Known Issues in Apache Kafka

Learn about the known issues in Apache Kafka, the impact or changes to the functionality, and the workaround.

Known Issues

OPSAPS-59553: SMM's bootstrap server config should be updated based on Kafka's listeners: SMM does not show any metrics for Kafka or Kafka Connect when multiple listeners are set in Kafka.; Workaround: SMM cannot identify multiple listeners and still points to bootstrap server using the default broker port (9093 for SASL_SSL). You would have to override bootstrap server URL (hostname:port as set in the listeners for broker) in the following path:
Cloudera Manager > SMM > Configuration > Streams Messaging Manager Rest Admin Server Advanced Configuration Snippet (Safety Valve) for streams-messaging-manager.yaml > Save Changes > Restart SMM.
Topics created with the kafka-topics tool are only accessible by the user who created them when the deprecated --zookeeper option is used: By default all created topics are secured. However, when topic creation and deletion is done with the kafka-topics tool using the --zookeeperoption, the tool talks directly to Zookeeper. Because security is the responsibility of ZooKeeper authorization and authentication, Kafka cannot prevent users from making ZooKeeper changes. As a result, if the --zookeeper option is used, only the user who created the topic will be able to carry out administrative actions on it. In this scenario Kafka will not have permissions to perform tasks on topics created this way.; Use kafka-topics with the --bootstrap-server option that does not require direct access to Zookeeper.
Certain Kafka command line tools require direct access to Zookeeper: The following command line tools talk directly to ZooKeeper and therefore are not secured via Kafka:

kafka-reassign-partitions; None
The offsets.topic.replication.factor property must be less than or equal to the number of live brokers: The offsets.topic.replication.factor broker configuration is now enforced upon auto topic creation. Internal auto topic creation will fail with a GROUP_COORDINATOR_NOT_AVAILABLE error until the cluster size meets this replication factor requirement.; None
Requests fail when sending to a nonexistent topic with auto.create.topics.enable set to true: The first few produce requests fail when sending to a nonexistent topic with auto.create.topics.enable set to true.; Increase the number of retries in the producer configuration setting retries.
KAFKA-2561: Performance degradation when SSL Is enabled: In some configuration scenarios, significant performance degradation can occur when SSL is enabled. The impact varies depending on your CPU, JVM version, Kafka configuration, and message size. Consumers are typically more affected than producers.; Configure brokers and clients with ssl.secure.random.implementation = SHA1PRNG. It often reduces this degradation drastically, but its effect is CPU and JVM dependent.
OPSAPS-43236: Kafka garbage collection logs are written to the process directory: By default Kafka garbage collection logs are written to the agent process directory. Changing the default path for these log files is currently unsupported.; None
OPSAPS-63640: Monitoring a high number of Kafka producers might cause Cloudera Manager to slow down and run out of memory: This issue has two workarounds. You can either configure a Kafka producer metric allow list or completely disable producer metrics.

Configure a Kafka producer metric allow list:
A producer metric allow list can be configured by adding the following properties to Kafka Broker Advanced Configuration Snippet (Safety Valve) for kafka.properties.
producer.metrics.whitelist.enabled=true producer.metrics.whitelist=[***ALLOW LIST REGEX***]
Replace [***ALLOW LIST REGEX***] with a regular expression matching the client.id of the producers that you want to add to the allow list. This regular expression uses the java.util.regex.Pattern class to compile the regular expression, and uses the match() method on the client.id to determine whether it fits the regular expression.
Once configured, the metrics of producers whose client.id does not match the regular expression provided in producer.metrics.whitelist are filtered.Kafka no longer reports these metrics through the HTTP metrics endpoint. Additionally, existing metrics of the producers whose client.id does not match the regular expression are deleted.
Because the allow list filters metrics based on the client.id of the producers, you must ensure that the client.id property is specified in each producer's configuration. Automatically generated client IDs might cause the number of unnecessary metrics to increase even if an allow list is configured.

