...

The problem caused by the obsolete log4j version is not limited to security problems like CVE-2019-17571. Most users are now familiar with the log4j2 (2.x) configuration syntax, not the 1.x one. For this reason, when they are trying to customize the logging configuration of Apache Kafka, Kafka Connect, or a Kafka Streams application, they have to work with an outdated, obsolete configuration format.

This KIP proposes to upgrade the log4j 1.x dependencies to log4j2 on the server side of Kafka. (For the exact definition of 'server-side', please refer to the 'Which modules will be influenced?' subsection.)

Public Interfaces

This KIP proposes the following:

  1. Replace the log4j 1.x dependency with 2.x, converting all 1.x API calls to their 2.x equivalents.
  2. Provide a way to use log4j2 configuration, with backward compatibility to log4j.

...

  1. server-side dependency from log4j into log4j2, along with their slf4j bindings.
  2. For user-interfacing configurations (like broker logging config), provide an additional log4j2-equivalent configuration with backward compatibility.
  3. For non-user interfacing configurations (like test config), all of them will be migrated into log4j2.
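
One way to check that a migrated build no longer ships log4j 1.x or its slf4j binding is to audit the jars on the classpath. The following is an added example, not part of the KIP or of Kafka's code: the jar names it is run against are constructed, and the SocketServer class name comes from the public description of CVE-2019-17571, not from this page.

```python
import io
import re
import zipfile

# Class that CVE-2019-17571 concerns (log4j 1.2 SocketServer).
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"

# File-name patterns for log4j 1.x and its slf4j binding.
LEGACY_NAMES = [
    (re.compile(r"^log4j-1\.\d+(\.\d+)*\.jar$"), "log4j 1.x"),
    (re.compile(r"^slf4j-log4j12-.*\.jar$"), "slf4j binding for log4j 1.x"),
]


def classify_name(jar_name):
    """Return a reason if the file name is a log4j 1.x artifact, else None."""
    for pattern, reason in LEGACY_NAMES:
        if pattern.match(jar_name):
            return reason
    return None


def bundles_socket_server(jar_bytes):
    """True if the archive holds SocketServer, even in a renamed or fat jar."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            return SOCKET_SERVER in jar.namelist()
    except zipfile.BadZipFile:
        return False  # unreadable archive: nothing to report


def audit(jars):
    """jars maps file name -> raw bytes; returns {name: [findings]}."""
    report = {}
    for name, data in jars.items():
        findings = [classify_name(name)] if classify_name(name) else []
        if bundles_socket_server(data):
            findings.append("contains " + SOCKET_SERVER)
        if findings:
            report[name] = findings
    return report


def make_jar(entries):
    """Build a constructed jar in memory (sample input for the audit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()
```

A name match covers the plain dependency case; the class check catches a copy that was renamed or merged into a fat jar, and a hit there should be reviewed by hand.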

Proposed Changes

Which modules will be influenced?

The following modules will be updated:

  • clients: the core, metadata, raft, server-common, and storage modules depend directly on the clients module, so it should be included.
  • connect
  • core
  • metadata
  • raft
  • storage
  • streams: this module directly depends on clients.

The following modules are out of the scope of this proposal, for the reasons given:

  • log4j-appender: This module should not be touched for the users, and its log4j2 equivalent should be provided independently. However, that is beyond the scope of this proposal.
  • tools: VerifiableLog4jAppender depends on log4j-appender, so it can't be migrated until log4j2-appender is ready.
  • trogdor: At the time this KIP was passed, trogdor was a part of tools, so it was excluded.

1. Core

For backward compatibility, the Kafka broker will use the log4j configuration file by default. For informational purposes, however, the following message will be shown in default mode:

...