...
The ACLs required for this new API will be the same as the ones required to use a transactional producer for each of the specified transactional IDs. Specifically, this amounts to grants for the Write
and Describe
operations on the TransactionalId
resource, and a grant for the IdempotentWrite
operation on the Cluster
resource.
Note that the IdempotentWrite
ACL has been deprecated as of 2.8 (see KIP-679) and will only be necessary for Connect clusters running on pre-2.8 Kafka clusters.
Limitations
- Distributed mode is required; standalone mode will not be supported (yet) for exactly-once source connectors
- Exactly-once source support can only be enabled for all source connectors or none; it cannot be toggled on a per-connector basis
- In order to be viable for exactly-once delivery, connectors must assign source partitions to at most one task at a time (otherwise duplicate writes may occur)
- In order to be viable for exactly-once delivery, connectors must use the Connect source offset API for tracking progress (otherwise duplicate writes or dropped records may occur)
...
Operation | Resource Type | Resource Name |
|
|
|
|
|
|
|
| Kafka cluster targeted by the Connect cluster |
* - Note that the IdempotentWrite
ACL has been deprecated as of 2.8 (see KIP-679) and will only be necessary for Connect clusters running on pre-2.8 Kafka clusters.
Connector principal permissions
...
Operation | Resource Type | Resource Name |
|
|
|
|
|
|
|
| Kafka cluster targeted by the connector. |
|
| Offsets topic used by the connector, which is either the value of the |
|
| Kafka cluster targeted by the connector. |
* - Note that the IdempotentWrite
ACL has been deprecated as of 2.8 (see KIP-679) and will only be necessary for Connect clusters running on pre-2.8 Kafka clusters.
Consumer
Each source connector’s consumer principal must be given the following permissions on the Kafka cluster it reads offsets from:
...