You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Status

Current state[Accepted]

Discussion thread: here

JIRA: here

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

The goal is to eventually support different security mechanisms on different ports. 
Currently brokers are defined as host+port pair, and this definition exists throughout the code-base, therefore some refactoring is needed to support multiple ports for a single broker.

Public Interfaces

  • The following wire protocol APIs will change. We are bumping the protocol version to support backward compatibility:
    • UpdateMetadataRequest - will contain multiple host/port pairs, not just one

  • The following client libraries will change:

    • We are adding org.apache.kafka.common.protocol.SecurityProtocol - an ENUM describing the possible security protocols the broker may support and the client may try to connect to.

  • Quite a few changes from user configuration perspective:
    • Producers and consumers need to specify security.protocol - which protocol they'll use to connect to the server
    • Brokers that wish to support multiple protocols and multiple host/port pairs will need to specify a new configuration parameter: "listeners" and/or "advertised.listeners" - replacing host/port and advertised.host/advertised.port. Listener format is a comma-separated list of "protocol://host: port
    • Brokers need to specify replication.security.protocol - which protocol / port will be used to replicate data between brokers? this must be identical in all brokers.
    • Following an upgrade, brokers need to specify use.new.protocol = true, to start using the new wire protocol and to support new security protocols.

  • Broker registration in Zookeeper will change to include all host/port pairs the broker supports

Proposed Changes

See detailed description here: Multiple Listeners for Kafka Brokers

Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?

    If a user is not interested in using non-default protocol (i.e they are using PlainText transmission and not TLS/SASL), there is no visible change

  • If we are changing behavior how will we phase out the older behavior?

    The upgrade plan is to do a rolling upgrade on the brokers first, change use.new.protocol to "true" on all brokers (one by one?) when we are done. Clients can be upgraded whenever is convenient. Only "plaintext" protocol is supported until broker upgrade is complete. Also, only upgraded clients will be able to use new security protocols.

  • When will we remove the existing behavior?
    We plan to continue supporting existing behavior (i.e. a single "plaintext" host+port) indefinitely.

Rejected Alternatives

There was considerable discussion of the possibility of supporting all security protocols on the same port simultaneously. This was rejected for the following reasons:

  1. This approach is vulnerable to "downgrade attack"
  2. This requires a protocol-negotiation protocol, which can be rather complex
  3. Most other applications and frameworks support multiple protocols on different ports. Especially SSL.
  4. This approach allows cleanly disabling un-authenticated access (by removing "plaintext" ports after upgrade). This ability is desirable for auditing purposes.

 

  • No labels