v1.1.0
版本发布时间: 2019-07-15 21:38:41
confluentinc/confluent-kafka-go最新发布版本:v2.3.0(2023-10-25 23:55:38)
confluent-kafka-go v1.1.0
- OAUTHBEARER SASL authentication (KIP-255) by Ron Dagostini (@rondagostino) at StateStreet.
- Offset commit metadata (@damour, #353)
- Requires librdkafka v1.1.0 or later
Noteworthy librdkafka v1.1.0 changes
Full librdkafka v1.1.0 release notes.
- SASL OAUTHBEARER support (by @rondagostino at StateStreet)
- In-memory SSL certificates (PEM, DER, PKCS#12) support (by @noahdav at Microsoft)
- Pluggable broker SSL certificate verification callback (by @noahdav at Microsoft)
- Use Windows Root/CA SSL Certificate Store (by @noahdav at Microsoft)
-
ssl.endpoint.identification.algorithm=https(off by default) to validate the broker hostname matches the certificate. Requires OpenSSL >= 1.0.2. - Improved GSSAPI/Kerberos ticket refresh
Upgrade considerations
- Windows SSL users will no longer need to specify a CA certificate file/directory (
ssl.ca.location), librdkafka will load the CA certs by default from the Windows Root Certificate Store. - SSL peer (broker) certificate verification is now enabled by default (disable with
enable.ssl.certificate.verification=false) -
%{broker.name}is no longer supported insasl.kerberos.kinit.cmdsince kinit refresh is no longer executed per broker, but per client instance.
SSL
New configuration properties:
-
ssl.key.pem- client's private key as a string in PEM format -
ssl.certificate.pem- client's public key as a string in PEM format -
enable.ssl.certificate.verification- enable(default)/disable OpenSSL's builtin broker certificate verification. -
enable.ssl.endpoint.identification.algorithm- to verify the broker's hostname with its certificate (disabled by default). - The private key data is now securely cleared from memory after last use.
Enhancements
- Bump
message.timeout.msmax value from 15 minutes to 24 days (@sarkanyi)
Fixes
- SASL GSSAPI/Kerberos: Don't run kinit refresh for each broker, just per client instance.
- SASL GSSAPI/Kerberos: Changed
sasl.kerberos.kinit.cmdto first attempt ticket refresh, then acquire. - SASL: Proper locking on broker name acquisition.
- Consumer:
max.poll.interval.msnow correctly handles blocking poll calls, allowing a longer poll timeout than the max poll interval.