merge upstream 2022 04 08 (#17)

* Fix memory leak in admin requests

Fix a memory leak introduces in ca1b30e in which the arguments to an
admin request were not being freed. Discovered by the test suite for
rust-rdkafka [0].

[0]: https://github.com/fede1024/rust-rdkafka/pull/397/checks?check_run_id=3914902373

* Fix MinGW Travis build issues by breaking test execution into a separate script

* ACL Admin Apis: CreateAcls, DescribeAcls, DeleteAcls

* Minor ACL API adjustments and some small code tweaks

* Add ACL support to CHANGELOG

* Retrieve jwt token from token provider (@jliunyu, confluentinc#3560)

* Fixed typo

* MsgSets with just aborted msgs raised a MSG_SIZE error, and fix backoff (confluentinc#2993)

This also removes fetch backoffs on underflows (truncated responses).

* test 0129: style fix

* test 0105: Fix race condition

* Idempotent producer: save state for removed partitions

.. in case they come back. To avoid silent message loss.

* Remove incorrect comment on mock API

* Fix rkbuf_rkb assert on malformed JoinGroupResponse.metadata

* clusterid() would fail if there were no topics in metadata (confluentinc#3620)

* sasl.oauthbearer.extensions should be optional

Fixes confluentinc/confluent-kafka-python#1269.

* Added AK 3.1.0 to test versions

* Changelog updates

* Bump version to v1.9.0

* sasl.oauthbearer.scope should be optional

According to the section 4.4.2 of RFC 6749, the scope is optional
in the access token request in client credentials flow.

And indeed, for OIDC providers that I find in the wild such as
Amazon Cognito, the scope _is_ optional. If the scope is omitted
from the request, then the returned access token will contain any
and all scope(s) that are configured for the client.

See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2

* Fix hang in list_groups() when cluster is unavailable (confluentinc#3705)

This was caused by holding on to an old broker state version that got outdated
and caused an infinite loop, rather than a timeout.

* Style fixes

* Integration test for OIDC (confluentinc#3646)

* Test for trivup

* integration test

* Update code style for existing code at rdkafka_sasl_oauthbearer_oidc.c

* Handle review comment

* tiny fix

* Handle review comments

* misc.c style fix

* Test fixes: OIDC requires AK 3.1, not 3.0

* Test 0113: reset security.protocol when using mock cluster

* Travis: use Py 3.8 (not 3.5) on Xenial builder

* Travis: bump integration test from AK 2.7.0 to 2.8.1

* Fix README release wording

* Improve subscribe() error documentation

* Fix linger.ms/message.timeout.ms config checking (confluentinc#3709)

* Replace deprecated zookeeper flag with bootstrap (@ladislavmacoun, confluentinc#3700)

* Replace deprecated zookeeper flag with bootstrap

Fixes: confluentinc#3699

Signed-off-by: Ladislav Macoun <ladislavmacoun@gmail.com>

* Add backwards compatibility

Signed-off-by: Ladislav Macoun <ladislavmacoun@gmail.com>

* Add assertion for cmd fitting inside buffer

Signed-off-by: Ladislav Macoun <ladislavmacoun@gmail.com>

* Increase command buffer

Signed-off-by: Ladislav Macoun <ladislavmacoun@gmail.com>

* Save one superfluous message timeout toppar scan

* Update to fedora:35 to fix the CentOS 8 build

mock epel-8-x86_64 is now broken in fedora:33:
https://bugzilla.redhat.com/show_bug.cgi?id=2049024

Update to fedora:35 with mock configs:
centos+epel-7-x86_64
centos-stream+epel-8-x86_64

* Add link to tutorial on Confluent Developer

Also fix indenting of bullet list

* Grooming (compilation warnings, potential issues)

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>

* fix: acl binding enum checks (@emasab, confluentinc#3741)

* checking enums values when creating or reading AclBinding and AclBindingFilter

* AclBinding destroy array function

* acl binding unit tests

* warnings and fix for unknown enums, test fixes

* int sizes matching the read size

* pointer to the correct broker

* cmake: Use CMAKE_INSTALL_LIBDIR

this ensures that it is portable across platforms e.g. ppc64/linux
uses lib64 not lib

Signed-off-by: Khem Raj <raj.khem@gmail.com>

* Trigger op callbacks regardless for unhandled types in consume_batch_queue() et.al. (confluentinc#3263)

* AppVeyor: Use Visual Studio 2019 image to build since 2015 has TLS problems

The 2015 image fails to donwload openssl due to TLS 1.2 not being available,
or something along those lines.

