Known Issues in Apache Kafka

This topic describes known issues, unsupported features and limitations for using Kafka in this release of Cloudera Runtime.

Known Issues

Topics created with the kafka-topics tool are only accessible by the user who created them when the deprecated --zookeeper option is used

By default all created topics are secured. However, when topic creation and deletion is done with the kafka-topics tool using the --zookeeper option, the tool talks directly to Zookeeper. Because security is the responsibility of ZooKeeper authorization and authentication, Kafka cannot prevent users from making ZooKeeper changes. As a result, if the --zookeeper option is used, only the user who created the topic will be able to carry out administrative actions on it. In this scenario Kafka will not have permissions to perform tasks on topics created this way.

Workaround: Use kafka-topics with the --bootstrap-server option that does not require direct access to Zookeeper.
Certain Kafka command line tools require direct access to Zookeeper
The following command line tools talk directly to ZooKeeper and therefore are not secured via Kafka:
  • kafka-configs
  • kafka-reassign-partitions
Workaround:None.
The offsets.topic.replication.factor property must be less than or equal to the number of live brokers

The offsets.topic.replication.factor broker configuration is now enforced upon auto topic creation. Internal auto topic creation will fail with a GROUP_COORDINATOR_NOT_AVAILABLE error until the cluster size meets this replication factor requirement.

Workaround: None.
Requests fail when sending to a nonexistent topic with auto.create.topics.enable set to true

The first few produce requests fail when sending to a nonexistent topic with auto.create.topics.enable set to true.

Workaround: Increase the number of retries in the producer configuration setting retries.
Custom Kerberos principal names cannot be used for kerberized ZooKeeper and Kafka instances

When using ZooKeeper authentication and a custom Kerberos principal, Kerberos-enabled Kafka does not start. You must disable ZooKeeper authentication for Kafka or use the default Kerberos principals for ZooKeeper and Kafka.

Workaround: None.
Performance degradation when SSL Is enabled

In some configuration scenarios, significant performance degradation can occur when SSL is enabled. The impact varies depending on your CPU, JVM version, Kafka configuration, and message size. Consumers are typically more affected than producers.

Workaround: Configure brokers and clients with ssl.secure.random.implementation = SHA1PRNG. It often reduces this degradation drastically, but its effect is CPU and JVM dependent.
Apache JIRA: KAFKA-2561
OPSAPS-43236: Kafka garbage collection logs are written to the process directory

By default Kafka garbage collection logs are written to the agent process directory. Changing the default path for these log files is currently unsupported.

Workaround: None.
CDPD-8546: Repeated ZooKeeper client log trace in Kafka server logs
If the Enable Secure Connection to ZooKeeper property is set to true and the RANGER Service property is configured, both the Kafka Zookeeper client and Ranger Zookeeper client will be configured to connect to Zookeeper via secure channels. However, the Ranger Zookeeper client will try to establish a TLS/SSL connection to an unsecure port (2181). This results in the client repeatedly trying and failing to connect to Zookeeper, which in turn causes the org.apache.zookeeper.Login: TGT refresh thread started. log message as well as other related log messages to repeatedly appear in the Kafka logs.
Workaround:
  1. In Cloudera Manager, select the Kafka service.
  2. Select Configuration and find the Kafka Broker Advanced Configuration Snippet (Safety Valve) for ranger-kafka-audit.xml property.
  3. Add the following to the property:
    name : xasecure.audit.destination.solr.zookeepers
    value: ZOOKEEPER_HOST:SECURE_PORT/solr
    
    Replace ZOOKEEPER_HOST:SECURE_PORT with the hostname and secure port of the ZooKeeper host that Solr depends on.
  4. Enter a Reason for change, and click Save Changes to commit the changes.
  5. Restart the service.
Result: The Ranger Zookeeper client connects to the correct secure port.
OPSAPS-57113: The Kafka Broker Advanced Configuration Snippet (Safety Valve) for ssl.properties does not propagate configurations correctly

If the Kafka Broker Advanced Configuration Snippet (Safety Valve) for ssl.properties property contains configuration that has dollar signs, the configuration is not propagated to Kafka brokers correctly.

Workaround:None.

Unsupported Features

The following Kafka features are not supported in Cloudera Data Platform:
  • Only Java based clients are supported. Clients developed with C, C++, Python, .NET and other languages are currently not supported.
  • The Kafka default authorizer is not supported. This includes setting ACLs and all related APIs, broker functionality, and command-line tools.

Limitations

Collection of Partition Level Metrics May Cause Cloudera Manager’s Performance to Degrade

If the Kafka service operates with a large number of partitions, collection of partition level metrics may cause Cloudera Manager's performance to degrade.

If you are observing performance degradation and your cluster is operating with a high number of partitions, you can choose to disable the collection of partition level metrics.
Complete the following steps to turn off the collection of partition level metrics:
  1. Obtain the Kafka service name:
    1. In Cloudera Manager, Select the Kafka service.
    2. Select any available chart, and select Open in Chart Builder from the configuration icon drop-down.
    3. Find $SERVICENAME= near the top of the display.
      The Kafka service name is the value of $SERVICENAME.
  2. Turn off the collection of partition level metrics:
    1. Go to Hosts > Hosts Configuration.
    2. Find and configure the Cloudera Manager Agent Monitoring Advanced Configuration Snippet (Safety Valve) configuration property.
      Enter the following to turn off the collection of partition level metrics:
      [KAFKA_SERVICE_NAME]_feature_send_broker_topic_partition_entity_update_enabled=false
      
      Replace [KAFKA_SERVICE_NAME] with the service name of Kafka obtained in step 1. The service name should always be in lower case.
    3. Click Save Changes.