Confluent Kafka Golang Client v1.1.0 Release Notes

Release Date: 2019-07-15
  • confluent-kafka-go v1.1.0

    • OAUTHBEARER SASL authentication (KIP-255) by Ron Dagostini (@rondagostino) at StateStreet.
    • Offset commit metadata (@damour, #353)
    • Requires librdkafka v1.1.0 or later

    Noteworthy librdkafka v1.1.0 changes

    Full librdkafka v1.1.0 release notes.

    • SASL OAUTHBEARER support (by @rondagostino at StateStreet)
    • In-memory SSL certificates (PEM, DER, PKCS#12) support (by @noahdav at Microsoft)
    • Pluggable broker SSL certificate verification callback (by @noahdav at Microsoft)
    • Use Windows Root/CA SSL Certificate Store (by @noahdav at Microsoft)
    • ssl.endpoint.identification.algorithm=https (off by default) to validate the broker hostname matches the certificate. Requires OpenSSL >= 1.0.2.
    • Improved GSSAPI/Kerberos ticket refresh

    โฌ†๏ธ Upgrade considerations

    • ๐Ÿ Windows SSL users will no longer need to specify a CA certificate file/directory (ssl.ca.location), librdkafka will load the CA certs by default from the Windows Root Certificate Store.
    • 0๏ธโƒฃ SSL peer (broker) certificate verification is now enabled by default (disable with enable.ssl.certificate.verification=false)
    • ๐Ÿ‘ %{broker.name} is no longer supported in sasl.kerberos.kinit.cmd since kinit refresh is no longer executed per broker, but per client instance.

    SSL

    New configuration properties:

    • ssl.key.pem - client's private key as a string in PEM format
    • ssl.certificate.pem - client's public key as a string in PEM format
    • 0๏ธโƒฃ enable.ssl.certificate.verification - enable(default)/disable OpenSSL's builtin broker certificate verification.
    • 0๏ธโƒฃ enable.ssl.endpoint.identification.algorithm - to verify the broker's hostname with its certificate (disabled by default).
    • The private key data is now securely cleared from memory after last use.
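
    An added example (not part of the release notes or of confluent-kafka-go): a standard-library-only Go check that audits a property map, shaped like the client's ConfigMap, against the SSL and Kerberos changes listed above. The helper name AuditTLS and the sample configuration are constructed for illustration; security.protocol is a librdkafka property that this page does not mention.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditTLS is a hypothetical helper (not a confluent-kafka-go API). It reviews a
// librdkafka property map against the v1.1.0 behaviour and returns the findings.
func AuditTLS(cfg map[string]interface{}) []string {
	get := func(key, def string) string {
		if v, ok := cfg[key]; ok {
			return strings.ToLower(strings.TrimSpace(fmt.Sprint(v)))
		}
		return def
	}
	var findings []string
	proto := get("security.protocol", "plaintext")
	if proto == "ssl" || proto == "sasl_ssl" {
		// Verification is on by default since v1.1.0; flag an explicit opt-out.
		if get("enable.ssl.certificate.verification", "true") == "false" {
			findings = append(findings, "enable.ssl.certificate.verification=false: broker certificate is not verified")
		}
		// Hostname validation is off by default and has to be enabled explicitly.
		if get("ssl.endpoint.identification.algorithm", "none") != "https" {
			findings = append(findings, "ssl.endpoint.identification.algorithm is not https: broker hostname is not checked against the certificate")
		}
	} else {
		findings = append(findings, "security.protocol="+proto+": connection does not use TLS, so no broker certificate is checked")
	}
	// %{broker.name} is no longer supported now that kinit runs per client instance.
	if strings.Contains(get("sasl.kerberos.kinit.cmd", ""), "%{broker.name}") {
		findings = append(findings, "sasl.kerberos.kinit.cmd uses %{broker.name}, which is no longer supported")
	}
	return findings
}

func main() {
	// Constructed sample configuration, as might be carried over from an older deployment.
	legacy := map[string]interface{}{
		"security.protocol":                   "SASL_SSL",
		"enable.ssl.certificate.verification": false,
		"sasl.kerberos.kinit.cmd":             "kinit -k -t /etc/krb5.keytab kafka/%{broker.name}",
	}
	for _, f := range AuditTLS(legacy) {
		fmt.Println("FINDING:", f)
	}
}
```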

    Enhancements

    • Bump message.timeout.ms max value from 15 minutes to 24 days (@sarkanyi)

    Fixes

    • SASL GSSAPI/Kerberos: Don't run kinit refresh for each broker, just per client instance.
    • SASL GSSAPI/Kerberos: Changed sasl.kerberos.kinit.cmd to first attempt ticket refresh, then acquire.
    • SASL: Proper locking on broker name acquisition.
    • Consumer: max.poll.interval.ms now correctly handles blocking poll calls, allowing a longer poll timeout than the max poll interval.