* mklove: add LD_LIBRARY_PATH to libcurl builder so that runtime checks pass

* Travis: build alpine & manylinux builds with --source-deps-only

This avoids relying on distro installed packages, which isn't very robust.

* Nuget Debian build: use --source-deps-only to avoid external dependencies

* RPM test: Use ubi8 image instead of centos:8

.. since centos is no more

* Curl 7.82.0

* mklove: curl now requires CoreFoundation and SystemConfiguration frameworks on osx

* Test 0128: skip if there's no oauthbearer support

* Test 0128: make thread-safe

* Test 0077: reduce flakyness by expediting compaction

* Update to zlib 1.2.12 and OpenSSL 1.1.1n

* vcpkg: revoke to zlib 1.2.11 since 1.2.12 is not yet available (as vcpkg)

* Travis: Disable mingw dynamic build for now (gcc breakage)

GCC 11 adds a new symbol that is not available in the mingw/msys2 libstdc++,
which makes it impossible to run applications that were built.

Until that's fixed we disable this worker since it will fail anyway.

* mklove: fix formatting of skipped pkg-config checks

* Fix lock order for rk_init_lock to avoid deadlock (non-released regression)

* vcpkg version bumps

* Update release instructions

* Make dynamic MinGW build copy DLLs instead of trying to manipulate PATH (@neptoess, confluentinc#3787)

* Make dynamic MinGW build copy DLLs instead of trying to manipulate PATH

* Remove tag requirement on MinGW dynamic build

Co-authored-by: Bill Rose <neptoess@gmail.com>

* Fix regression from last PR: curl_ldflags

* Reset stored offset on assign() and prevent offsets_store() for unassigned partitions

* Include broker_id in offset reset logs and corresponding consumer errors (confluentinc#3785)

* Txn: properly handle PRODUCER_FENCED in InitPid reply

* Provide reason to broker thread wakeups in debug logs

This will make troubleshooting easier

* rdkafka_performance: include broker in DR printouts

* Make SUBTESTS=.. match all of the subtest format string

* Added file io abstraction

* rdkafka_performance: cut down on the number of poll calls in full-rate mode

* Added test.mock.broker.rtt

* Log mock broker bootstrap.servers addresses when test.mock.num.brokers is set

* Mock brokers now allow compressed ProduceRequests

No decompression or validation is performed.

* Made rd_buf_read|peek_iXX() type safe

* SUB_TEST_SKIP() format verification

* Statistics: let broker.wakeups metric cover all broker wakeups, both IO and cnds

* Improved producer queue wakeups

* Broker thread: don't block on IO if there are ops available

* vcpkg: Update to zlib 1.2.12

* Fix some win32 compilation warnings

* Proper use of rd_socket_close() on Win32

Regression during v1.9.0 development

* Test 0101: missing return after Test::Skip()

* seek() doc clarification (confluentinc#3004)

* Documentation updates

* style-check* now fails on style warnings

* Automatic style fixes

* Some OIDC documentation fixes

* Fix for AWS_MSK_IAM

* Update for new method signature

Co-authored-by: Nikhil Benesch <nikhil.benesch@gmail.com>
Co-authored-by: Bill Rose <neptoess@gmail.com>
Co-authored-by: Emanuele Sabellico <emasab@gmail.com>
Co-authored-by: Magnus Edenhill <magnus@edenhill.se>
Co-authored-by: Jing Liu <jl5311@nyu.edu>
Co-authored-by: Matt Clarke <matt.clarke@ess.eu>
Co-authored-by: Leo Singer <leo.singer@ligo.org>
Co-authored-by: Ladislav <ladislavmacoun@gmail.com>
Co-authored-by: Ladislav Snizek <ladislav.snizek@cdn77.com>
Co-authored-by: Lance Shelton <lance.shelton@hammerspace.com>
Co-authored-by: Robin Moffatt <robin@rmoff.net>
Co-authored-by: Sergio Arroutbi <sarroutb@redhat.com>
Co-authored-by: Khem Raj <raj.khem@gmail.com>
Co-authored-by: Bill Rose <wwriv1991@gmail.com>

.appveyor.yml

@@ -1,10 +1,10 @@
-version: 1.8.0-R-post{build}
+version: 1.9.0-R-post{build}
 pull_requests:
   do_not_increment_build_number: true
-image: Visual Studio 2015
+image: Visual Studio 2019
 configuration: Release
 environment:
-  runtime: v140
+  runtime: v142
   matrix:
   - platform: x64
     arch: x64

