> configurations >>>>>>>>>> with >>>>>>>>>>>> MM2 >>>>>>>>>>>>>> is >>>>>>>>>>>>>>>> the one main concern for any data >>>> platform/infrastructure >>>>>>> team >>>>>>>>>> that >>>>>>>>>>>>>> wants >>>>>>>>>>>>>>>> to have control over their clusters and use MM2. So >>> the >>>>>> main >>>>>>>>>> question >>>>>>>>>>>>>> with >>>>>>>>>>>>>>>> adding any new altering feature like sync group >> ACLs >>>> will >>>>>>> raise >>>>>>>>>> the >>>>>>>>>>>> same >>>>>>>>>>>>>>>> question of how many teams will actually enable >> this >>>>>> feature. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> *>Regarding the proposed API, I have a few >>> suggestions: >>>>>> - >>>>>>> What >>>>>>>>>> about >>>>>>>>>>>>>>>> using configure() instead of the constructor to >> pass >>>> the >>>>>>>>>>>>> configuration, >>>>>>>>>>>>>>>> especially as it's implementing Configurable >- >> It's >>>> not >>>>>>> clear >>>>>>>>>> what >>>>>>>>>>>> all >>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> arguments of createTopicPartitions()>are. What's >> the >>>>>>> difference >>>>>>>>>>>> between >>>>>>>>>>>>>>>> partitionCounts and newPartitions?>Should we have >>>>> separate >>>>>>>>>> methods >>>>>>>>>>>> for >>>>>>>>>>>>>>>> creating topics and partitions? >- Do we really >> need >>>>>>>>>>>>>>>> createCompactedTopic()? >- Instead of >>>>> updateTopicConfigs() >>>>>>> and >>>>>>>>>>>>>> updateAcls() >>>>>>>>>>>>>>>> should we use the >"alter" prefix to stay >> consistent >>>> with >>>>>>>> Admin?* >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> These are good suggestions that will update the KIP >>> to >>>>>>> address >>>>>>>>>> these. >>>>>>>>>>>>>>>> Regarding the `createCompactedTopic` MM2 is using >>> this >>>>>> method >>>>>>>> to >>>>>>>>>>>> create >>>>>>>>>>>>>>>> internal topics. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Wed, Jan 26, 2022 at 1:55 PM Mickael Maison < >>>>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Hi Omnia, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thanks for the KIP, sorry for taking so long to >>>> comment. >>>>>>> I've >>>>>>>>>> only >>>>>>>>>>>> had >>>>>>>>>>>>>>>>> time to take a quick look so far. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> This seems to address a relatively advanced and >>>> specific >>>>>> use >>>>>>>>>> case. >>>>>>>>>>>> My >>>>>>>>>>>>>>>>> initial concern is this may make it hard to evolve >>>>>>> MirrorMaker >>>>>>>>>> as >>>>>>>>>>>>>>>>> we'll likely need to update this new interface if >>> new >>>>>>> features >>>>>>>>>> are >>>>>>>>>>>>>>>>> added. For example if we wanted to sync group >> ACLs. >>>>>>>>>>>>>>>>> I'm wondering if it's something you've thought >>> about. >>>>> I'm >>>>>>> not >>>>>>>>>> saying >>>>>>>>>>>>>>>>> it's a blocker but we have to weigh the pros and >>> cons >>>>> when >>>>>>>>>>>> introducing >>>>>>>>>>>>>>>>> new features. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Regarding the proposed API, I have a few >>> suggestions: >>>>>>>>>>>>>>>>> - What about using configure() instead of the >>>>> constructor >>>>>> to >>>>>>>>>> pass >>>>>>>>>>>> the >>>>>>>>>>>>>>>>> configuration, especially as it's implementing >>>>>> Configurable >>>>>>>>>>>>>>>>> - It's not clear what all the arguments of >>>>>>>>>> createTopicPartitions() >>>>>>>>>>>>>>>>> are. What's the difference between partitionCounts >>> and >>>>>>>>>>>> newPartitions? >>>>>>>>>>>>>>>>> Should we have separate methods for creating >> topics >>>> and >>>>>>>>>> partitions? >>>>>>>>>>>>>>>>> - Do we really need createCompactedTopic()? >>>>>>>>>>>>>>>>> - Instead of updateTopicConfigs() and updateAcls() >>>>> should >>>>>> we >>>>>>>>>> use the >>>>>>>>>>>>>>>>> "alter" prefix to stay consistent with Admin? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Thanks, >>>>>>>>>>>>>>>>> Mickael >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Wed, Jan 26, 2022 at 11:26 AM Omnia Ibrahim < >>>>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>> If there are no more concerns regarding the >>> proposal >>>>>> can I >>>>>>>> get >>>>>>>>>>>> some >>>>>>>>>>>>>>>>> votes on the KIP here >>>>>>>>>>>>>>>>> >>>>>>>>>> >>>> https://lists.apache.org/thread/950lpxjb5kbjm8qdszlpxm9h4j4sfyjx >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Wed, Oct 27, 2021 at 3:54 PM Ryanne Dolan < >>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Well I'm convinced! Thanks for looking into it. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Ryanne >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Wed, Oct 27, 2021, 8:49 AM Omnia Ibrahim < >>>>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I checked the difference between the number >> of >>>>>> methods >>>>>>> in >>>>>>>>>> the >>>>>>>>>>>>>> Admin >>>>>>>>>>>>>>>>>>>> interface and the number of methods MM2 >> invokes >>>>> from >>>>>>>>>> Admin, and >>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>> diff >>>>>>>>>>>>>>>>>>>> is enormous (it's more than 70 methods). >>>>>>>>>>>>>>>>>>>> As far as I can see, the following methods >> MM2 >>>>>> depends >>>>>>> on >>>>>>>>>> (in >>>>>>>>>>>>>>>>>>>> MirrorSourceConnector, MirrorMaker, >>>>>>> MirrorCheckpointTask >>>>>>>>>> and >>>>>>>>>>>>>>>>>>>> MirrorCheckpointConnector), this will leave >> 73 >>>>>> methods >>>>>>> on >>>>>>>>>> the >>>>>>>>>>>>>> Admin >>>>>>>>>>>>>>>>>>>> interface that customer will need to return >>> dummy >>>>>> data >>>>>>>> for, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 1. create(conf) >>>>>>>>>>>>>>>>>>>> 2. close >>>>>>>>>>>>>>>>>>>> 3. listTopics() >>>>>>>>>>>>>>>>>>>> 4. createTopics(newTopics, >>>> createTopicsOptions) >>>>>>>>>>>>>>>>>>>> 5. createPartitions(newPartitions) >>>>>>>>>>>>>>>>>>>> 6. alterConfigs(configs) // this method >> is >>>>> marked >>>>>>> for >>>>>>>>>>>>>>>>> deprecation in >>>>>>>>>>>>>>>>>>>> Admin and the ConfigResource MM2 use is >> only >>>>> TOPIC >>>>>>>>>>>>>>>>>>>> 7. createAcls(aclBindings) // the list of >>>>> bindings >>>>>>>>>> always >>>>>>>>>>>>>>>>> filtered by >>>>>>>>>>>>>>>>>>>> TOPIC >>>>>>>>>>>>>>>>>>>> 8. describeAcls(aclBindingFilter) // >> filter >>> is >>>>>>> always >>>>>>>>>>>>>>>>> ANY_TOPIC_ACL >>>>>>>>>>>>>>>>>>>> 9. describeConfigs(configResources) // >>> Always >>>>> for >>>>>>>> TOPIC >>>>>>>>>>>>>> resources >>>>>>>>>>>>>>>>>>>> 10. listConsumerGroupOffsets(groupId) >>>>>>>>>>>>>>>>>>>> 11. listConsumerGroups() >>>>>>>>>>>>>>>>>>>> 12. alterConsumerGroupOffsets(groupId, >>>> offsets) >>>>>>>>>>>>>>>>>>>> 13. describeCluster() // this is invoked >>> from >>>>>>>>>>>>>>>>>>>> ConnectUtils.lookupKafkaClusterId(conf), >>>>>>>>>>>>>>>>>>>> but MM2 isn't the one that initialize the >>>>>>> AdminClient >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Going with the Admin interface in practice >> will >>>>> make >>>>>>> any >>>>>>>>>> custom >>>>>>>>>>>>>> Admin >>>>>>>>>>>>>>>>>>>> implementation humongous even for a fringe >> use >>>> case >>>>>>>>>> because of >>>>>>>>>>>> the >>>>>>>>>>>>>>>>> number >>>>>>>>>>>>>>>>>>>> of methods that need to return dummy data, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I am still leaning toward a new interface as >> it >>>>>>> abstract >>>>>>>>>> all >>>>>>>>>>>> MM2's >>>>>>>>>>>>>>>>>>>> interaction with Kafka Resources in one >> place; >>>> this >>>>>>> makes >>>>>>>>>> it >>>>>>>>>>>>>> easier >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>>> maintain and make it easier for the use cases >>>> where >>>>>>>>>> customers >>>>>>>>>>>>>> wish to >>>>>>>>>>>>>>>>>>>> provide a different method to handle >> resources. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Omnia >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On Tue, Oct 26, 2021 at 4:10 PM Ryanne Dolan >> < >>>>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I like the idea of failing-fast whenever a >>>> custom >>>>>>> impl >>>>>>>> is >>>>>>>>>>>>>>>>> provided, but I >>>>>>>>>>>>>>>>>>>>> suppose that that could be done for Admin >> as >>>>> well. >>>>>> I >>>>>>>>>> agree >>>>>>>>>>>> your >>>>>>>>>>>>>>>>> proposal >>>>>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>>>>>> more ergonomic, but maybe it's okay to >> have a >>>>>> little >>>>>>>>>>>> friction in >>>>>>>>>>>>>>>>> such >>>>>>>>>>>>>>>>>>>>> fringe use-cases. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Ryanne >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On Tue, Oct 26, 2021, 6:23 AM Omnia >> Ibrahim < >>>>>>>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Hey Ryanne, Thanks fo the quick feedback. >>>>>>>>>>>>>>>>>>>>>> Using the Admin interface would make >>>> everything >>>>>>>>>> easier, as >>>>>>>>>>>> MM2 >>>>>>>>>>>>>>>>> will >>>>>>>>>>>>>>>>>>>> need >>>>>>>>>>>>>>>>>>>>>> only to configure the classpath for the >> new >>>>>>>>>> implementation >>>>>>>>>>>> and >>>>>>>>>>>>>>>>> use it >>>>>>>>>>>>>>>>>>>>>> instead of AdminClient. >>>>>>>>>>>>>>>>>>>>>> However, I have two concerns >>>>>>>>>>>>>>>>>>>>>> 1. The Admin interface is enormous, and >> the >>>> MM2 >>>>>>> users >>>>>>>>>> will >>>>>>>>>>>>>> need >>>>>>>>>>>>>>>>> to know >>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>> list of methods MM2 depends on and >> override >>>>> these >>>>>>>> only >>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>> implementing the whole Admin interface. >>>>>>>>>>>>>>>>>>>>>> 2. MM2 users will need keep an eye on any >>>>> changes >>>>>>> to >>>>>>>>>> Admin >>>>>>>>>>>>>>>>> interface >>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>> impact MM2 for example deprecating >> methods. >>>>>>>>>>>>>>>>>>>>>> Am not sure if adding these concerns on >> the >>>>> users >>>>>>> is >>>>>>>>>>>>>> acceptable >>>>>>>>>>>>>>>>> or not. >>>>>>>>>>>>>>>>>>>>>> One solution to address these concerns >>> could >>>> be >>>>>>>> adding >>>>>>>>>> some >>>>>>>>>>>>>>>>> checks to >>>>>>>>>>>>>>>>>>>>> make >>>>>>>>>>>>>>>>>>>>>> sure the methods MM2 uses from the Admin >>>>>> interface >>>>>>>>>> exists >>>>>>>>>>>> to >>>>>>>>>>>>>> fail >>>>>>>>>>>>>>>>>>>> faster. >>>>>>>>>>>>>>>>>>>>>> What do you think >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Omnia >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 25, 2021 at 11:24 PM Ryanne >>>> Dolan < >>>>>>>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Thanks Omnia, neat idea. I wonder if we >>>> could >>>>>> use >>>>>>>> the >>>>>>>>>>>>>> existing >>>>>>>>>>>>>>>>> Admin >>>>>>>>>>>>>>>>>>>>>>> interface instead of defining a new >> one? >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Ryanne >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On Mon, Oct 25, 2021, 12:54 PM Omnia >>>> Ibrahim >>>>> < >>>>>>>>>>>>>>>>>>>> [email protected]> >>>>>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Hey everyone, >>>>>>>>>>>>>>>>>>>>>>>> Please take a look at KIP-787 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-787%3A+MM2+Interface+to+manage+Kafka+resources >>>>>>>>>>>>>>>>>>>>>>>> < >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-787%3A+MM2+Interface+to+manage+Kafka+resources >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Thanks for the feedback and support >>>>>>>>>>>>>>>>>>>>>>>> Omnia >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >>
