Closed
Conversation
The previous wording is not 100% clear, a little example clarifies it.
asfgit
pushed a commit
that referenced
this pull request
May 30, 2013
…s with 0; patched by Milosz Tanski; reviewed by Jun Rao
relango
added a commit
to relango/kafka
that referenced
this pull request
Mar 31, 2014
Fix issue with SSLContext initialized globally at JVM level
Ishiihara
referenced
this pull request
in confluentinc/kafka
Jun 16, 2015
Bootstrap Kafka system tests
Member
|
This pull request doesn't merge cleanly anymore, can you please close it? Sorry for not replying to this earlier, but pull requests are not currently monitored as the Kafka project uses JIRA and Review Board for contributions. There is a plan to change this and we would like to close stale PRs before we start. Unfortunately we can't do it ourselves (a JIRA needs to be filed with Apache Infra) so your help is appreciated. If this change is still relevant, please see http://kafka.apache.org/contributing.html. Alternatively wait until the new approach based on GitHub pull requests is in place (hopefully soon). |
Contributor
Author
|
I believe you can close it, this is a really old PR. |
Member
|
@fsaintjacques, for Apache projects, no-one but Apache Infra has write permission to the repository (including pull requests and issues). So, either you (the author) must close it, or we must file a ticket asking Infra to do it. |
asfgit
pushed a commit
that referenced
this pull request
Jul 29, 2015
Initial patch for KIP-25 Note that to install ducktape, do *not* use pip to install ducktape. Instead: ``` $ git clone gitgithub.com:confluentinc/ducktape.git $ cd ducktape $ python setup.py install ``` Author: Geoff Anderson <geoff@confluent.io> Author: Geoff <granders@gmail.com> Author: Liquan Pei <liquanpei@gmail.com> Reviewers: Ewen, Gwen, Jun, Guozhang Closes #70 from granders/KAFKA-2276 and squashes the following commits: a62fb6c [Geoff Anderson] fixed checkstyle errors a70f0f8 [Geoff Anderson] Merged in upstream trunk. 8b62019 [Geoff Anderson] Merged in upstream trunk. 47b7b64 [Geoff Anderson] Created separate tools jar so that the clients package does not pull in dependencies on the Jackson JSON tools or argparse4j. a9e6a14 [Geoff Anderson] Merged in upstream changes d18db7b [Geoff Anderson] fixed :rat errors (needed to add licenses) 321fdf8 [Geoff Anderson] Ignore tests/ and vagrant/ directories when running rat build task 795fc75 [Geoff Anderson] Merged in changes from upstream trunk. 1d93f06 [Geoff Anderson] Updated provisioning to use java 7 in light of KAFKA-2316 2ea4e29 [Geoff Anderson] Tweaked README, changed default log collection behavior on VerifiableProducer 0eb6fdc [Geoff Anderson] Merged in system-tests 69dd7be [Geoff Anderson] Merged in trunk 4034dd6 [Geoff Anderson] Merged in upstream trunk ede6450 [Geoff] Merge pull request #4 from confluentinc/move_muckrake 7751545 [Geoff Anderson] Corrected license headers e6d532f [Geoff Anderson] java 7 -> java 6 8c61e2d [Geoff Anderson] Reverted jdk back to 6 f14c507 [Geoff Anderson] Removed mode = "test" from Vagrantfile and Vagrantfile.local examples. Updated testing README to clarify aws setup. 98b7253 [Geoff Anderson] Updated consumer tests to pre-populate kafka logs e6a41f1 [Geoff Anderson] removed stray println b15b24f [Geoff Anderson] leftover KafkaBenchmark in super call 0f75187 [Geoff Anderson] Rmoved stray allow_fail. kafka_benchmark_test -> benchmark_test f469f84 [Geoff Anderson] Tweaked readme, added example Vagrantfile.local 3d73857 [Geoff Anderson] Merged downstream changes 42dcdb1 [Geoff Anderson] Tweaked behavior of stop_node, clean_node to generally fail fast 7f7c3e0 [Geoff Anderson] Updated setup.py for kafkatest c60125c [Geoff Anderson] TestEndToEndLatency -> EndToEndLatency 4f476fe [Geoff Anderson] Moved aws scripts to vagrant directory 5af88fc [Geoff Anderson] Updated README to include aws quickstart e5edf03 [Geoff Anderson] Updated example aws