[
https://issues.apache.org/jira/browse/KAFKA-15372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17757542#comment-17757542
]
Greg Harris commented on KAFKA-15372:
-------------------------------------
Reading through the KIP-710 thread, it appears that the public API was
intentionally left out of the implementation to avoid security problems.
In particular, the connector config endpoint security is typically managed by a
rest extension and by default is unsecured, while the internal endpoints are
already secured by default. If we were to keep the current security posture of
KIP-710 (all endpoints secured) and add a new endpoint, we would need to secure
it by default. This would be a divergence between MM2 dedicated mode and normal
Connect Distributed mode that the KIP discussion wanted to avoid.
Because of that, I don't think we can implement connector config forwarding in
a bugfix, it's going to at least need a slightly longer discussion about
securing the original endpoint vs duplicating the endpoint.
I think that means that we'll need to implement the alternative solution, which
delays applying the configuration until the worker becomes the leader.
> MM2 rolling restart can drop configuration changes silently
> -----------------------------------------------------------
>
> Key: KAFKA-15372
> URL: https://issues.apache.org/jira/browse/KAFKA-15372
> Project: Kafka
> Issue Type: Bug
> Components: mirrormaker
> Reporter: Daniel Urban
> Priority: Major
> Fix For: 3.6.0
>
>
> When MM2 is restarted, it tries to update the Connector configuration in all
> flows. This is a one-time trial, and fails if the Connect worker is not the
> leader of the group.
> In a distributed setup and with a rolling restart, it is possible that for a
> specific flow, the Connect worker of the just restarted MM2 instance is not
> the leader, meaning that Connector configurations can get dropped.
> For example, assuming 2 MM2 instances, and one flow A->B:
> # MM2 instance 1 is restarted, the worker inside MM2 instance 2 becomes the
> leader of A->B Connect group.
> # MM2 instance 1 tries to update the Connector configurations, but fails
> (instance 2 has the leader, not instance 1)
> # MM2 instance 2 is restarted, leadership moves to worker in MM2 instance 1
> # MM2 instance 2 tries to update the Connector configurations, but fails
> At this point, the configuration changes before the restart are never
> applied. Many times, this can also happen silently, without any indication.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
