[https://issues.apache.org/jira/browse/JAMES-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17514538#comment-17514538]
Benoit Tellier commented on JAMES-3700:
---------------------------------------
Hi,
We *could* define schemas.
We *must* have a dead letter policy, and not crash the consumer on poisoned
messages.
Note that schemas also don't guarantee that the consumer won't crash on a given
message. Having schemas in place still requires us to handle errors and set up
dead-lettering.
Note that Jean warned: "The schema way is really neat but I feel a small word of
warning is required." Please review his comment; the concerns are clearly well
expressed.
For the time being I would not necessarily try to set schema up but rather
implement error handling + dead lettering.
> Dead letter policy for the Pulsar MailQueue
> -------------------------------------------
>
> Key: JAMES-3700
> URL: https://issues.apache.org/jira/browse/JAMES-3700
> Project: James Server
> Issue Type: Sub-task
> Components: pulsar, Queue
> Affects Versions: master
> Reporter: Benoit Tellier
> Priority: Major
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Currently the Pulsar MailQueue does not come with a dead-letter policy.
> A bad JSON payload halts the processing.
> This makes the Pulsar MailQueue brittle:
> - The ability to inject a single message with a bad payload can cause an
> entire James cluster to come to a halt.
> - Could be seen as an attack vector
> - But also any change to the underlying JSON schema for payloads is
> liable to cause major downtime.
> We should define a dead-letter policy:
> - After a given number of failed deliveries, the message would be abandoned
> - And moved to a dead-letter topic for later audit (prevent data loss)
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
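The error-handling-plus-dead-lettering behaviour the comment asks for, as an added illustration that is not James or Pulsar code: the consumer loop catches payload decoding failures instead of letting them propagate, negative-acks the message so the broker redelivers it, and after a bounded number of redeliveries parks the raw payload on a dead-letter list for audit. The in-process queue, the `Message` class and the sample payloads are constructed stand-ins for the broker, and the redelivery limit of 3 is an assumed value.

```python
import json
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Message:
    """Constructed stand-in for a broker message: id, raw bytes, broker redelivery count."""
    msg_id: int
    payload: bytes
    redelivery_count: int = 0


@dataclass
class Result:
    delivered: list = field(default_factory=list)    # mail names handed on to processing
    dead_letter: list = field(default_factory=list)  # (msg_id, raw payload, reason) kept for audit
    attempts: dict = field(default_factory=dict)     # msg_id -> number of times it was consumed


def decode_mail(payload: bytes) -> dict:
    """Parse the JSON envelope; raise ValueError so the caller decides, not the consumer thread."""
    try:
        mail = json.loads(payload)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    if not isinstance(mail, dict) or not isinstance(mail.get("name"), str):
        raise ValueError("envelope has no string 'name' field")  # schema drift, not just bad bytes
    return mail


def run_consumer(payloads, max_redeliver=3) -> Result:
    """Drain the queue; a poison payload is redelivered up to max_redeliver times, then dead-lettered."""
    queue = deque(Message(i, p) for i, p in enumerate(payloads))
    result = Result()
    while queue:
        msg = queue.popleft()
        result.attempts[msg.msg_id] = result.attempts.get(msg.msg_id, 0) + 1
        try:
            mail = decode_mail(msg.payload)
        except ValueError as exc:
            if msg.redelivery_count < max_redeliver:
                # negative ack: simulate the broker redelivering with redelivery_count + 1
                queue.append(Message(msg.msg_id, msg.payload, msg.redelivery_count + 1))
            else:
                # give up on this message only: keep bytes + reason for audit, ack the original
                result.dead_letter.append((msg.msg_id, msg.payload, str(exc)))
            continue  # the rest of the queue keeps flowing either way
        result.delivered.append(mail["name"])  # ack after successful processing
    return result


SAMPLE = [  # constructed payloads: valid envelopes around two different poison messages
    b'{"name": "mail-1", "recipients": ["a@example.org"]}',
    b'{"name": "mail-bad"',
    b'{"name": "mail-2", "recipients": ["b@example.org"]}',
    b'{"subject": "renamed field, old consumer"}',
]
```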