Vagrantfile.local 96533c3 [Geoff] Update aws-access-keys-commands 25a413d [Geoff] Update aws-example-Vagrantfile.local 884b20e [Geoff Anderson] Moved a bunch of files to kafkatest directory fc7c81c [Geoff Anderson] added setup.py 632be12 [Geoff] Merge pull request #3 from confluentinc/verbose-client 51a94fd [Geoff Anderson] Use argparse4j instead of joptsimple. ThroughputThrottler now has more intuitive behavior when targetThroughput is 0. a80a428 [Geoff Anderson] Added shell program for VerifiableProducer. d586fb0 [Geoff Anderson] Updated comments to reflect that throttler is not message-specific 6842ed1 [Geoff Anderson] left out a file from last commit 1228eef [Geoff Anderson] Renamed throttler 9100417 [Geoff Anderson] Updated command-line options for VerifiableProducer. Extracted throughput logic to make it reusable. 0a5de8e [Geoff Anderson] Fixed checkstyle errors. Changed name to VerifiableProducer. Added synchronization for thread safety on println statements. 475423b [Geoff Anderson] Convert class to string before adding to json object. bc009f2 [Geoff Anderson] Got rid of VerboseProducer in core (moved to clients) c0526fe [Geoff Anderson] Updates per review comments. 8b4b1f2 [Geoff Anderson] Minor updates to VerboseProducer 2777712 [Geoff Anderson] Added some metadata to producer output. da94b8c [Geoff Anderson] Added number of messages option. 07cd1c6 [Geoff Anderson] Added simple producer which prints status of produced messages to stdout. a278988 [Geoff Anderson] fixed typos f1914c3 [Liquan Pei] Merge pull request #2 from confluentinc/system_tests 81e4156 [Liquan Pei] Bootstrap Kafka system tests
ymatsuda
pushed a commit
to ymatsuda/kafka
that referenced
this pull request
Mar 2, 2016
…reams-tech-preview Backport recent changes from trunk/streams: batch apache#2
resetius
added a commit
to resetius/kafka
that referenced
this pull request
Jun 7, 2016
[LOGBROKER-726] Fix debianization
Closed
jasonaliyetti
pushed a commit
to jasonaliyetti/kafka
that referenced
this pull request
Oct 14, 2016
Add ability to prevent broker from taking leadership for any partition
baluchicken
added a commit
to baluchicken/kafka-1
that referenced
this pull request
Jan 3, 2017
3 tasks
3 tasks
3 tasks
3 tasks
3 tasks
3 tasks
3 tasks
lianetm
added a commit
to lianetm/kafka
that referenced
this pull request
Jun 12, 2023
…AndTimestamp and ListOffsetResult & Tests
3 tasks
|
This issue can be caused by a non-existing path but also a misunderstanding from the config file. A short example will help the user. |
3 tasks
Closed
3 tasks
3 tasks
Merged
3 tasks
k0b3rIT
pushed a commit
to k0b3rIT/kafka
that referenced
this pull request
Mar 24, 2025
for testcontainers based integration tests in SMM, Kafka Connectors (kafka_connect_ext/kafka_connect_parent) [CDPD-24861] Adding Docker files for building Docker images. The script will be triggered as part of the build process to create Docker images. Change-Id: I401c0b3a49bb885d7aaad7691a8587873bf7a255 [CDPD-25577] Adding environment variables to docker image for configuring Kafka properties Change-Id: I37eddd212d78f929e1cac94cc6e5f7ca265b46bb CDPD-24861: Making a separate image for Kafka and Connect Base and also adding flexibility to the property configuration. Change-Id: I7725744d5fea0237868604fd36f9d450f6bf7ada CDPD-26355 tagging images with stack latest Change-Id: I6ddb44276b3641a3e6c9e729f5dc1ba0e64cadb7 [docker] CDPD-39536 Update Kafka Connect docker images configuration to use listeners property Change-Id: Ifad3e0369ec7e93b094d27945dc05b2810d810f5 CDPD-40406: Use JDK 11 for docker images Change-Id: Ib899cb7105b8f8ab5ae4094f297d237bb802b006 [docker] CDPD-39536 Update Kafka Connect docker images configuration to use listeners property apache#2 Change-Id: I94202c3f7607219fccb4562b68b1671f6fdee54b [docker] CDPD-41325 Simplifying local build of Kafka, Kafka Connect base docker images Change-Id: Id51eb15fd198ffa929e3eb3d98d66ce087959c9f [docker] CDPD-56944: Build Cruise