.travis.yml

@@ -22,7 +22,10 @@ matrix:
    if: tag IS present
    os: linux
    compiler: gcc
-   env: ADDITIONAL_BUILDS="debian" LINKAGE=std
+   env:
+     - ADDITIONAL_BUILDS="debian"
+     - ADDITIONAL_BUILD_FLAGS="--source-deps-only"
+     - LINKAGE=std
    before_script:
     - ./configure --install-deps --disable-lz4-ext --disable-regex-ext --prefix="$PWD/dest" --enable-strip
 
@@ -35,7 +38,7 @@ matrix:
  - name: "Linux clang: +alpine +manylinux +werror"
    os: linux
    compiler: clang
-   env: ADDITIONAL_BUILDS="alpine manylinux2010_x86_64" LINKAGE=std
+   env: ADDITIONAL_BUILDS="alpine manylinux2010_x86_64" ADDITIONAL_BUILD_FLAGS="--source-deps-only" LINKAGE=std
    before_script:
     - ./configure --install-deps --disable-lz4-ext --prefix="$PWD/dest" --enable-werror --enable-strip
 
@@ -83,16 +86,21 @@ matrix:
     - source ./packaging/mingw-w64/travis-before-install.sh
    before_script:
     - ./packaging/mingw-w64/configure-build-msys2-mingw-static.sh
+    - ./packaging/mingw-w64/run-tests.sh
 
  - name: "Linux GCC: +integration-tests +copyright-check +doc-check +devel +code-cov +c99 +c++98"
    os: linux
    dist: xenial
+   language: python
+   python: 3.8
    compiler: gcc
    env: NO_ARTIFACTS=y RUN_INTEGRATION_TESTS=y COPYRIGHT_CHECK=y DOC_CHECK=y
    before_script:
     - wget -O rapidjson-dev.deb https://launchpad.net/ubuntu/+archive/primary/+files/rapidjson-dev_1.1.0+dfsg2-3_all.deb
     - sudo dpkg -i rapidjson-dev.deb
-    - sudo pip3 install -r tests/requirements.txt
+    - python -m pip install -U pip
+    - python -m pip -V
+    - python -m pip install -r tests/requirements.txt
     - sudo apt update
     - sudo apt install -y doxygen graphviz gdb
     - ./configure --CFLAGS="-std=c99" --CXXFLAGS="-std=c++98" --install-deps --enable-devel --disable-lz4-ext --prefix="$PWD/dest"
@@ -137,10 +145,10 @@ script:
 - if [[ $SKIP_MAKE != y && $RUN_INTEGRATION_TESTS != y ]]; then if [[ -n $TRAVIS_TAG ]]; then make -C tests run_local_quick; else make -C tests unit ; fi ; fi
 - if [[ $SKIP_MAKE != y ]]; then make install || travis_terminate 1 ; fi
 - if [[ -z $NO_ARTIFACTS ]]; then (cd dest && tar cvzf ../artifacts/librdkafka-${CC}.tar.gz .) ; fi
-- if [[ -n $TRAVIS_TAG ]]; then for distro in $ADDITIONAL_BUILDS ; do packaging/tools/distro-build.sh $distro --enable-strip || travis_terminate 1 ; done ; fi
+- if [[ -n $TRAVIS_TAG ]]; then for distro in $ADDITIONAL_BUILDS ; do packaging/tools/distro-build.sh $distro $ADDITIONAL_BUILD_FLAGS --enable-strip || travis_terminate 1 ; done ; fi
 - if [[ $COPYRIGHT_CHECK == y ]]; then make copyright-check || travis_terminate 1; fi
 - if [[ $DOC_CHECK == y ]]; then make docs || travis_terminate 1 ; fi
-- if [[ -z $TRAVIS_TAG && $RUN_INTEGRATION_TESTS == y ]]; then (cd tests && travis_retry ./interactive_broker_version.py -c "make quick" 2.7.0) || travis_terminate 1 ; fi
+- if [[ -z $TRAVIS_TAG && $RUN_INTEGRATION_TESTS == y ]]; then (cd tests && travis_retry ./interactive_broker_version.py -c "make quick" 2.8.1) || travis_terminate 1 ; fi
 - if [[ -f tests/core ]] && (which gdb >/dev/null); then (cd tests && LD_LIBRARY_PATH=../src:../src-cpp gdb ./test-runner core < backtrace.gdb) ; fi
 - sha256sum artifacts/* || true
 