Completely disable producer metrics:
Producer metrics can be completely disabled by unchecking the Enable Producer Metrics Kafka service property.
CDPD-39354: Kafka Connect connectors and tasks fail to start: Kafka Connect initializes the Secrets Storage late, causing some connectors and tasks to fail at startup. This is a timing issue, and does not occur deterministically.; Restart the failed connectors and tasks manually, or do not use the Secrets Storage feature in the configurations.
CDPD-45183: Kafka Connect active topics might be visible to unauthorised users: The Kafka Connect active topics endpoint (/connectors/[***CONNECTOR NAME***]/topics) and the Connect Cluster page on the SMM UI disregard the user permissions configured for the Kafka service in Ranger. As a result, all active topics of connectors might become visible to users who do not have permissions to view them. Note that user permission configured for Kafka Connect in Ranger are not affected by this issue and are correctly applied.; None.
CDPD-29307: Kafka producer entity stays in incomplete state in Atlas: Atlas creates incomplete Kafka client entities that are postfixed with the metadata namespace.; None
CDPD-45958: Kafka client JAAS override policy validation is incorrect: The JAAS override filter policy refuses configurations if the configuration contains an unknown field instead of only refusing based on known fields with invalid values.; None
CDPD-48822: AvroConverter ignores default values when converting from Avro to Connect schema: AvroConverter does not propagate field default values when converting Avro schemas to Connect schemas.; None

Unsupported Features

The following Kafka features are not supported in Cloudera Data Platform:

Only Java and .Net based clients are supported. Clients developed with C, C++, Python, and other languages are currently not supported.
The Kafka default authorizer is not supported. This includes setting ACLs and all related APIs, broker functionality, and command-line tools.
SASL/SCRAM is only supported for delegation token based authentication. It is not supported as a standalone authentication mechanism.
The Cloudera AvroConverter (com.cloudera.dim.kafka.connect.converts.AvroConverter) is not supported with the Debezium Kafka Connect connectors shipped in Cloudera Runtime.

Limitations

Collection of Partition Level Metrics May Cause Cloudera Manager’s Performance to Degrade: If the Kafka service operates with a large number of partitions, collection of partition level metrics may cause Cloudera Manager's performance to degrade.

If you are observing performance degradation and your cluster is operating with a high number of partitions, you can choose to disable the collection of partition level metrics.
important
If you are using SMM to monitor Kafka or Cruise Control for rebalancing Kafka partitions, be aware that both SMM and Cruise Control rely on partition level metrics. If partition level metric collection is disabled, SMM will not be able to display information about partitions. In addition, Cruise Control will not operate properly.

Complete the following steps to turn off the collection of partition level metrics:

Obtain the Kafka service name:

In Cloudera Manager, Select the Kafka service.

Select any available chart, and select Open in Chart Builder from the configuration icon drop-down.

Find $SERVICENAME= near the top of the display.
The Kafka service name is the value of $SERVICENAME.

Turn off the collection of partition level metrics:

Go to Hosts > Hosts Configuration.

Find and configure the Cloudera Manager Agent Monitoring Advanced Configuration Snippet (Safety Valve) configuration property.
Enter the following to turn off the collection of partition level metrics:
[KAFKA_SERVICE_NAME]_feature_send_broker_topic_partition_entity_update_enabled=false
Replace [KAFKA_SERVICE_NAME] with the service name of Kafka obtained in step 1. The service name should always be in lower case.

Click Save Changes.

Technical Service Bulletins

TSB 2022-614: Kafka policy "user auto-creation" does not work in Ranger in CDP Public Cloud 7.2.15

Creating a completely new Cloudera Data Platform (CDP) Public Cloud 7.2.15 Streams Messaging Light Duty Data Hub cluster fails after the Data Lake upgrade to 7.2.15. Note that the Data Hub cluster is created, but it looks unusable because of the lack of permissions.

New user principals are added to Apache Kafka (Kafka) policies (cc_metric_reporter and kafka_mirror_maker) in CDP Public Cloud version 7.2.14 as part of new features. Whenever a new Data Hub cluster is installed, its Kafka service is started for the first time, it will try to create all the default Kafka related policies automatically. If any of the users referred to in the policies does not exist in Apache Ranger (Ranger), it will refuse creating any of the policies in CDP Public Cloud version 7.2.15 for the new Data Hub cluster and the cluster will look unusable.

This is because from CDP Public Cloud 7.2.15 onwards, Ranger only lets administrators create new users. Automatic user creation works in CDP Public Cloud 7.2.14, so the affected customers will depend on which versions of Streams Messaging Data Hub clusters and Data Lakes they used earlier and how they used them.

Knowledge article

For the latest update on this issue see the corresponding Knowledge article: TSB 2022-614: Kafka policy "user auto-creation" does not work in Ranger in CDP Public Cloud 7.2.15