Control Metrics Reporter into Kafka docker image and configure if available Change-Id: I065eaaee0db8ee6301b63d88c7f54a3fe814c811 [docker, ci] CDPD-60283: Run storage initialization when KRaft mode of Kafka is used and use KRaft mode in CI where possible acls are still not supported in KRaft mode, those are still using Zookeeper also some simplifications for M1 local docker image build Change-Id: I4154024a22c920f77ce5277d500d5d3553b540c2 CDPD-60488: Test flakiness corrected by introducing delay Change-Id: Id27fcb371853361ce8f683e16e093b35c123e3da CDPD-68964: Remove tests from under ci module Change-Id: I22173bd078f47f18f166ede936817db2bd8ddc91 [CLOUDERA-BUILD] CI This commit contains the following items: [CLOUDERA-BUILD] [CDPDFX-221] Add kafka CI Change-Id: I0686081492480db93fbca3d3cf194466073deeb4 [CLOUDERA-BUILD] CI Fixing gate job Change-Id: Ifa861e0621f58e6db200c0521223462bfc9b90a7 Change ci tests to java Change-Id: Ia133df85a9300a9f96c1f2d6c27bd9f8c64ca539 CI - Rename helm repo name since cloudera/kafka became an existing directory Change-Id: Iff3bfa926793f0c1664fa9c4ff69976338642aea CDPDFX-756 collect ci logs Change-Id: Iee58b0a6f082a64c9c208a6b116c14731339993f CDPD-35263 Use AclAuthorizer Change-Id: Ifed7f7b531cac988a171fea9690789c8e1b86bbf CDPD-42095 Upgrade junit in CI tests Change-Id: Ia19c231860f7f83fd51ab5e9c7340b486ede0095 CDPD-45541 Remove kafka zuul ci ignore_commit_convention_check Change-Id: If5e6a2f09cca5e61a180a3ed6f9209ecadd49903 CDPD-45541 Include CI tests into test scope Change-Id: I3520813d1bc5f08fc0d39c5bfa2feff91ec6ffa1 CDPD-45541: Canary breaks with older hwqe-kafka-client versions e.g. org.hw.qe:hwqe-kafka-client:0.4.128 is not present in public-non-IN-QA repo - which is used by canary Change-Id: If4cd05cb3e73605168b8d348344863a11f8806e2 [ci] CDPD-27134 Groovy postbuild script to handle gerrit voting Change-Id: If8d26250c504b4c5ae99f075810e1ba1a51897b2 CDPD-35705: Increase timeout for post-unit-test execution Change-Id: I1c136ed3c3eeb3ceec8c430e201abafe7e76e92d fixup! [ci] CDPD-27134 Groovy postbuild script to handle gerrit voting CDPD-48246: Add Unit test+1 label for CDF/smm_app_private Change-Id: I0ae6a32d119931c47d24e3a893d7e11dface06f3 CDPD-55718: Adding file to execute java11 unit tests Change-Id: If15a35d82277b67f942c3b1a4712cacee4757d36 Netcat is used by testcontainers to check the ports in the container Change-Id: Idc98aa472fe5706fb751943e6502d0d8c6f15abe
apalan60
referenced
this pull request
in apalan60/kafka
Apr 19, 2025
clolov
added a commit
to clolov/kafka
that referenced
this pull request
Aug 1, 2025
omkreddy
pushed a commit
that referenced
this pull request
Feb 12, 2026
…ker provisioning (#21394) ## Summary Fixes bugs where `--jdk-version` and `--jdk-arch` parameters were ignored during system test worker provisioning, and refactors `vagrant/base.sh` to support flexible JDK versions without code changes. --- ## Problem The Vagrant provisioning script (`vagrant/base.sh`) had two bugs that caused JDK version parameters to be ignored: | Bug | Problem | |-----|---------| | **#1: `--jdk-version` ignored** | `JDK_FULL` was hardcoded to `17-linux-x64`, so passing `--jdk-version 25` still downloaded JDK 17 | | **#2: `--jdk-arch` ignored** | Architecture parameter was passed but never used in the S3 download URL | --- ## Solution - Validate `JDK_MAJOR` and `JDK_ARCH` input parameters with regex - Dynamically construct `JDK_FULL` from `JDK_MAJOR` and `JDK_ARCH` - Update S3 path to use `/jdk/` subdirectory - Add logging for debugging --- ## Changes ### `vagrant/base.sh` | Change | Description | |--------|-------------| | **Input validation** | Added regex validation for `JDK_MAJOR` and `JDK_ARCH` with sensible defaults | | **Dynamic construction** | `JDK_FULL` is now constructed from `JDK_MAJOR` and `JDK_ARCH` if not explicitly provided | | **Updated S3 path** | Changed URL from `/kafka-packages/jdk-{version}.tar.gz` to `/kafka-packages/jdk/jdk-{version}.tar.gz` | | **Logging** | Added