Status
Current state: Under Discussion Accepted
Discussion thread: here
JIRA: KAFKA-9091
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
When Kafka is configured to use SSL, the broker will typically support multiple cipher suites. During the SSL handshake, the client and the server negotiate which cipher suite gets used by the connection.
...
However, currently, it is difficult to know what cipher suite is actually in use. There are log messages that describe it, but they are logged at DEBUG or TRACE level, and the information is not aggregated anywhere. We would like to create a metric to address this gap.
Public Interfaces
We will add a new metric in the Selector to surface information about what cipher suites are in use. The mbean will be:
```
kafka.server:listener=(listener),networkProcessor=(processor-index),type=(type),ssl-cipher=(ssl-cipher-name),ssl-protocol=(ssl-protocol-name)
```
The mbean will contain a single value named "connections": the number of currently open connections using the given SSL cipher suite and protocol. If the number of connections drops to 0, the mbean will be removed.
...
```
kafka.server:listener=SSL,networkProcessor=0,type=socket-server-metrics,ssl-cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,ssl-protocol=TLSv1.2
```
Note that listeners that don't use SSL will not get any additional metrics.
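One way an operator could consume these mbeans, as an added example that is not part of the proposal or of Kafka's code: sum the "connections" values across network processors and report cipher suite and protocol pairs that fall outside a local policy. The sample readings, the policy sets and the function names are assumptions, and the parser handles unquoted key values only.

```python
from collections import defaultdict

# Constructed sample: (mbean name, value of its "connections" attribute) as a
# JMX scraper might export them. Names follow the pattern given above.
SAMPLE = [
    ("kafka.server:listener=SSL,networkProcessor=0,type=socket-server-metrics,"
     "ssl-cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,ssl-protocol=TLSv1.2", 3),
    ("kafka.server:listener=SSL,networkProcessor=1,type=socket-server-metrics,"
     "ssl-cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,ssl-protocol=TLSv1.2", 2),
    ("kafka.server:listener=SSL,networkProcessor=1,type=socket-server-metrics,"
     "ssl-cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,ssl-protocol=TLSv1.2", 7),
    # Non-SSL listener: carries no ssl-cipher/ssl-protocol keys, so it is skipped.
    ("kafka.server:listener=PLAINTEXT,networkProcessor=2,type=socket-server-metrics", 4),
]

# Assumed site policy; the proposal itself defines no policy.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
ALLOWED_MODES = ("_GCM_", "_CHACHA20_")


def parse_mbean(name):
    """Split 'domain:k=v,k=v' into (domain, {k: v}); unquoted values only."""
    domain, _, props = name.partition(":")
    return domain, dict(p.split("=", 1) for p in props.split(",") if p)


def aggregate(samples):
    """Sum connections per (listener, cipher, protocol) across processors."""
    totals = defaultdict(int)
    for name, connections in samples:
        domain, keys = parse_mbean(name)
        if domain != "kafka.server" or not {"ssl-cipher", "ssl-protocol"} <= keys.keys():
            continue
        key = (keys.get("listener", "?"), keys["ssl-cipher"], keys["ssl-protocol"])
        totals[key] += connections
    return dict(totals)


def violations(totals):
    """Return the aggregated entries that fall outside the assumed policy."""
    return {
        key: count for key, count in totals.items()
        if key[2] not in ALLOWED_PROTOCOLS or not any(m in key[1] for m in ALLOWED_MODES)
    }


if __name__ == "__main__":
    for (listener, cipher, proto), n in sorted(violations(aggregate(SAMPLE)).items()):
        print(f"{listener}: {n} connection(s) using {cipher} over {proto}")
```

Because an mbean is removed when its connection count drops to 0, a pair that is absent from one scrape means no open connections at that moment, so a policy check like this is best run on every scrape rather than once.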
...