librdkafka v2.0.0 is a feature release:
- KIP-88 OffsetFetch Protocol Update (#3995).
- KIP-222 Add Consumer Group operations to Admin API (started by @lesterfan, #3995).
- KIP-518 Allow listing consumer groups per state (#3995).
- KIP-396 Partially implemented: support for AlterConsumerGroupOffsets
  (started by @lesterfan, #3995).
- OpenSSL 3.0.x support - the maximum bundled OpenSSL version is now 3.0.7 (previously 1.1.1q).
- Fixes to the transactional and idempotent producer.
Upgrade considerations
OpenSSL 3.0.x
OpenSSL default ciphers
The introduction of OpenSSL 3.0.x in the self-contained librdkafka bundles
changes the default set of available ciphers, in particular all obsolete
or insecure ciphers and algorithms as listed in the OpenSSL legacy
manual page are now disabled by default.
WARNING: These ciphers are disabled for security reasons and it is
highly recommended NOT to use them.
Should you need to use any of these old ciphers you'll need to explicitly
enable the legacy provider by configuring ssl.providers=default,legacy
on the librdkafka client.
OpenSSL engines and providers
OpenSSL 3.0.x deprecates the use of engines, which is being replaced by
providers. As such librdkafka will emit a deprecation warning if
ssl.engine.location is configured.
OpenSSL providers may be configured with the new ssl.providers
configuration property.
Broker TLS certificate hostname verification
The default value for ssl.endpoint.identification.algorithm has been
changed from none (no hostname verification) to https, which enables
broker hostname verification (to counter man-in-the-middle
impersonation attacks) by default.
To restore the previous behaviour, set ssl.endpoint.identification.algorithm
to none.
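The upgrade considerations above can be checked mechanically before rolling out 2.0.0. The following is an added example, not code from the librdkafka project: the function name audit_v2_upgrade and both sample configurations are constructed for illustration, and only the property names come from these notes and the librdkafka configuration reference.

```python
# Added example: audit a librdkafka property map (e.g. the dict passed to a
# language binding) against the v2.0.0 upgrade considerations.
TLS_PROTOCOLS = {"ssl", "sasl_ssl"}
HOSTNAME_PROP = "ssl.endpoint.identification.algorithm"

def audit_v2_upgrade(conf):
    """Return a list of (property, finding) tuples for a config dict."""
    conf = {k.strip(): str(v).strip() for k, v in conf.items()}
    findings = []
    # librdkafka's default security.protocol is plaintext (no TLS).
    uses_tls = conf.get("security.protocol", "plaintext").lower() in TLS_PROTOCOLS

    # Engines are deprecated in OpenSSL 3.0.x; librdkafka warns when this is set.
    if "ssl.engine.location" in conf:
        findings.append(("ssl.engine.location",
                         "deprecated engine; migrate to ssl.providers"))

    # The legacy provider re-enables ciphers that are disabled by default.
    providers = [p.strip().lower()
                 for p in conf.get("ssl.providers", "").split(",") if p.strip()]
    if "legacy" in providers:
        findings.append(("ssl.providers",
                         "legacy provider enables obsolete or insecure ciphers"))

    if uses_tls:
        algo = conf.get(HOSTNAME_PROP)
        if algo is None:
            # Behaviour change: unset used to mean none, now means https.
            findings.append((HOSTNAME_PROP,
                             "unset; default is now https, so broker "
                             "certificates must match broker hostnames"))
        elif algo.lower() == "none":
            findings.append((HOSTNAME_PROP,
                             "hostname verification explicitly disabled"))
    return findings

# Constructed sample: a pre-2.0.0 style client carried over unchanged.
LEGACY_CONF = {
    "bootstrap.servers": "broker1.example.internal:9093",
    "security.protocol": "ssl",
    "ssl.engine.location": "/opt/example/engine.so",
    "ssl.providers": "default,legacy",
    HOSTNAME_PROP: "none",
}
# Constructed sample: the same client adjusted for 2.0.0 defaults.
HARDENED_CONF = {
    "bootstrap.servers": "broker1.example.internal:9093",
    "security.protocol": "ssl",
    "ssl.ca.location": "/etc/ssl/certs/example-ca.pem",
    HOSTNAME_PROP: "https",
}
```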
Known Issues
Poor Consumer batch API messaging guarantees
The Consumer Batch APIs rd_kafka_consume_batch() and
rd_kafka_consume_batch_queue() are not thread safe if rkmessages_size
is greater than 1 and any of the seek, pause, resume or rebalancing
operations is performed in parallel with any of the above APIs. Some of the
messages might be lost, or erroneously returned to the application, in the
above scenario.
It is strongly recommended to use the Consumer Batch APIs and the mentioned
operations in sequential order in order to get consistent results.
For the rebalancing operation to work in a sequential manner, please set the
rebalance_cb configuration property (refer to
[examples/rdkafka_complex_consumer_example.c](examples/rdkafka_complex_consumer_example.c)
for help with the usage) for the consumer.
Enhancements
- Self-contained static libraries can now be built on Linux arm64 (#4005).
- Updated to zlib 1.2.13, zstd 1.5.2, and curl 7.86.0 in self-contained
  librdkafka bundles.
- Added on_broker_state_change() interceptor.
- The C++ API no longer returns strings by const value, which enables better move optimization in callers.
- Added rd_kafka_sasl_set_credentials() API to update SASL credentials.
- Setting allow.auto.create.topics will no longer give a warning if used by a
  producer, since that is an expected use case.
  Improvement in documentation for this property.
- Added a resolve_cb configuration setting that permits using custom DNS resolution logic.
- Added rd_kafka_mock_broker_error_stack_cnt().
- The librdkafka.redist NuGet package has been updated to have fewer external
  dependencies for its bundled librdkafka builds, as everything but cyrus-sasl
  is now built-in. There are bundled builds with and without linking to
  cyrus-sasl for maximum compatibility.
- Admin API DescribeGroups() now provides the group instance id
  for static members KIP-345 (#3995).
Fixes
General fixes
- Windows: couldn't read a PKCS#12 keystore correctly because binary mode
  wasn't explicitly set and Windows defaults to text mode.
- Fixed memory leak when loading SSL certificates (@Mekk, #3930)
- Load all CA certificates from ssl.ca.pem, not just the first one.
- Each HTTP request made when using OAUTHBEARER OIDC would leak a small
  amount of memory.
Transactional producer fixes
- When a PID epoch bump is requested and the producer is waiting
  to reconnect to the transaction coordinator, a failure in a find coordinator
  request could cause an assert to fail. This is fixed by retrying when the
  coordinator is known (#4020).
- Transactional APIs (except send_offsets_for_transaction()) that
  time out due to low timeout_ms may now be resumed by calling the same API
  again, as the operation continues in the background.
- For fatal idempotent producer errors that may be recovered by bumping the
  epoch the current transaction must first be aborted prior to the epoch bump.
  This is now handled correctly, which fixes issues seen with fenced
  transactional producers on fatal idempotency errors.
- Timeouts for EndTxn requests (transaction commits and aborts) are now
  automatically retried and the error raised to the application is also
  a retriable error.
- TxnOffsetCommitRequests were retried immediately upon temporary errors in
  send_offsets_to_transactions(), causing excessive network requests.
  These retries are now delayed 500ms.
- If init_transactions() is called with an infinite timeout (-1),
  the timeout will be limited to 2 * transaction.timeout.ms.
  The application may retry and resume the call if a retriable error is
  returned.
Consumer fixes
- Back-off and retry JoinGroup request if coordinator load is in progress.
- Fix rd_kafka_consume_batch() and rd_kafka_consume_batch_queue() skipping
  other partitions' offsets intermittently when seek, pause, resume
  or rebalancing is used for a partition.
- Fix rd_kafka_consume_batch() and rd_kafka_consume_batch_queue()
  intermittently returning incorrect partitions' messages if rebalancing
  happens during these operations.
Checksums
Release asset checksums:
- v2.0.0.zip SHA256 9d8a8be30ed09daf6c560f402e91db22fcaea11cac18a0d3c0afdbf884df1d4e
- v2.0.0.tar.gz SHA256 f75de3545b3c6cc027306e2df0371aefe1bb8f86d4ec612ed4ebf7bfb2f817cd