Known Issues in Apache Kafka

Learn about the known issues in Kafka, the impact or changes to the functionality, and the workaround.

Known Issues

OPSAPS-59553: SMM's bootstrap server config should be updated based on Kafka's listeners

SMM does not show any metrics for Kafka or Kafka Connect when multiple listeners are set in Kafka.

Workaround: SMM cannot identify multiple listeners and still points to bootstrap server using the default broker port (9093 for SASL_SSL). You would have to override bootstrap server URL (hostname:port as set in the listeners for broker) in the following path:

Cloudera Manager > SMM > Configuration > Streams Messaging Manager Rest Admin Server Advanced Configuration Snippet (Safety Valve) for streams-messaging-manager.yaml > Save Changes > Restart SMM.

Topics created with the kafka-topics tool are only accessible by the user who created them when the deprecated --zookeeper option is used
By default all created topics are secured. However, when topic creation and deletion is done with the kafka-topics tool using the --zookeeper option, the tool talks directly to Zookeeper. Because security is the responsibility of ZooKeeper authorization and authentication, Kafka cannot prevent users from making ZooKeeper changes. As a result, if the --zookeeper option is used, only the user who created the topic will be able to carry out administrative actions on it. In this scenario Kafka will not have permissions to perform tasks on topics created this way.
Use kafka-topics with the --bootstrap-server option that does not require direct access to Zookeeper.
Certain Kafka command line tools require direct access to Zookeeper
The following command line tools talk directly to ZooKeeper and therefore are not secured via Kafka:
  • kafka-reassign-partitions
None
The offsets.topic.replication.factor property must be less than or equal to the number of live brokers
The offsets.topic.replication.factor broker configuration is now enforced upon auto topic creation. Internal auto topic creation will fail with a GROUP_COORDINATOR_NOT_AVAILABLE error until the cluster size meets this replication factor requirement.
None
Requests fail when sending to a nonexistent topic with auto.create.topics.enable set to true
The first few produce requests fail when sending to a nonexistent topic with auto.create.topics.enable set to true.
Increase the number of retries in the producer configuration setting retries.
Custom Kerberos principal names cannot be used for kerberized ZooKeeper and Kafka instances
When using ZooKeeper authentication and a custom Kerberos principal, Kerberos-enabled Kafka does not start. You must disable ZooKeeper authentication for Kafka or use the default Kerberos principals for ZooKeeper and Kafka.
None
KAFKA-2561: Performance degradation when SSL Is enabled
In some configuration scenarios, significant performance degradation can occur when SSL is enabled. The impact varies depending on your CPU, JVM version, Kafka configuration, and message size. Consumers are typically more affected than producers.
Configure brokers and clients with ssl.secure.random.implementation = SHA1PRNG. It often reduces this degradation drastically, but its effect is CPU and JVM dependent.
OPSAPS-43236: Kafka garbage collection logs are written to the process directory
By default Kafka garbage collection logs are written to the agent process directory. Changing the default path for these log files is currently unsupported.
None
OPSAPS-59031: Kafka cannot start if configuration is added to the Kafka Broker Advanced Configuration Snippet (Safety Valve) for ssl.properties
The Kafka Broker Advanced Configuration Snippet (Safety Valve) for ssl.properties configuration snippet does not correctly override configuration. As a result, Kafka may not start if TLS/SSL related configuration overrides are added to the this configuration snippet.
Use the Kafka Broker Advanced Configuration Snippet (Safety Valve) for kafka.properties configuration snippet instead to override SSL related properties.
OPSAPS-59032: Obsolete TLS protocols are enabled by default
TLS v1.0 and v1.1 are considered insecure and obsolete. Therefore, these protocols are disabled by default in Kafka 2.5. However for Cloudera Manager managed Kafka, these protocols are still enabled by default.
Add the following configuration to Kafka Broker Advanced Configuration Snippet (Safety Valve) for kafka.properties. This overrides the default and forces TLS v1.2 to be used.
ssl.protocol=TLSv1.2
sl.enabled.protocols=TLSv1.2
OPSAPS-59124: Kafka, SMM, and SRM fail to start when there are multiple Ranger Admin roles running
If there are multiple Ranger Admin roles configured in a cluster, Kafka cannot create the Kafka resource based services in Ranger, which are required for authorization. If the resource based services are missing, the Kafka, SMM, and SRM services will fail to start.
  1. In Cloudera Manager, select the Kafka service.
  2. Go to Configuration.
  3. Find the Kafka Broker Environment Advanced Configuration Snippet (Safety Valve) property and add the following:
    RANGER_REST_URL=[***RANGER ADMIN HOST***]:[***RANGER ADMIN PORT***]
    • Replace [***RANGER ADMIN HOST***] with the hostname where a Ranger Admin service role is deployed. You can find the hostname by going to Ranger > Instances. The hostname is displayed in the Hostname column next to Ranger Admin. Choose one of the available Ranger Admin instances.
    • Replace [***RANGER ADMIN PORT***] with the port used by the Ranger Admin service role. The port is specified in the Admin HTTP Port or Admin HTTPS port Ranger property. Which port is used depends on whether SSL is enabled for Ranger Admin.
  4. Click Save Changes.
  5. Restart Kafka.
  6. Restart SMM and SRM.

Unsupported Features

The following Kafka features are not supported in Cloudera Data Platform:
  • Only Java and .Net based clients are supported. Clients developed with C, C++, Python, and other languages are currently not supported.
  • While Kafka Connect is available as part of Runtime, it is currently not supported in CDP Public Cloud. NiFi is a proven solution for batch and real time data loading that complement Kafka's message broker capability. For more information, see Creating your first Flow Management cluster.
  • The Kafka default authorizer is not supported. This includes setting ACLs and all related APIs, broker functionality, and command-line tools.

Limitations

Collection of Partition Level Metrics May Cause Cloudera Manager’s Performance to Degrade

If the Kafka service operates with a large number of partitions, collection of partition level metrics may cause Cloudera Manager's performance to degrade.

If you are observing performance degradation and your cluster is operating with a high number of partitions, you can choose to disable the collection of partition level metrics.
Complete the following steps to turn off the collection of partition level metrics:
  1. Obtain the Kafka service name:
    1. In Cloudera Manager, Select the Kafka service.
    2. Select any available chart, and select Open in Chart Builder from the configuration icon drop-down.
    3. Find $SERVICENAME= near the top of the display.
      The Kafka service name is the value of $SERVICENAME.
  2. Turn off the collection of partition level metrics:
    1. Go to Hosts > Hosts Configuration.
    2. Find and configure the Cloudera Manager Agent Monitoring Advanced Configuration Snippet (Safety Valve) configuration property.
      Enter the following to turn off the collection of partition level metrics:
      [KAFKA_SERVICE_NAME]_feature_send_broker_topic_partition_entity_update_enabled=false
      
      Replace [KAFKA_SERVICE_NAME] with the service name of Kafka obtained in step 1. The service name should always be in lower case.
    3. Click Save Changes.