CHANGELOG.md

@@ -2,9 +2,37 @@
 
 librdkafka v1.9.0 is a feature release:
 
+ * Added KIP-768 OUATHBEARER OIDC support (by @jliunyu, #3560)
+ * Added KIP-140 Admin API ACL support (by @emasab, #2676)
+
+
+## Upgrade considerations
+
+ * Consumer:
+   `rd_kafka_offsets_store()` (et.al) will now return an error for any
+   partition that is not currently assigned (through `rd_kafka_*assign()`).
+   This prevents a race condition where an application would store offsets
+   after the assigned partitions had been revoked (which resets the stored
+   offset), that could cause these old stored offsets to be committed later
+   when the same partitions were assigned to this consumer again - effectively
+   overwriting any committed offsets by any consumers that were assigned the
+   same partitions previously. This would typically result in the offsets
+   rewinding and messages to be reprocessed.
+   As an extra effort to avoid this situation the stored offset is now
+   also reset when partitions are assigned (through `rd_kafka_*assign()`).
+   Applications that explicitly call `..offset*_store()` will now need
+   to handle the case where `RD_KAFKA_RESP_ERR__STATE` is returned
+   in the per-partition `.err` field - meaning the partition is no longer
+   assigned to this consumer and the offset could not be stored for commit.
+
 
 ## Enhancements
 
+ * Improved producer queue scheduling. Fixes the performance regression
+   introduced in v1.7.0 for some produce patterns. (#3538, #2912)
+ * Windows: Added native Win32 IO/Queue scheduling. This removes the
+   internal TCP loopback connections that were previously used for timely
+   queue wakeups.
  * SASL OAUTHBEARER refresh callbacks can now be scheduled for execution
    on librdkafka's background thread. This solves the problem where an
    application has a custom SASL OAUTHBEARER refresh callback and thus needs to
@@ -15,18 +43,99 @@ librdkafka v1.9.0 is a feature release:
    can now be triggered automatically on the librdkafka background thread.
  * `rd_kafka_queue_get_background()` now creates the background thread
    if not already created.
+ * Bundled zlib upgraded to version 1.2.12.
+ * Bundled OpenSSL upgraded to 1.1.1n.
+ * Added `test.mock.broker.rtt` to simulate RTT/latency for mock brokers.
 
 
 ## Fixes
 
 ### General fixes
 
+ * Fix various 1 second delays due to internal broker threads blocking on IO
+   even though there are events to handle.
+   These delays could be seen randomly in any of the non produce/consume
+   request APIs, such as `commit_transaction()`, `list_groups()`, etc.
  * Windows: some applications would crash with an error message like
    `no OPENSSL_Applink()` written to the console if `ssl.keystore.location`
    was configured.
    This regression was introduced in v1.8.0 due to use of vcpkgs and how
    keystore file was read. #3554.
+ * `rd_kafka_clusterid()` would previously fail with timeout if
+   called on cluster with no visible topics (#3620).
+   The clusterid is now returned as soon as metadata has been retrieved.
+ * Fix hang in `rd_kafka_list_groups()` if there are no available brokers
+   to connect to (#3705).
+
+
+### Consumer fixes
+
+ * `rd_kafka_offsets_store()` (et.al) will now return an error for any
+   partition that is not currently assigned (through `rd_kafka_*assign()`).
+   See **Upgrade considerations** above for more information.
+ * `rd_kafka_*assign()` will now reset/clear the stored offset.
+   See **Upgrade considerations** above for more information.
+ * A `ERR_MSG_SIZE_TOO_LARGE` consumer error would previously be raised
+   if the consumer received a maximum sized FetchResponse only containing
+   (transaction) aborted messages with no control messages. The fetching did
+   not stop, but some applications would terminate upon receiving this error.
+   No error is now raised in this case. (#2993)
+   Thanks to @jacobmikesell for providing an application to reproduce the
+   issue.
+ * The consumer no longer backs off the next fetch request (default 500ms) when
+   the parsed fetch response is truncated (which is a valid case).
+   This should speed up the message fetch rate in case of maximum sized
+   fetch responses.
+ * Fix consumer crash (`assert: rkbuf->rkbuf_rkb`) when parsing
+   malformed JoinGroupResponse consumer group metadata state.
+ * Fix crash (`cant handle op type`) when using `consume_batch_queue()` (et.al)
+   and an OAUTHBEARER refresh callback was set.
+   The callback is now triggered by the consume call. (#3263)
+
+
+### Producer fixes
 
