Known Issues in Apache Kafka

Known Issues

OPSAPS-59553: SMM's bootstrap server config should be updated based on Kafka's listeners

SMM does not show any metrics for Kafka or Kafka Connect when multiple listeners are set in Kafka.

Workaround: SMM cannot identify multiple listeners and still points to bootstrap server using the default broker port (9093 for SASL_SSL). You would have to override bootstrap server URL (hostname:port as set in the listeners for broker) in the following path:

Cloudera Manager > SMM > Configuration > Streams Messaging Manager Rest Admin Server Advanced Configuration Snippet (Safety Valve) for streams-messaging-manager.yaml > Save Changes > Restart SMM.

Topics created with the kafka-topics tool are only accessible by the user who created them when the deprecated --zookeeper option is used

By default all created topics are secured. However, when topic creation and deletion is done with the kafka-topics tool using the --zookeeper option, the tool talks directly to Zookeeper. Because security is the responsibility of ZooKeeper authorization and authentication, Kafka cannot prevent users from making ZooKeeper changes. As a result, if the --zookeeper option is used, only the user who created the topic will be able to carry out administrative actions on it. In this scenario Kafka will not have permissions to perform tasks on topics created this way.

Workaround: Use kafka-topics with the --bootstrap-server option that does not require direct access to Zookeeper.

Certain Kafka command line tools require direct access to Zookeeper

The following command line tools talk directly to ZooKeeper and therefore are not secured via Kafka:

• kafka-configs
• kafka-reassign-partitions

Workaround:None.

The offsets.topic.replication.factor property must be less than or equal to the number of live brokers

The offsets.topic.replication.factor broker configuration is now enforced upon auto topic creation. Internal auto topic creation will fail with a GROUP_COORDINATOR_NOT_AVAILABLE error until the cluster size meets this replication factor requirement.

Workaround: None.

Requests fail when sending to a nonexistent topic with auto.create.topics.enable set to true

The first few produce requests fail when sending to a nonexistent topic with auto.create.topics.enable set to true.

Workaround: Increase the number of retries in the producer configuration setting retries.

Custom Kerberos principal names cannot be used for kerberized ZooKeeper and Kafka instances

When using ZooKeeper authentication and a custom Kerberos principal, Kerberos-enabled Kafka does not start. You must disable ZooKeeper authentication for Kafka or use the default Kerberos principals for ZooKeeper and Kafka.

Workaround: None.

Performance degradation when SSL Is enabled

In some configuration scenarios, significant performance degradation can occur when SSL is enabled. The impact varies depending on your CPU, JVM version, Kafka configuration, and message size. Consumers are typically more affected than producers.

Workaround: Configure brokers and clients with ssl.secure.random.implementation = SHA1PRNG. It often reduces this degradation drastically, but its effect is CPU and JVM dependent.

Apache JIRA: KAFKA-2561

OPSAPS-43236: Kafka garbage collection logs are written to the process directory

By default Kafka garbage collection logs are written to the agent process directory. Changing the default path for these log files is currently unsupported.

Workaround: None.

OPSAPS-57113: The Kafka Broker Advanced Configuration Snippet (Safety Valve) for ssl.properties does not propagate configurations correctly

If the Kafka Broker Advanced Configuration Snippet (Safety Valve) for ssl.properties property contains configuration that has dollar signs, the configuration is not propagated to Kafka brokers correctly.

Workaround: None.

OPSAPS-59031: Kafka cannot start if configuration is added to the Kafka Broker Advanced Configuration Snippet (Safety Valve) for ssl.properties

The Kafka Broker Advanced Configuration Snippet (Safety Valve) for ssl.properties configuration snippet does not correctly override configuration. As a result, Kafka may not start if TLS/SSL related configuration overrides are added to the this configuration snippet.

Workaround:Use the Kafka Broker Advanced Configuration Snippet (Safety Valve) for kafka.properties configuration snippet instead to override SSL related properties.

OPSAPS-57907: The Kafka metric collector adapter generates high CPU load

If a large number of topic partitions are created on a cluster, the Cloudera Manager Agent can generate a high CPU load. This is caused by the Kafka metric collector adapter carrying out excessive regex matching.

Workaround: None.

CDPD-11775: Kafka Connect does not start due to occupied ports

By default the Kafka Connect role binds to ports that are in the ephemeral range. As many other services can use port 0 and can bind to any port in the ephemeral range, it can happen that the default Kafka Connect ports become occupied. In a case like this, the Kafka Connect role will not start.

Workaround: Configure the Kafka Connect rest port, Kafka Connect secure rest port, and Jetty Metrics port to expose JMX Json Kafka properties in Cloudera Manager. Cloudera recommends that you use the following ports:

• Kafka Connect rest port: 28083
• Kafka Connect secure rest port: 28085
• Jetty Metrics port to expose JMX Json: 28084

Additionally, if you are using SMM to monitor Kafka Connect, you must also configure the Kafka Connect Rest Port Streams Messaging Manager property. The port configured in this property must match the port configured for the Kafka Connect role.

Kafka Connect fails to communicate with secured Schema Registry

Kafka Connect connectors establish a connection with a Schema Registry server if they are configured to use the AvroConverter. If the Schema Registry server is Kerberos enabled, a valid JAAS configuration is required to establish a connection with the server. The JAAS configuration is specified with the *.converter.sasl.jaas.config connector property. However, due to an underlying issue in Schema Registry, this is not possible. As a result, connectors might fail to connect to Kerberos enabled Schema Registry servers.

Workaround: Manually create a JAAS configuration that includes a valid RegistryClient entry and add it to the KAFKA_OPTS environment variable.

1. Create a copy of the Kafka Connect principal keytab and deploy it on the host. For example:

   /etc/kafka/conf/kafka-connect.keytab

2. Create a JAAS configuration file containing a RegistryClient entry. For example:

   RegistryClient {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    useKeyTab=true
    useTicketCache=false
    storeKey=true
    keyTab="/etc/kafka/conf/kafka-connect.keytab"
    principal="kafka/host1.cloudera.example.com@CLOUDERA.EXAMPLE.COM";
   };

   Ensure that you replace the value of keyTab with the full path to the copy of the keytab file you created in Step 1.
3. Ensure that both the keytab and the JAAS file are accessible by the Kafka Connect process user.
4. In Cloudera Manager, go to Kafka > Configuration and find the Kafka Connect Environment Advanced Configuration Snippet (Safety Valve) property.
5. Add the following property to the advanced configuration snippet.

   Key: KAFKA_OPTS
   Value: -Djava.security.auth.login.config=/etc/kafka/conf/kafka-connect-jaas.conf
   

   Ensure that you replace the value of -Djava.security.auth.login.config with the full path to the JAAS file you created in Step 2. In this example, the JAAS file is called kafka-connect-jaas.conf and is located in /etc/kafka/conf/.

6. Click Save Changes.
7. Restart the Kafka Connect roles.

Unsupported Features

The following Kafka features are not supported in Cloudera Data Platform:

• Only Java based clients are supported. Clients developed with C, C++, Python, .NET and other languages are currently not supported.
• The Kafka default authorizer is not supported. This includes setting ACLs and all related APIs, broker functionality, and command-line tools.

Limitations