[ 
https://issues.apache.org/jira/browse/NIFI-16077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18094058#comment-18094058
 ] 

ASF subversion and git services commented on NIFI-16077:
--------------------------------------------------------

Commit a0dc20b7ba6576ac376cd0c54fb685f220b6924b in nifi's branch 
refs/heads/main from Wojciech Trefon
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=a0dc20b7ba6 ]

NIFI-16077 Changed default Security Protocol for Kafka components from 
PLAINTEXT to SSL (#11394)

Signed-off-by: David Handermann <[email protected]>

> Change default Security Protocol for Kafka components from PLAINTEXT to SSL
> ---------------------------------------------------------------------------
>
>                 Key: NIFI-16077
>                 URL: https://issues.apache.org/jira/browse/NIFI-16077
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Wojciech Trefon
>            Priority: Minor
>              Labels: kafka
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The Kafka components (ConsumeKafka, PublishKafka, and the Kafka Connection
> Service) expose a "Security Protocol" property whose default value is
> currently PLAINTEXT (KafkaClientComponent.SECURITY_PROTOCOL).
> TLS is the norm for production Kafka deployments today, so a plaintext
> default is both an insecure and a fragile starting point. When a client is
> left on a plaintext protocol but the broker actually requires TLS, the Kafka
> client reads the broker's TLS alert record as a message-length field
> (0x15030300 ≈ 336 MB) and attempts to allocate that amount per broker
> connection, exhausting the heap and driving the process into an
> OutOfMemoryError crash-loop within roughly 30-60 seconds. The root cause is
> in the Kafka client library (see KAFKA-4090, open and unresolved), so it
> cannot be prevented on the NiFi side — but shipping a secure default makes it
> far less likely for users to fall into this trap by omission.
> Proposed change: set the default value of the Security Protocol property to
> SSL in the shared KafkaClientComponent definition. Because the property
> descriptor is shared, this single change covers all Kafka processors and the
> Kafka connection service. The property is required and is always persisted
> explicitly in existing flows, so this only affects newly added components.
> References:
>  - KAFKA-4090: https://issues.apache.org/jira/browse/KAFKA-4090



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to