Status
Current state: [One of "Under Discussion", "Accepted", "Rejected"]
Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread]
JIRA: KAFKA-3492
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
KIP-13 introduced client quotas in Kafka 0.9.0.0. Rate limits on producers and consumers are enforced to prevent clients saturating the network or monopolizing broker resources. The current implementation allocates quotas to client-ids. This works well in single user clusters or clusters that use PLAINTEXT where all users have the same identity. But since client-id is unauthenticated and can be set to any value by the client, multi-user secure installations require quotas to be enforced for authenticated principals to guarantee fair allocation of resources and prevent denial-of-service.
This KIP addresses the following extensions to the existing implementation:
- The option to apply quotas based on authenticated principal instead of client-id. This prevents users generating heavy traffic from monopolizing resources and impacting the performance of other users in a multi-user cluster.
- Sub-quotas for clients of an authenticated user. Like the current client-id implementation, this enables a user to rate-limit some producers or consumers to ensure that they don’t impact other more critical clients. For instance, users may be able to rate-limit an auditing client running in the background, leaving resources always available for a critical event processing client.
Public Interfaces
Configuration Options
A configuration option quota.secure
will be added to choose between the existing client-id based implementation and the new authenticated-principal based implementation. The default value will be false
to be consistent with Kafka 0.9.0.x.
The default quota configs will apply to authenticated user principals if quota.secure=true.
quota.producer.default
: Ifquota.secure=false
, this is the default producer quota for each unique client- id. Otherwise, this is the default quota for each authenticated principal.quota.consumer.default
: Ifquota.secure=false
, this is the default consumer quota for each client-id. Otherwise, this is the default quota for each authenticated principal.
Metrics
When quota.secure=true
, quota related metrics will be generated for authenticated principals rather than client-ids.
Tools
kafka-configs.sh
will be extended to support authenticated user quotas and sub-quotas for clients of a user. A new entity type “users
” will be added. The key-value pairs supported for users
will be:
producer_byte_rate=p
: The total rate limit for the user’s producers set top
MB/secconsumer_byte_rate=c
: The total rate limit for the user’s consumers set toc
MB/secclient_producer_byte_rates=clientA:pA,clientB:pB
: The rate limit for the user’s producers with client-idclientA
is set to pA MB/sec. Similarly for clientB. Other clients sharep-pA-pB
MB/sec.client_consumer_byte_rates=clientA:cA,clientB:cB
: The rate limit for the user’s consumers with client-idclientA
is set to cA MB/sec. Other clients sharec-cA-cB
MB/sec.
Proposed Changes
Describe the new thing you want to do in appropriate detail. This may be fairly extensive and have large subsections of its own. Or it may be a few sentences. Use judgement based on the scope of the change.
Compatibility, Deprecation, and Migration Plan
quota.secure
is set to false as default to be consistent with Kafka 0.9.0.x. Hence the existing quota configurations will apply if new secure quotas are not defined. If quota.secure
is set to true
and new quotas are configured for users, clients may be throttled based on the new quota configurations. But no client API changes are necessary to work with the new implementation.
Rejected Alternatives
Unified configuration for client-id and authenticated-principal based quotas
This KIP proposes to use a broker configuration option to switch between client-id based quotas and authenticated-principal based quotas for simplicity. An alternative would be to define a unified configuration where client-id based quotas are a special case of a unified quota config with the same username applied to all clients. The internal quota implementation will use common code for both options with only the quota-id being different. But the externally visible configuration and defaults are much simpler to define with separate options that are consistent with 0.9.0.x since it is unlikely that a cluster would support both.