- Dec 17, 2022
-
-
Authored by Zhongyin Zhang

### About
The ConfluentTrustManager currently only supports client cert validation. In order to support inter-broker ssl, we need to add the ability for it to validate server certs, and make the behavior configurable so that it can be used as needed depending on the use case.

### Major changes in this PR
- Add server verification in ConfluentTrustManager
- Make Confluent Host Suffix configurable

The [engineer One Page](https://confluentinc.atlassian.net/wiki/spaces/K/pages/2936971376/Using+a+Custom+TrustManager+for+Internal+TLS) describes the detail about this change.
[Jira](https://confluentinc.atlassian.net/browse/KCFUN-689)

### Testing
- The Confluent domain suffix is configurable
- The Host name validation is disabled under client mode
- Validate the inter broker ssl handshake

### Committer Checklist (excluded from commit message)
- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)

### Merge requirements
**Branch protections have been put into place which will prevent PRs from being merged to master when the build is failing.** Please review the build in jenkins. If your own change is to blame, please fix as required. Be careful to not simply retry the build if you suspect your change has made tests flakier or added flaky tests. If you suspect another change is the cause of failures or you're unclear about the cause, please read https://confluentinc.atlassian.net/wiki/spaces/KAFKA/pages/2719875296/ce-kafka+build+stability+unblocking+PR+merges.
-
Authored by Sanjana Kaundinya
KGLOBAL-2442: Disallow cluster link deletion when mirror topics are in PENDING_STOPPED state (#8264)
-
Authored by Kowshik Prakasam

Modified the `DumpTierPartitionState` to be able to print (to standard out) the headers (in JSON format) of all checkpointed tier state files under a provided root log directory.

**Test:** Built the tool and ran it to test 2 cases:
1. Ran the tool against all tier state files from one of the Kafka brokers in tier soak. Tool worked fine, and `jq` command was able to prettify its output, meaning that the JSON was valid. Also tried introducing a few errors and the tool still worked fine, printing the errors correctly to stderr while still printing the JSON output for the remaining valid partitions.
2. As a regression test, ran the tool against a single user partition's log directory. The tool behaved just like it was prior to this PR and printed all contents of the tier state file.
-
Authored by chern

…ticated listener

Customers can set cluster link bootstrap server to an unauthenticated listener of the source cluster. There is network connectivity if the source and destination cluster are in the same network. This is bad because through cluster link, customers can access another cluster without authentication on Confluent Cloud.

To mitigate this, we disallow a bootstrap server that has a localhost or site-local address + list of unauthenticated ports. The downside is we have to update new IP address ranges and unauthenticated ports used for Confluent Cloud.

To solve this problem permanently, Confluent Cloud brokers should reject cluster linking requests on unauthenticated listeners. The code is stricter as it only allows SASL_SSL, which is the only option for cloud currently. The change introduces ConfluentCloudBrokerInterceptor, which will be used by unauthenticated listeners on Confluent Cloud. After the destination cluster detects such a scenario, it will fail the cluster link.
- Dec 16, 2022
-
-
Authored by Ashish Malgawa

For Catalog RBAC, DS and DD need Describe permission on the topic; they also need permission to see the lineage.
-
Authored by Confluent Jenkins Bot
-
Authored by Confluent Jenkins Bot
-
Authored by yuyli

Today, we log PRODUCE/FETCH and FOLLOWER FETCH requests with latencies slower than P99. On clusters with very high request rate (3-4k) this results in a significant number of logs/events per second. Instead we can add sampling to slow logs which can ensure that we log a fixed number (in our case 48) of slow log requests per minute. We also update the way of calculating slowLog threshold in this PR. More details can be found in [this wiki page](https://confluentinc.atlassian.net/wiki/spaces/CNKAF/pages/2890301648/Slow+log+sampling).

**Here are the manual test results when logging into the broker to update dynamic config**

1. update the `SLOW_LOG_THRESHOLD_OVERRIDE` (updated successfully)
   <img width="1035" alt="Screen Shot 2022-12-02 at 1 11 44 PM" src="https://user-images.githubusercontent.com/112504334/205387000-7c2d2a6d-1c01-480d-a80b-3ce02635cad9.png">
2. update the `MIN_P99_SLOW_LOG_THRESHOLD` (updated successfully)
   <img width="1008" alt="Screen Shot 2022-12-02 at 1 11 58 PM" src="https://user-images.githubusercontent.com/112504334/205387130-871cf394-2048-4868-9814-9d5ef958f397.png">

### Committer Checklist (excluded from commit message)
- [x] Verify design and implementation
- [x] Verify test coverage and CI build status
- [x] Verify documentation (including upgrade notes)
-
- Dec 15, 2022
-
-
Authored by Stanislav Kozlovski

MINOR: Cherry-pick "Increase timeout, correct error message returned for addBroker test" (#7320) (#8306)

This patch cherry-picks 86b5fe7, originally committed only to the 7.3.x branch.

The commit increases the allowed timeout for the addBroker system test and conditionally gives it a greater timeout if the test is doing a rolling restart of every broker. At the time, through inspecting the tests, it was found out that the given 300s timeout was insufficient. The timeout is now respectively bumped to 900s and 450s depending on whether the brokers are being restarted or not.

Additionally, a minor bug is fixed in the error message log which previously wouldn't log the last addition status seen.

Co-authored-by: Aishwarya Gune <aishwarya@confluent.io>
-
Authored by Daniel Gospodinow
SBC event queue size metric
-
Authored by Rajini Sivaram

We were returning the link coordinator endpoint corresponding to the inter-broker listener when describing cluster links. This PR returns the endpoint based on the request listener so that internal endpoints are never exposed to external clients.

Reviewers: Sanjana Kaundinya
-
Authored by Yang Yu

We recently added a new internal config to restrict log roll times. We should by default not enforce this config and only enforce it in CCloud using a flag.

Reviewers: Ismael Juma <ismael@juma.me.uk>, Alok Thatikunta <alok123thatikunta@gmail.com>
-
Authored by Rittika Adhikari
Creating a PR to add back the old Admin APIs for the Leadership Priority API for compatibility
-
Authored by Rittika Adhikari
This PR propagates changes to broker health using the UpdateMetadataRequest, and stores changes in the ZkMetadataCache.
-
Authored by gbadoni
-
Authored by andymg3
-
Authored by Crispin Bernier
Enable creating netty client SSL engine
- Dec 14, 2022
-
-
Authored by Rajini Sivaram

Connections created by the source cluster of source initiated cluster links to Cloud destination brokers are added to tenant connection metrics, but they are not removed when the connection is reversed. This looks like a connection leak (RCCA-9890), even though connections are tracked and closed properly. This PR ensures connections are added and removed from tenant connection metrics on both source and destination sides and adds tests for connection metrics. Also improves handling of connection close during reconfiguration on the source-side to simplify testing.

Reviewers: Chern Cheah
-
Authored by Confluent Jenkins Bot
-
Authored by Confluent Jenkins Bot
-
Authored by Daniel Gospodinow