debug output for JDK configuration | | **Backward compatibility** | Vagrantfile can still pass `JDK_FULL` directly; the script validates and uses it if valid | --- ## S3 Path Change ### Old Path ``` s3://kafka-packages/jdk-{version}.tar.gz ``` ### New Path ``` s3://kafka-packages/jdk/jdk-{version}.tar.gz ``` ### Available JDKs in `s3://kafka-packages/jdk/` | File | Version | Architecture | |------|---------|--------------| | `jdk-7u80-linux-x64.tar.gz` | 7u80 | x64 | | `jdk-8u144-linux-x64.tar.gz` | 8u144 | x64 | | `jdk-8u161-linux-x64.tar.gz` | 8u161 | x64 | | `jdk-8u171-linux-x64.tar.gz` | 8u171 | x64 | | `jdk-8u191-linux-x64.tar.gz` | 8u191 | x64 | | `jdk-8u202-linux-x64.tar.gz` | 8u202 | x64 | | `jdk-11.0.2-linux-x64.tar.gz` | 11.0.2 | x64 | | `jdk-17-linux-x64.tar.gz` | 17 | x64 | | `jdk-18.0.2-linux-x64.tar.gz` | 18.0.2 | x64 | | `jdk-21.0.1-linux-x64.tar.gz` | 21.0.1 | x64 | | `jdk-21.0.1-linux-aarch64.tar.gz` | 21.0.1 | aarch64 | | `jdk-25-linux-x64.tar.gz` | 25 | x64 | | `jdk-25-linux-aarch64.tar.gz` | 25 | aarch64 | | `jdk-25.0.1-linux-x64.tar.gz` | 25.0.1 | x64 | | `jdk-25.0.1-linux-aarch64.tar.gz` | 25.0.1 | aarch64 | | `jdk-25.0.2-linux-x64.tar.gz` | 25.0.2 | x64 | | `jdk-25.0.2-linux-aarch64.tar.gz` | 25.0.2 | aarch64 | --- ## Future JDK Releases > **IMPORTANT: No code changes required for future Java major/minor releases!** The validation regex supports all version formats: - **Major versions**: `17`, `25`, `26` - **Minor versions**: `25.0.1`, `25.0.2`, `26.0.1` - **Legacy format**: `8u144`, `8u202` ### Adding New JDK Versions To add support for a new JDK version (e.g., JDK 26, 25.0.3): 1. Download the JDK tarball from Oracle/Adoptium 2. Rename to follow naming convention: `jdk-{VERSION}-linux-{ARCH}.tar.gz` 3. Upload to S3: `aws s3 cp jdk-{VERSION}-linux-{ARCH}.tar.gz s3://kafka-packages/jdk/` 4. Use in tests: `--jdk-version {VERSION} --jdk-arch {ARCH}` No modifications to `base.sh` or any other scripts are needed. --- ## Benefits | Before | After | |--------|-------| | `--jdk-version` ignored | ✅ Correctly uses specified version | | `--jdk-arch` ignored | ✅ Correctly uses specified architecture | | Only major version support | ✅ Full version support (e.g., `25.0.2`) | | Code change needed for new JDK | ✅ Just upload to S3 and pass version | --- ## Testing Tested with different JDK versions to confirm the fix works correctly: | Test | JDK_MAJOR | Expected | Actual | Result | Test Report | |------|-----------|----------|--------|--------|-------------| | JDK 17 | `17` | javac 17.0.4 | javac 17.0.4 | ✅ | | JDK 25 | `25` | javac 25.0.2 | javac 25.0.2 | ✅ | --- ## Backward Compatibility - **Vagrantfile**: Continues to work as before - **Existing workflows**: Default behavior unchanged (JDK 17 on x64 architecture) - **No breaking changes**: All existing configurations continue to work --- Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com>
chia7712
pushed a commit
that referenced
this pull request
Feb 18, 2026
…ker provisioning (#21394) ## Summary Fixes bugs where `--jdk-version` and `--jdk-arch` parameters were ignored during system test worker provisioning, and refactors `vagrant/base.sh` to support flexible JDK versions without code changes. --- ## Problem The Vagrant provisioning script (`vagrant/base.sh`) had two bugs that caused JDK version parameters to be ignored: | Bug | Problem | |-----|---------| | **#1: `--jdk-version` ignored** | `JDK_FULL` was hardcoded to `17-linux-x64`, so passing `--jdk-version 25` still downloaded JDK 17 | | **#2: `--jdk-arch` ignored** | Architecture parameter was passed but never used in the S3 download URL | --- ## Solution - Validate `JDK_MAJOR` and `JDK_ARCH` input parameters with regex - Dynamically construct `JDK_FULL` from `JDK_MAJOR` and `JDK_ARCH` - Update S3 path to use `/jdk/` subdirectory - Add logging for debugging --- ## Changes ### `vagrant/base.sh` | Change | Description | |--------|-------------| | **Input validation** | Added regex validation for `JDK_MAJOR` and `JDK_ARCH` with sensible defaults | | **Dynamic construction** | `JDK_FULL` is now constructed from `JDK_MAJOR` and `JDK_ARCH` if not explicitly provided | | **Updated S3 path** | Changed URL from `/kafka-packages/jdk-{version}.tar.gz` to `/kafka-packages/jdk/jdk-{version}.tar.gz` | | **Logging** | Added debug output for JDK configuration | | **Backward compatibility** | Vagrantfile can still pass `JDK_FULL` directly; the script validates and uses it if valid | --- ## S3 Path Change ### Old Path ``` s3://kafka-packages/jdk-{version}.tar.gz ``` ### New Path ``` s3://kafka-packages/jdk/jdk-{version}.tar.gz ``` ### Available JDKs in `s3://kafka-packages/jdk/` | File | Version | Architecture | |------|---------|--------------| | `jdk-7u80-linux-x64.tar.gz` | 7u80 | x64 | | `jdk-8u144-linux-x64.tar.gz` | 8u144 | x64 | | `jdk-8u161-linux-x64.tar.gz` | 8u161 | x64 | | `jdk-8u171-linux-x64.tar.gz` | 8u171 | x64 | | `jdk-8u191-linux-x64.tar.gz` | 8u191 | x64 | | `jdk-8u202-linux-x64.tar.gz` | 8u202 | x64 | | `jdk-11.0.2-linux-x64.tar.gz` | 11.0.2 | x64 | | `jdk-17-linux-x64.tar.gz` | 17 | x64 | | `jdk-18.0.2-linux-x64.tar.gz` | 18.0.2 | x64 | | `jdk-21.0.1-linux-x64.tar.gz` | 21.0.1 | x64 | | `jdk-21.0.1-linux-aarch64.tar.gz` | 21.0.1 | aarch64 | | `jdk-25-linux-x64.tar.gz` | 25 | x64 | | `jdk-25-linux-aarch64.tar.gz` | 25 | aarch64 | | `jdk-25.0.1-linux-x64.tar.gz` | 25.0.1 | x64 | | `jdk-25.0.1-linux-aarch64.tar.gz` | 25.0.1 | aarch64 | | `jdk-25.0.2-linux-x64.tar.gz` | 25.0.2 | x64 | | `jdk-25.0.2-linux-aarch64.tar.gz` | 25.0.2 | aarch64 | --- ## Future JDK Releases > **IMPORTANT: No code changes required for future Java major/minor releases!** The validation regex supports all version formats: - **Major versions**: `17`, `25`, `26` - **Minor versions**: `25.0.1`, `25.0.2`, `26.0.1` - **Legacy format**: `8u144`, `8u202` ### Adding New JDK Versions To add support for a new JDK version (e.g., JDK 26, 25.0.3): 1. Download the JDK tarball from Oracle/Adoptium 2. Rename to follow naming convention: `jdk-{VERSION}-linux-{ARCH}.tar.gz` 3. Upload to S3: `aws s3 cp jdk-{VERSION}-linux-{ARCH}.tar.gz s3://kafka-packages/jdk/` 4. Use in tests: `--jdk-version {VERSION} --jdk-arch {ARCH}` No modifications to `base.sh` or any other scripts are needed. --- ## Benefits | Before | After | |--------|-------| | `--jdk-version` ignored | ✅ Correctly uses specified version | | `--jdk-arch` ignored | ✅ Correctly uses specified architecture | | Only major version support | ✅ Full version support (e.g., `25.0.2`) | | Code change needed for new JDK | ✅ Just upload to S3 and pass version | --- ## Testing Tested with different JDK versions to confirm the fix works correctly: | Test | JDK_MAJOR | Expected | Actual | Result | Test Report | |------|-----------|----------|--------|--------|-------------| | JDK 17 | `17` | javac 17.0.4 | javac 17.0.4 | ✅ | | JDK 25 | `25` | javac 25.0.2 | javac 25.0.2 | ✅ | --- ## Backward Compatibility - **Vagrantfile**: Continues to work as before - **Existing workflows**: Default behavior unchanged (JDK 17 on x64 architecture) - **No breaking changes**: All existing configurations continue to work --- Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com>
blitzy Bot
pushed a commit
to blitzy-public-samples/blitzy-kafka
that referenced
this pull request
Apr 18, 2026
