Virtual connections in Kafka server #16658
Conversation
mmaslankaprv
force-pushed
the
multiplexing-connections
branch
from
ec87b64
to
6a3ceb8
Compare
There was a problem hiding this comment.
largely looks ok to me.
I had imagined that instead of adding complexity to / generalizing connection_context, we would instead leave connection_context as the logical connection largely untounched (except for pulling out the bits that grab the requests off the wire), and virtualize above it.
| is_first_request() | ||
| && h->client_id == multi_proxy_initial_client_id)) { |
There was a problem hiding this comment.
so what happens if the first request doesn't have this magic client id, and then later the connection starts behaving like its virtualized?
There was a problem hiding this comment.
no, in this case connection is not virtualized
Connection context has a lot of state which is valid only for the physical connection like |
mmaslankaprv
force-pushed
the
multiplexing-connections
branch
from
6a3ceb8
to
d4445b9
Compare
mmaslankaprv
force-pushed
the
multiplexing-connections
branch
from
d4445b9
to
7b7af45
Compare
|
/dt |
Signed-off-by: Michal Maslanka <michal@redpanda.com>
Signed-off-by: Michal Maslanka <michal@redpanda.com>
|
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45291#018dd530-bf67-46af-ab42-a83347601263 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45296#018dd5c1-3c04-426f-bc06-81d7e8e2e062 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45296#018dd5ea-0df9-4bee-b109-0f26f2b7a3ec ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45347#018de5b0-1e0c-45f7-89bb-ea4d39cca195 ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45387#018de9a6-14d0-47cd-8bc6-1775e1961223 |
mmaslankaprv
force-pushed
the
multiplexing-connections
branch
from
7b7af45
to
e5eb0e4
Compare
|
/dt |
mmaslankaprv
force-pushed
the
multiplexing-connections
branch
from
e5eb0e4
to
3ba460d
Compare
|
/dt |
|
/ci-repeat 1 |
| bytes parse_virtual_connection_id(const ss::temporary_buffer<char>& buffer) { | ||
| // TODO: should we use vcluster_id here ? | ||
| return bytes{ | ||
| reinterpret_cast<const uint8_t*>(buffer.begin()), buffer.size()}; | ||
| } |
There was a problem hiding this comment.
question: So once we get the 'magic' mpx value, each subsequent request will have the virtual connection ID in the client_id. Is there any format to that value? Does it need any additional validation or once we know we're a virtual connection, any value for client ID is accepted?
There was a problem hiding this comment.
we haven't yet agreed with the team about the format, i made it to accept any string for now, a plan is to add schema to it in future PR
| auto v_connection_id = parse_virtual_connection_id( | ||
| rctx.header().client_id_buffer); |
There was a problem hiding this comment.
question: Is there any requirement/need to handle authentication messages differently than other requests? Like, only handle authn requests if it has the magic mpx header value? As RP now supports re-authentication should that be disallowed in a virtual connection? How does the MPX system authenticate with Redpanda? Is it via SASL/SCRAM or will it use mTLS?
There was a problem hiding this comment.
Maybe worth noting that reauth is performed automagically (transparently) by modern enough Kafka clients. If the MPX system needs to mediate requests in some way to conform to the virtual connection protocol (and if reauthentication is desirable), this might require additional handling/care.
There was a problem hiding this comment.
i went over the code and it seems that there is no additional handling required for authentication/reauth requests. They do not have any special handling of client id. I think in this case we should relay on client to order the requests correctly.
There was a problem hiding this comment.
They do not have any special handling of client id
The question I was trying to pose was whether or not authentication for virtual connections should be handled differently based on client ID (e.g. only honor auth requests from the mpx magic client for example).
I think in this case we should relay on client to order the requests correctly.
I think that's fine. I'm just posing the question as any change of authentication will effect all virtual connections.
Implemented virtualization of Kafka connections on top of one physical TCP connection. Requests processed in a virtual connection context are independent from other requests in different virtual connections. This way we prevent requests from different virtual connections from blocking each other. Virtual connections are only available if first requests handled by the connection has the `__redpanda_mpx` client id set and Redpanda MPX extensions are enabled. Signed-off-by: Michal Maslanka <michal@redpanda.com>
Added a test that validates if requests executed in different connection contexts do not block each other. The test is using a `kafka-python` client. Unfortunately we need to access the client internal to change client ids and expected response sequences but we are able to execute the virtual connection handling code without pulling in MPX into ducktape. Signed-off-by: Michal Maslanka <michal@redpanda.com>
mmaslankaprv
force-pushed
the
multiplexing-connections
branch
from
3ba460d
to
dd777b0
Compare
Implemented virtualization of Kafka connections on top of one physical
TCP connection. Requests processed in a virtual connection context are
independent from other requests in different virtual connections. This
way we prevent requests from different virtual connections from blocking
each other.
Virtual connections are only available if first requests handled by the
connection has the
__redpanda_mpxclient id set and Redpanda MPXextensions are enabled.
Backports Required
Release Notes