Virtual connections in Kafka server #16658
ec87b64 to 6a3ceb8
largely looks ok to me.
I had imagined that instead of adding complexity to / generalizing `connection_context`, we would instead leave `connection_context` as the logical connection largely untouched (except for pulling out the bits that grab the requests off the wire), and virtualize above it.
is_first_request() | ||
&& h->client_id == multi_proxy_initial_client_id)) { |
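Review bot: the condition `is_first_request() && h->client_id == multi_proxy_initial_client_id` decides the connection mode once, from a client-supplied field. A comment at this branch stating that the mode is fixed for the lifetime of the physical connection, plus a test that sends the magic client id on a later request, would pin that behaviour down.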
so what happens if the first request doesn't have this magic client id, and then later the connection starts behaving like it's virtualized?
No, in this case the connection is not virtualized.
Connection context has a lot of state which is valid only for the physical connection like
6a3ceb8 to d4445b9
Nice job! I like how the diff is pretty small because the abstractions themselves implement process_request
d4445b9 to 7b7af45
/dt
Signed-off-by: Michal Maslanka <michal@redpanda.com>
Signed-off-by: Michal Maslanka <michal@redpanda.com>
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45291#018dd530-bf67-46af-ab42-a83347601263
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45296#018dd5c1-3c04-426f-bc06-81d7e8e2e062
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45296#018dd5ea-0df9-4bee-b109-0f26f2b7a3ec
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45347#018de5b0-1e0c-45f7-89bb-ea4d39cca195
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/45387#018de9a6-14d0-47cd-8bc6-1775e1961223
7b7af45 to e5eb0e4
/dt
e5eb0e4 to 3ba460d
/dt
/ci-repeat 1
Looks nice, just a couple of questions
bytes parse_virtual_connection_id(const ss::temporary_buffer<char>& buffer) { | ||
// TODO: should we use vcluster_id here ? | ||
return bytes{ | ||
reinterpret_cast<const uint8_t*>(buffer.begin()), buffer.size()}; | ||
} |
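Review bot: `parse_virtual_connection_id` copies the whole client id buffer into `bytes` with no upper bound on `buffer.size()` and no handling of an empty buffer. Until the id format is agreed, consider rejecting empty ids and capping the length here, and either resolve the `vcluster_id` TODO or track it in an issue so it does not outlive this PR.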
question: So once we get the 'magic' `mpx` value, each subsequent request will have the virtual connection ID in the client_id. Is there any format to that value? Does it need any additional validation or once we know we're a virtual connection, any value for client ID is accepted?
We haven't yet agreed with the team about the format. I made it accept any string for now; the plan is to add a schema to it in a future PR.
auto v_connection_id = parse_virtual_connection_id( | ||
rctx.header().client_id_buffer); |
question: Is there any requirement/need to handle authentication messages differently than other requests? Like, only handle authn requests if it has the magic `mpx` header value? As RP now supports re-authentication, should that be disallowed in a virtual connection? How does the MPX system authenticate with Redpanda? Is it via SASL/SCRAM or will it use mTLS?
Maybe worth noting that reauth is performed automagically (transparently) by modern enough Kafka clients. If the MPX system needs to mediate requests in some way to conform to the virtual connection protocol (and if reauthentication is desirable), this might require additional handling/care.
I went over the code and it seems that there is no additional handling required for authentication/reauth requests. They do not have any special handling of client id. I think in this case we should rely on the client to order the requests correctly.
> They do not have any special handling of client id
The question I was trying to pose was whether or not authentication for virtual connections should be handled differently based on client ID (e.g. only honor auth requests from the `mpx` magic client for example).
> I think in this case we should rely on the client to order the requests correctly.
I think that's fine. I'm just posing the question as any change of authentication will affect all virtual connections.
Implemented virtualization of Kafka connections on top of one physical TCP connection. Requests processed in a virtual connection context are independent from other requests in different virtual connections. This way we prevent requests from different virtual connections from blocking each other.
Virtual connections are only available if the first request handled by the connection has the `__redpanda_mpx` client id set and Redpanda MPX extensions are enabled.
Signed-off-by: Michal Maslanka <michal@redpanda.com>
Added a test that validates that requests executed in different connection contexts do not block each other. The test is using a `kafka-python` client. Unfortunately we need to access the client internals to change client ids and expected response sequences, but we are able to execute the virtual connection handling code without pulling in MPX into ducktape.
Signed-off-by: Michal Maslanka <michal@redpanda.com>
3ba460d to dd777b0
LGTM
Implemented virtualization of Kafka connections on top of one physical
TCP connection. Requests processed in a virtual connection context are
independent from other requests in different virtual connections. This
way we prevent requests from different virtual connections from blocking
each other.
Virtual connections are only available if the first request handled by the
connection has the `__redpanda_mpx` client id set and Redpanda MPX extensions are enabled.
Backports Required
Release Notes
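The gate in the PR description and the id-validation question raised in review, modelled as an added example; this is not code from the PR or from Redpanda. The names `physical_connection`, `route`, `max_vconn_id_len` and `max_vconns` are hypothetical, the two caps are illustrative (the PR accepts any client id), and keeping the first request on the physical context is an assumption.

```cpp
#include <cstddef>
#include <map>
#include <optional>
#include <string>

// Added model, not Redpanda's connection_context. Names are hypothetical;
// both caps are illustrative assumptions (the PR accepts any client id).
constexpr const char* mpx_magic_client_id = "__redpanda_mpx"; // from the PR text
constexpr std::size_t max_vconn_id_len = 256;
constexpr std::size_t max_vconns = 1024;

struct route {
    bool is_virtual;      // false: handled by the physical connection context
    std::string vconn_id; // empty when !is_virtual
    std::size_t seq;      // sequence number inside that context
};

class physical_connection {
public:
    explicit physical_connection(bool mpx_enabled) : _mpx_enabled(mpx_enabled) {}

    // std::nullopt: a virtualized connection got a request whose client id is
    // missing, empty, over the length cap, or would exceed the per-socket cap.
    std::optional<route> on_request(const std::optional<std::string>& client_id) {
        if (_first) {
            _first = false;
            // The mode is decided once, by the first request only.
            _virtualized = _mpx_enabled && client_id == mpx_magic_client_id;
            // Assumption: the first request stays on the physical context.
            return route{false, "", _physical_seq++};
        }
        if (!_virtualized) return route{false, "", _physical_seq++};
        if (!client_id || client_id->empty()
            || client_id->size() > max_vconn_id_len) return std::nullopt;
        // Bound the per-socket state that client-chosen ids can create.
        if (!_vconn_seq.count(*client_id) && _vconn_seq.size() >= max_vconns)
            return std::nullopt;
        // Each virtual connection is its own ordering domain.
        return route{true, *client_id, _vconn_seq[*client_id]++};
    }

    bool virtualized() const { return _virtualized; }

private:
    bool _mpx_enabled;
    bool _first = true;
    bool _virtualized = false;
    std::size_t _physical_seq = 0;
    std::map<std::string, std::size_t> _vconn_seq;
};
```
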