Status

  • Current State: Draft
  • Discussion Thread: TBD
  • JIRA: KAFKA-20526
  • Release: TBD

Motivation

Kafka brokers authenticate every client connection and store the authenticated principal (KafkaPrincipal) in memory on each KafkaChannel. However, there is no admin API, CLI command, JMX MBean, or log output that allows an operator to answer:

"Which user principals currently have active connections to this broker?"

This is a fundamental observability gap. Every comparable system provides this capability:

SystemCommand / API
MySQLSHOW PROCESSLIST
PostgreSQLpg_stat_activity
RabbitMQManagement API /api/connections
MongoDBdb.currentOp()
Apache KafkaNothing

Use Cases

  • Security incident response: When a SASL credential is compromised, operators cannot determine if the compromised user has active connections without restarting brokers or using indirect workarounds.
  • Credential rotation: During planned rotation, there is no way to verify that old credentials are no longer in use on active connections.
  • Audit and compliance: Regulatory requirements mandate the ability to report who is connected to a system at any point in time.
  • Capacity planning: Per-principal connection counts help with quota tuning and resource allocation.
  • Debugging: Correlating connections with authenticated identities during troubleshooting.

Current State of the Data

The broker already holds all the data in memory:

SocketServer
  └── NetworkProcessor (one per network thread)
        └── Selector
              └── channels: Map[String, KafkaChannel]
                    └── KafkaChannel
                          ├── principal(): KafkaPrincipal    ← authenticated user
                          ├── socketAddress: InetAddress      ← client IP
                          ├── channelMetadataRegistry
                          │     └── clientInformation         ← software name/version
                          └── id: String                      ← connection ID

The data is simply not surfaced through any external interface.

Existing Workarounds

WorkaroundLimitation
Set kafka.authorizer.logger=DEBUG dynamicallyOnly logs principals when they make requests that trigger authorization. Truly idle connections are invisible.
Set kafka.request.logger=DEBUG dynamicallyExtremely verbose. Still misses connections that send zero requests.
JMX quota metrics (kafka.server:type=*,user=*)Sensors expire after 600s of inactivity. Requires quotas to be enabled.
Heap dump (jmap)Causes GC pause. Requires post-processing. Not suitable for real-time use.

Related Work

  • KIP-511 (shipped, Kafka 2.4): Exposes client software name/version via JMX — aggregate counts only, no principals or individual connections.
  • KIP-714 (shipped, Kafka 3.7): Client-pushed telemetry — client-side metrics, not server-side connection listing. Requires client opt-in.
  • KIP-1000 (accepted): ListClientMetricsResources API — lists telemetry configs, not connections.
  • KIP-567 (stalled): Kafka Cluster Audit — audit log of operations, not real-time connection state.
  • KIP-1313 (under discussion): ClientInstanceId in request headers — enriches tracing but no API to query connections.

None of these address the core gap.

Public Interfaces

To be detailed in a future revision.

Proposed Changes

To be detailed in a future revision.

Compatibility, Deprecation, and Migration Plan

To be detailed in a future revision.

Test Plan

To be detailed in a future revision.

Rejected Alternatives

To be detailed in a future revision.

  • No labels