+ * Fix message loss in idempotent/transactional producer.
+   A corner case has been identified that may cause idempotent/transactional
+   messages to be lost despite being reported as successfully delivered:
+   During cluster instability a restarting broker may report existing topics
+   as non-existent for some time before it is able to acquire up to date
+   cluster and topic metadata.
+   If an idempotent/transactional producer updates its topic metadata cache
+   from such a broker the producer will consider the topic to be removed from
+   the cluster and thus remove its local partition objects for the given topic.
+   This also removes the internal message sequence number counter for the given
+   partitions.
+   If the producer later receives proper topic metadata for the cluster the
+   previously "removed" topics will be rediscovered and new partition objects
+   will be created in the producer. These new partition objects, with no
+   knowledge of previous incarnations, would start counting partition messages
+   at zero again.
+   If new messages were produced for these partitions by the same producer
+   instance, the same message sequence numbers would be sent to the broker.
+   If the broker still maintains state for the producer's PID and Epoch it could
+   deem that these messages with reused sequence numbers had already been
+   written to the log and treat them as legit duplicates.
+   This would seem to the producer that these new messages were successfully
+   written to the partition log by the broker when they were in fact discarded
+   as duplicates, leading to silent message loss.
+   The fix included in this release is to save the per-partition idempotency
+   state when a partition is removed, and then recover and use that saved
+   state if the partition comes back at a later time.
+ * The transactional producer would retry (re)initializing its PID if a
+   `PRODUCER_FENCED` error was returned from the
+   broker (added in Apache Kafka 2.8), which could cause the producer to
+   seemingly hang.
+   This error code is now correctly handled by raising a fatal error.
+ * Improved producer queue wakeup scheduling. This should significantly
+   decrease the number of wakeups and thus syscalls for high message rate
+   producers. (#3538, #2912)
+ * The logic for enforcing that `message.timeout.ms` is greather than
+   an explicitly configured `linger.ms` was incorrect and instead of
+   erroring out early the lingering time was automatically adjusted to the
+   message timeout, ignoring the configured `linger.ms`.
+   This has now been fixed so that an error is returned when instantiating the
+   producer. Thanks to @larry-cdn77 for analysis and test-cases. (#3709)
 
 
 # librdkafka v1.8.2

CMakeLists.txt

@@ -219,7 +219,7 @@ configure_file("packaging/cmake/config.h.in" "${GENERATED_DIR}/config.h")
 
 include(GNUInstallDirs)
 
-set(config_install_dir "lib/cmake/${PROJECT_NAME}")
+set(config_install_dir "${CMAKE_INSTALL_LIBDIR}/cmake/${PROJECT_NAME}")
 
 set(generated_dir "${CMAKE_CURRENT_BINARY_DIR}/generated")
 

