[ https://issues.apache.org/jira/browse/KAFKA-15372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17757542#comment-17757542 ]
Greg Harris commented on KAFKA-15372: ------------------------------------- Reading through the KIP-710 thread, it appears that the public API was intentionally left out of the implementation to avoid security problems. In particular, the connector config endpoint security is typically managed by a rest extension and by default is unsecured, while the internal endpoints are already secured by default. If we were to keep the current security posture of KIP-710 (all endpoints secured) and add a new endpoint, we would need to secure it by default. This would be a divergence between MM2 dedicated mode and normal Connect Distributed mode that the KIP discussion wanted to avoid. Because of that, I don't think we can implement connector config forwarding in a bugfix, it's going to at least need a slightly longer discussion about securing the original endpoint vs duplicating the endpoint. I think that means that we'll need to implement the alternative solution, which delays applying the configuration until the worker becomes the leader. > MM2 rolling restart can drop configuration changes silently > ----------------------------------------------------------- > > Key: KAFKA-15372 > URL: https://issues.apache.org/jira/browse/KAFKA-15372 > Project: Kafka > Issue Type: Bug > Components: mirrormaker > Reporter: Daniel Urban > Priority: Major > Fix For: 3.6.0 > > > When MM2 is restarted, it tries to update the Connector configuration in all > flows. This is a one-time trial, and fails if the Connect worker is not the > leader of the group. > In a distributed setup and with a rolling restart, it is possible that for a > specific flow, the Connect worker of the just restarted MM2 instance is not > the leader, meaning that Connector configurations can get dropped. > For example, assuming 2 MM2 instances, and one flow A->B: > # MM2 instance 1 is restarted, the worker inside MM2 instance 2 becomes the > leader of A->B Connect group. > # MM2 instance 1 tries to update the Connector configurations, but fails > (instance 2 has the leader, not instance 1) > # MM2 instance 2 is restarted, leadership moves to worker in MM2 instance 1 > # MM2 instance 2 tries to update the Connector configurations, but fails > At this point, the configuration changes before the restart are never > applied. Many times, this can also happen silently, without any indication. -- This message was sent by Atlassian Jira (v8.20.10#820010)