Resolve all 9 Minor and 10 Info findings from the Checkpoint 1 code review, correcting factual inaccuracies, citation line-range imprecisions, and cross- artifact consistency drift. No modifications to pre-existing Kafka source, tests, build files, or comments — Audit Only rule preserved. Findings by file: accepted-mitigations.md #1 [MINOR] AclCache imports corrected: org.apache.kafka.server.immutable (PCollections-backed Kafka-internal) instead of Guava's com.google.common.collect. apache#2 [MINOR] API surface rewritten to reflect PCollections-style structural- sharing methods .updated()/.added()/.removed() instead of Guava builder pattern. apache#3 [MINOR] ZstdCompression BufferPool path split: wrap-for-output uses zstd-jni RecyclingBufferPool.INSTANCE (L55-L63), wrap-for- input uses ChunkedBytesStream (L65-L75), wrap-for-zstd-input uses anonymous Kafka-owned BufferPool delegating to BufferSupplier (L77-L98). apache#4 [INFO] MAX_RECORDS_PER_USER_OP citation corrected: declaration at QuorumController.java:L185; AclControlManager.java:L52 is the static import only. apache#5 [INFO] AclCache.removeAcl(Uuid) line corrected to L91-L103 (was L89+). references.md apache#6 [MINOR] SafeObjectInputStream citation range tightened from L17-L25 (class header + imports only) to L25-L62 covering the class declaration, DEFAULT_NO_DESERIALIZE_CLASS_NAMES blocklist (L27-L37), resolveClass (L43-L52), and isBlocked helper (L54-L62). apache#7 [INFO] PropertyFileLoginModule citation corrected to L42-L50, pointing at the Javadoc PLAINTEXT warning (L47-L48) plus the class declaration (L50). remediation-roadmap.md apache#8 [INFO] Gantt markers sanitised: all :done/:active markers replaced with :crit (illustrative critical emphasis) or plain markers to avoid any visual suggestion of work already performed. Explanatory blockquote added clarifying the marker change. severity-matrix.md apache#9 [MINOR] 7 occurrences of parenthesised '(Accepted Mitigation)' replaced with bracketed '[Accepted Mitigation]' per Global Conventions for plain-text markers. Cross-validated 9 bracketed instances, 0 parenthesised remaining. README.md apache#11 [MINOR] HEAD commit reference corrected to the pre-audit baseline 6d16f68 (was 8a99096, a mid-audit snapshot); baseline attestation now refers to the commit immediately before the audit began. apache#12 [MINOR] Snapshot date unified to 2026-04-17 across all artifacts. apache#14 [INFO] '25 files' claim qualified as 'planned at project completion' vs 'delivered at this checkpoint (15 files)'. attack-surface-map.md apache#16 [MINOR] Clients module category count corrected from 'six' to 'nine' (actual Mermaid edges: C1, C2, C3, C4, C5, C7, C8, C9, C10). apache#17 [MINOR] Connect module category count corrected from 'five' to 'seven' (actual Mermaid edges: C1, C4, C6, C7, C8, C9, C10). oauth-jwt-validation-paths.md apache#18 [INFO] Outer citation ranges tightened: BrokerJwtValidator.configure at L107-L138 (not L102-L134); OAuthBearerUnsecuredValidatorCallbackHandler.handleCallback at L154-L177 (not L161-L204, which spanned unrelated helpers); allowableClockSkewMs helper cited separately at L194-L207. executive-summary.html Cross-ref A [MINOR] HEAD commit aligned to 6d16f68 at three sites (L621, L668, L1544); methodology Mermaid node re-labelled 'Baseline 6d16f68'. Cross-ref B [MINOR] Snapshot date aligned to 2026-04-17 at two sites (L619, L1542). Out-of-scope (Info-level forward-refs): apache#10, apache#13, apache#15 — Links to docs/security-audit/findings/*.md deliverables not yet present at Checkpoint 1; expected per scope boundary; will resolve at Checkpoint 2 when the 10 per-category findings files land. Validation results (Phase 3): - Mermaid fences: all balanced (20 blocks total, all typed) - HTML tag balance: 22 sections + all 20+ tag types balanced - CDNs intact: reveal.js 5.1.0, Mermaid 11.4.0, Font Awesome 6.6.0 - Emojis: zero across all 15 artifacts - TODOs/placeholders introduced: zero - Gantt markers: :crit + plain only (no :done/:active) - Cross-artifact consistency: zero wrong SHA/date values remaining - Citation ranges: 12 verified against AclCache, QuorumController, AclControlManager, ZstdCompression, SafeObjectInputStream, PropertyFileLoginModule, BrokerJwtValidator, and OAuthBearerUnsecuredValidatorCallbackHandler. Audit Only rule verification: git diff --name-status 6d16f68..HEAD returns only 'A' entries, all under docs/security-audit/. Zero modifications, deletions, or renames of any pre-existing Kafka path.
