Support TLS protocol in kafka-producer-performance #1538

Merged (1 commit) on Nov 14, 2019

slaunay commented Nov 13, 2019

Feature

Support TLS security protocol in the kafka-producer-performance tool.

Changes

  • add security-protocol flag with PLAINTEXT default for backward compatibility
  • add tls-ca-certs, tls-client-cert and tls-client-key flags to configure broker and client mutual authentication
  • add verbose flag to turn on logging
  • use outgoing-byte-rate metric to get real throughput

Testing done

Working scenario:

$ ./kafka-producer-performance \
  -brokers kafka:9093 \
  -security-protocol SSL \
  -tls-ca-certs /path/to/ca-cert.pem \
  -tls-client-cert /path/to/cert.pem \
  -tls-client-key /path/to/key.pem \
  -topic topic \
  -message-load 2000000 \
  -message-size 1000 \
  -version 1.1.0
61164 records sent, 292280.2 records/sec (278.74 MiB/sec ingress, 0.00 MiB/sec egress), 74.3 ms avg latency, 3.4 ms stddev, 74.0 ms 50th, 77.8 ms 75th, 80.0 ms 95th, 80.0 ms 99th, 80.0 ms 99.9th
1124754 records sent, 215897.9 records/sec (205.90 MiB/sec ingress, 54.60 MiB/sec egress), 205.4 ms avg latency, 139.6 ms stddev, 187.0 ms 50th, 228.5 ms 75th, 408.7 ms 95th, 841.8 ms 99th, 844.0 ms 99.9th
2000000 records sent, 204220.0 records/sec (194.76 MiB/sec ingress, 79.11 MiB/sec egress), 187.3 ms avg latency, 112.3 ms stddev, 181.5 ms 50th, 232.0 ms 75th, 318.4 ms 95th, 822.1 ms 99th, 844.0 ms 99.9th

Invalid security protocol:

$ ./kafka-producer-performance \
  -brokers kafka:9092 \
  -security-protocol UNKNOWN \
  -topic topic \
  -message-load 10 \
  -message-size 1000
ERROR: -security-protocol "UNKNOWN" is not supported

Available command line options:
  -brokers string
...

Failed authentication of broker because the broker certificate is signed by a private CA (not found in host's root CA set):

$ ./kafka-producer-performance \
  -brokers kafka:9093 \
  -security-protocol SSL \
  -topic topic \
  -message-load 10 \
  -message-size 1000 \
  -verbose
2019/11/13 22:54:33 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:54:33 Initializing new client
2019/11/13 22:54:33 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:54:33 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:54:33 client/metadata fetching metadata for all topics from broker broker:9093
2019/11/13 22:54:33 Failed to connect to broker broker:9093: x509: certificate signed by unknown authority
2019/11/13 22:54:33 client/metadata got error from broker -1 while fetching metadata: x509: certificate signed by unknown authority
2019/11/13 22:54:33 client/metadata no available broker to send metadata request to
2019/11/13 22:54:33 client/brokers resurrecting 1 dead seed brokers
2019/11/13 22:54:33 client/metadata retrying after 250ms... (3 attempts remaining)
2019/11/13 22:54:34 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:54:34 client/metadata fetching metadata for all topics from broker broker:9093
2019/11/13 22:54:34 Failed to connect to broker broker:9093: x509: certificate signed by unknown authority
2019/11/13 22:54:34 client/metadata got error from broker -1 while fetching metadata: x509: certificate signed by unknown authority
2019/11/13 22:54:34 client/metadata no available broker to send metadata request to
2019/11/13 22:54:34 client/brokers resurrecting 1 dead seed brokers
2019/11/13 22:54:34 client/metadata retrying after 250ms... (2 attempts remaining)
2019/11/13 22:54:34 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:54:34 client/metadata fetching metadata for all topics from broker broker:9093
2019/11/13 22:54:34 Failed to connect to broker broker:9093: x509: certificate signed by unknown authority
2019/11/13 22:54:34 client/metadata got error from broker -1 while fetching metadata: x509: certificate signed by unknown authority
2019/11/13 22:54:34 client/metadata no available broker to send metadata request to
2019/11/13 22:54:34 client/brokers resurrecting 1 dead seed brokers
2019/11/13 22:54:34 client/metadata retrying after 250ms... (1 attempts remaining)
2019/11/13 22:54:34 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:54:34 client/metadata fetching metadata for all topics from broker broker:9093
2019/11/13 22:54:35 Failed to connect to broker broker:9093: x509: certificate signed by unknown authority
2019/11/13 22:54:35 client/metadata got error from broker -1 while fetching metadata: x509: certificate signed by unknown authority
2019/11/13 22:54:35 client/metadata no available broker to send metadata request to
2019/11/13 22:54:35 client/brokers resurrecting 1 dead seed brokers
2019/11/13 22:54:35 Closing Client
ERROR: Failed to create producer: kafka: client has run out of available brokers to talk to (Is your cluster reachable?)

Failed authentication of the client because the client certificate is required and was not provided:

$ ./kafka-producer-performance \
  -brokers broker-01:9093 \
  -security-protocol SSL \
  -tls-ca-certs /path/to/ca-cert.pem \
  -topic topic \
  -message-load 10 \
  -message-size 1000 \
  -verbose
2019/11/13 22:58:29 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:58:29 Initializing new client
2019/11/13 22:58:29 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:58:29 ClientID is the default of 'sarama', you should consider setting it to something application-specific.
2019/11/13 22:58:29 client/metadata fetching metadata for all topics from broker broker-01:9093
2019/11/13 22:58:29 Connected to broker at broker-01:9093 (unregistered)
2019/11/13 22:58:29 client/brokers registered new broker #1001 at broker-01:9093
2019/11/13 22:58:29 client/brokers registered new broker #1004 at broker-04:9093
2019/11/13 22:58:29 client/brokers registered new broker #1003 at broker-03:9093
2019/11/13 22:58:29 client/brokers registered new broker #1005 at broker-05:9093
2019/11/13 22:58:29 client/brokers registered new broker #1002 at broker-02:9093
2019/11/13 22:58:29 Successfully initialized new client
2019/11/13 22:58:29 client/metadata fetching metadata for [topic] from broker broker-01:9093
2019/11/13 22:58:29 client/metadata fetching metadata for [topic] from broker broker-01:9093
ERROR: kafka: Failed to produce message to topic topic: kafka server: The client is not authorized to access this topic.

- add security-protocol flag with PLAINTEXT default
- add tls-ca-certs, tls-client-cert and tls-client-key flags to
  configure broker and client mutual authentication
- add verbose flag to turn on logging
- use outgoing-byte-rate metric to get real throughput
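
The broker-authentication failure in the testing notes above depends on whether the private CA is in the client's root set. The following Go program is an added example, not code from this pull request or from Sarama: it issues a constructed private CA and broker certificate in memory and runs the chain check with and without that CA. `issue` and `verifyBroker` are hypothetical helper names, and an unrelated CA stands in for the host's root CA set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed one-hour certificate for cn; a nil parent self-signs a CA.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // self-signed private CA
		t.IsCA, t.KeyUsage, parent, pk = true, t.KeyUsage|x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyBroker runs the chain and hostname check; caPEM stands in for the -tls-ca-certs bundle.
func verifyBroker(broker *x509.Certificate, caPEM []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM)
	_, err := broker.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, caPEM := issue("private-ca", nil, nil)
	broker, _, _ := issue("kafka", ca, caKey)
	_, _, otherPEM := issue("unrelated-ca", nil, nil) // stands in for the host root set
	fmt.Println("private CA supplied:", verifyBroker(broker, caPEM, "kafka"))
	fmt.Println("private CA missing: ", verifyBroker(broker, otherPEM, "kafka"))
}
```
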
bai commented Nov 14, 2019

Many thanks.

@bai bai merged commit bb74e49 into IBM:master Nov 14, 2019
slaunay commented Nov 14, 2019

Thanks for the very quick review @bai!