CONFIGURATION.md

@@ -100,12 +100,12 @@ sasl.aws.duration.sec                    |  *  | 900 .. 43200    |           900
 sasl.oauthbearer.config                  |  *  |                 |               | low        | SASL/OAUTHBEARER configuration. The format is implementation-dependent and must be parsed accordingly. The default unsecured token implementation (see https://tools.ietf.org/html/rfc7515#appendix-A.5) recognizes space-separated name=value pairs with valid names including principalClaimName, principal, scopeClaimName, scope, and lifeSeconds. The default value for principalClaimName is "sub", the default value for scopeClaimName is "scope", and the default value for lifeSeconds is 3600. The scope value is CSV format with the default value being no/empty scope. For example: `principalClaimName=azp principal=admin scopeClaimName=roles scope=role1,role2 lifeSeconds=600`. In addition, SASL extensions can be communicated to the broker via `extension_NAME=value`. For example: `principal=admin extension_traceId=123` <br>*Type: string*
 enable.sasl.oauthbearer.unsecure.jwt     |  *  | true, false     |         false | low        | Enable the builtin unsecure JWT OAUTHBEARER token handler if no oauthbearer_refresh_cb has been set. This builtin handler should only be used for development or testing, and not in production. <br>*Type: boolean*
 oauthbearer_token_refresh_cb             |  *  |                 |               | low        | SASL/OAUTHBEARER token refresh callback (set with rd_kafka_conf_set_oauthbearer_token_refresh_cb(), triggered by rd_kafka_poll(), et.al. This callback will be triggered when it is time to refresh the client's OAUTHBEARER token. Also see `rd_kafka_conf_enable_sasl_queue()`. <br>*Type: see dedicated API*
-sasl.oauthbearer.method                  |  *  | default, oidc   |       default | low        | Set to "default" or "oidc" to control which login method is used. If set it to "oidc", OAuth/OIDC login method will be used. sasl.oauthbearer.client.id, sasl.oauthbearer.client.secret, sasl.oauthbearer.scope, sasl.oauthbearer.extensions, and sasl.oauthbearer.token.endpoint.url are needed if sasl.oauthbearer.method is set to "oidc". <br>*Type: enum value*
-sasl.oauthbearer.client.id               |  *  |                 |               | low        | It's a public identifier for the application. It must be unique across all clients that the authorization server handles. This is only used when sasl.oauthbearer.method is set to oidc. <br>*Type: string*
-sasl.oauthbearer.client.secret           |  *  |                 |               | low        | A client secret only known to the application and the authorization server. This should be a sufficiently random string that are not guessable. This is only used when sasl.oauthbearer.method is set to "oidc". <br>*Type: string*
-sasl.oauthbearer.scope                   |  *  |                 |               | low        | Client use this to specify the scope of the access request to the broker. This is only used when sasl.oauthbearer.method is set to "oidc". <br>*Type: string*
-sasl.oauthbearer.extensions              |  *  |                 |               | low        | Allow additional information to be provided to the broker. It's comma-separated list of key=value pairs. The example of the input is "supportFeatureX=true,organizationId=sales-emea". This is only used when sasl.oauthbearer.method is set to "oidc". <br>*Type: string*
-sasl.oauthbearer.token.endpoint.url      |  *  |                 |               | low        | OAUTH issuer token endpoint HTTP(S) URI used to retrieve the token. This is only used when sasl.oauthbearer.method is set to "oidc". <br>*Type: string*
+sasl.oauthbearer.method                  |  *  | default, oidc   |       default | low        | Set to "default" or "oidc" to control which login method to be used. If set to "oidc", the following properties must also be be specified: `sasl.oauthbearer.client.id`, `sasl.oauthbearer.client.secret`, and `sasl.oauthbearer.token.endpoint.url`. <br>*Type: enum value*
+sasl.oauthbearer.client.id               |  *  |                 |               | low        | Public identifier for the application. Must be unique across all clients that the authorization server handles. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
+sasl.oauthbearer.client.secret           |  *  |                 |               | low        | Client secret only known to the application and the authorization server. This should be a sufficiently random string that is not guessable. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
+sasl.oauthbearer.scope                   |  *  |                 |               | low        | Client use this to specify the scope of the access request to the broker. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
+sasl.oauthbearer.extensions              |  *  |                 |               | low        | Allow additional information to be provided to the broker. Comma-separated list of key=value pairs. E.g., "supportFeatureX=true,organizationId=sales-emea".Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
+sasl.oauthbearer.token.endpoint.url      |  *  |                 |               | low        | OAuth/OIDC issuer token endpoint HTTP(S) URI used to retrieve token. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
 plugin.library.paths                     |  *  |                 |               | low        | List of plugin libraries to load (; separated). The library search path is platform dependent (see dlopen(3) for Unix and LoadLibrary() for Windows). If no filename extension is specified the platform-specific extension (such as .dll or .so) will be appended automatically. <br>*Type: string*
 interceptors                             |  *  |                 |               | low        | Interceptors added through rd_kafka_conf_interceptor_add_..() and any configuration handled by interceptors. <br>*Type: see dedicated API*
 group.id                                 |  C  |                 |               | high       | Client group id string. All clients sharing the same group.id belong to the same group. <br>*Type: string*

CONTRIBUTING.md

@@ -36,9 +36,10 @@ likely to happen.
 clang-format is used to check, and fix, the style for C/C++ files,
 while flake8 and autopep8 is used for the Python scripts.
 
-You should check the style before committing by running `make style-check`
+You should check the style before committing by running `make style-check-changed`
 from the top-level directory, and if any style errors are reported you can
-automatically fix them using `make style-fix`.
+automatically fix them using `make style-fix-changed` (or just run
+that command directly).
 
 The Python code may need some manual fixing since autopep8 is unable to fix
 all warnings reported by flake8, in particular it will not split long lines,