blitzy Bot
pushed a commit
to blitzy-public-samples/blitzy-kafka
that referenced
this pull request
Apr 18, 2026
QA Checkpoint #1 identified 9 MINOR documentation-quality findings in the Apache Kafka 4.2 security audit deliverables. All 9 findings are documentation corrections confined to the docs/security-audit/ tree; no source code, tests, or build configuration touched — fully compliant with the Audit Only rule. FIXES APPLIED (by QA finding number): Issue #1 [MINOR] — findings/07-external-function-callback-misuse.md L247 Validation Checklist cited legacy path 'internals/secured/BrokerJwtValidator.java'. Updated to current Kafka 4.2 canonical path 'clients/src/main/java/org/apache/kafka/common/security/oauthbearer/BrokerJwtValidator.java' with an explanatory note that the class was reorganized out of the internals/secured sub-package in a prior Kafka refactor. Issue apache#2 [MINOR] — findings/08-deserialization-attacks.md L305 Same pattern as #1 — Validation Checklist updated from 'internals/secured/{Broker,Client}JwtValidator.java' to 'clients/.../oauthbearer/{Broker,Client}JwtValidator.java' with explanatory note. Issue apache#3 [MINOR] — findings/09-information-leakage.md L245 Validation Checklist cited legacy path 'connect/runtime/src/main/java/org/apache/kafka/connect/runtime/RecordRedactor.java'. Updated to current canonical path 'metadata/src/main/java/org/apache/kafka/metadata/util/RecordRedactor.java' with explanatory note. Issue apache#4 [MINOR] — findings/09-information-leakage.md L248 Validation Checklist BrokerJwtValidator and ClientJwtValidator paths updated to current 'oauthbearer/' canonical paths with explanatory note. Issue apache#5 [MINOR] — findings/10-public-api-developer-misuse.md L298 Validation Checklist BrokerJwtValidator path updated to current 'oauthbearer/BrokerJwtValidator.java:L131' canonical path with explanatory note. Issue apache#6 [MINOR] — findings/10-public-api-developer-misuse.md L302 Validation Checklist cited legacy path 'server-common/src/main/java/org/apache/kafka/server/config/ReplicationConfigs.java'. Updated to current canonical path 'server/src/main/java/org/apache/kafka/server/config/ReplicationConfigs.java' with explanatory note that the file moved from the server-common module to the server module in a prior Kafka refactor. Issue apache#7 [MINOR] — references.md Section 3.1 Configuration Added missing entry for 'AllowedPaths.java' ('clients/src/main/java/org/apache/kafka/common/config/internals/AllowedPaths.java'), inserted between the DirectoryConfigProvider and EnvVarConfigProvider entries. Finding 01 cites AllowedPaths 14 times; this bibliography gap is now closed. Issue apache#8 [MINOR] — references.md Section 7 Server Module Added missing entry for 'SocketServerConfigs.java' ('server/src/main/java/org/apache/kafka/network/SocketServerConfigs.java'), inserted after the ReplicationConfigs entry with an inline note about the 'org.apache.kafka.network' vs 'org.apache.kafka.server.config' package mismatch. Findings 03 (11 cites) and 10 (5 cites) reference SocketServerConfigs; this bibliography gap is now closed. Issue apache#9 [MINOR] — findings/01 and findings/10 section header numbering Harmonized H2 section headers to match the numbered 1-10 pattern used by findings 02-09. Applied 20 header replacements total: 10 in finding 01 ('## Category' -> '## 1. Category', etc.), 10 in finding 10 (same pattern). Validation Checklist and Key Insights remain unnumbered per the existing majority convention. Content substance is unchanged; only section prefixes updated. VALIDATION RESULTS: - All 6 canonical file paths verified via 'test -f' to exist in the Kafka source tree at HEAD. - Zero stale 'internals/secured/', 'connect/runtime/.../RecordRedactor', or 'server-common/.../ReplicationConfigs' references remain across the audit corpus. - All 10 findings now have exactly 10 numbered H2 section headers (verified via 'grep -cE "^## [0-9]+\. "'). - Markdown fence balance intact (all diagram files: 4 fences each; findings: all balanced). - Cross-referenced anchors (DISALLOW_NONE, ALLOW_LEADING_ZEROS, AllowedPaths, MAX_RECORDS_PER_USER_OP) preserved. - references.md entries verified present (AllowedPaths=1 match, SocketServerConfigs=1 match). AUDIT ONLY RULE COMPLIANCE: Modifications confined exclusively to documentation artifacts under docs/security-audit/. Zero source code, test, build-configuration, or inline-comment modifications. The untracked 'blitzy/' directory (pre-existing baseline) is NOT part of this commit. Files changed: 6 (+46 / -26 lines) M docs/security-audit/findings/01-filesystem-access-path-traversal.md M docs/security-audit/findings/07-external-function-callback-misuse.md M docs/security-audit/findings/08-deserialization-attacks.md M docs/security-audit/findings/09-information-leakage.md M docs/security-audit/findings/10-public-api-developer-misuse.md M docs/security-audit/references.md
blitzy Bot
pushed a commit
to blitzy-public-samples/blitzy-kafka
that referenced
this pull request
Apr 19, 2026
Addresses 4 issues raised in Checkpoint apache#2 QA report for the Kafka 4.2 security-audit deliverable under docs/security-audit/. All changes are isolated to the audit-artifact tree per AAP §0.4.1 and the "Audit Only" user rule — zero source-code files modified. Issue 1 (MAJOR) — Mermaid HTML-entity parse failure File: docs/security-audit/diagrams/kraft-quorum-safety.md (lines 104, 107) Root cause: Raw <VoterSet> and <= 1 HTML entities inside a sequenceDiagram fenced block. Mermaid 11.4.0 renders markdown fences without HTML-entity decoding, producing a "Syntax error in text" bomb icon on GitHub and in the standalone renderer. Fix applied: Decoded the standalone "<= 1" operator directly, and rewrote the templated type Optional<VoterSet> as Optional[VoterSet] (square brackets). Angle-bracket decoding alone was insufficient because Mermaid with securityLevel: 'loose' parses "<Word>" as an HTML tag inside message payloads; the square-bracket form carries equivalent semantics for a generic-type annotation in pseudocode. Verified at runtime: Custom 14-block test harness confirms all 14 standalone Mermaid blocks across the 7 diagram files now render. kraft-quorum-safety.md block 2 produces a 34859-byte SVG. The result (14 PASS / 0 FAIL) is captured in blitzy/screenshots/qa_fix_14_block_mermaid_test_14pass_0fail.png. Issue 12 (INFO) — HIGH badge color "deviation" File: docs/security-audit/executive-summary.html (:root, badge rules) Root cause: QA flagged .badge-high (#EA580C orange-600) as deviating from the AAP palette #D97706 (amber-600). Investigation across 6 audit artifacts proved #EA580C is the CANONICAL High-severity color (also used in attack-surface-map.md classDef high, icon-orange on slide 8, heatmap cells, etc.) — #D97706 is reserved for Medium. Fix applied: Added explicit CSS comment blocks at :root CSS variables and at the .badge-* rules documenting the canonical mapping (Critical=#DC2626, High=#EA580C, Medium=#D97706, Low=#16A34A, Info=#64748B) and explaining that High / Medium deliberately use adjacent warm tones so the two tiers remain visually separable. Verified at runtime: getComputedStyle confirms .badge-high yields rgb(234, 88, 12) (#EA580C) and .badge-medium yields rgb(217, 119, 6) (#D97706) — no visual change; the fix is documentation only. Issue 13 (MINOR a11y) — 22 Font Awesome icons lacked aria-hidden File: docs/security-audit/executive-summary.html Root cause: On slide-supply-chain (dependency tables) and slide-22 (link-button icons), 22 decorative <i> elements carried no aria-hidden or aria-label. Screen readers could announce the icon-font code-point which is noise to non-sighted users. Fix applied: Added aria-hidden="true" to all 22 decorative icons (12 in the supply-chain table, 10 in slide-22 link buttons). Verified at runtime: DOM query returned total=104, with_aria_hidden= 104, with_neither=0. 100% coverage achieved. Issues 2–11 (MINOR responsive) — 9 observations at 375 px mobile File: docs/security-audit/executive-summary.html (new @media block at lines 666-713) Root cause: At ≤480 px viewports, the .two-col flex row (slides 3 and 18) and the .icon-grid-links 4-card row (slide 22) compressed aggressively, reducing readability of cards and dual-tables. Fix applied: Non-invasive mobile-only @media (max-width: 480px) block. Stacks .two-col to single column; wraps .icon-grid-links cards to 2-per-row (calc(50% - 0.6em) widths). Scoped strictly to mobile — desktop (1280) and tablet (768) rendering are unchanged. Verified at runtime: evaluate_script confirmed stylesheet.cssRules grew from 97 to 98 after reload; screenshots captured at 375 mobile AND 1280 desktop show the expected layouts. Scope compliance git diff --name-only confirms ONLY docs/security-audit/ paths modified. No clients/, core/, connect/, raft/, metadata/, storage/, streams/, release/, gradle/, or build.gradle changes. The "Audit Only" user rule is fully honored. Validation summary • Static: HTML parses clean (0 unclosed tags across 1736 lines); kraft-quorum-safety.md valid UTF-8, 4 balanced fences, 0 HTML entities in Mermaid code. • Runtime: 22 slides render at 1280 / 768 / 375 breakpoints; all 104 FA icons aria-hidden; 6 canonical palette colors verified via getComputedStyle; 14/14 standalone Mermaid blocks render (incl. kraft-quorum-safety block 2 — the original MAJOR failure point); 12/12 embedded deck Mermaid blocks still lazy-render; 0 console errors during any navigation; keyboard navigation and overview mode unchanged.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This issue can be caused by a non-existing path but also a misunderstanding from the config file. A short example will help the user.