Hi Colin, Hi all,

Thanks for your feedback!

> Do you really think you'll have both a lot of PLAINTEXT and a lot of SSL
> connections?

Yes, and here is our use-case. Generally we have four listeners for users:

MGR_CHANNEL: For administrator management (SSL)
REPLICA: Inter-broker replication (PLAINTEXT)
CLIENT: Inner VPC connections (SASL_PLAINTEXT/SASL_SSL)
PUBLIC_CLIENT: Public network connection (SASL_PLAINTEXT/SASL_SSL)

Users will use the CLIENT listener for connections under the same VPC subnet, while using the PUBLIC_CLIENT port for public or cross-VPC access. When users configure the SASL_SSL protocol for both of these listeners, there will be a lot of PLAINTEXT connections and SSL connections at the same time.

> limit the SSL connections precisely

To elaborate further, by setting connection limits at the listener level, it is possible to limit SSL connections. However, determining the appropriate value can be challenging, especially when considering multiple SSL listeners in the future. For example, if we have four listeners, the maximum value for the connection count of each listener may be set to 2500. This may result in the actual limit imposed being much lower than what we desired when the connections of some listeners are relatively low.

Original From: "Colin McCabe" <cmcc...@apache.org>
Date: 2024/1/9 4:37
To: "dev" <dev@kafka.apache.org>
Subject: Re: [DISCUSS] KIP-1015: Limit number of ssl connections in brokers

Hi zw,

As you yourself wrote in the rejected alternatives section, the existing listener-specific connection limit already lets administrators limit the number of SSL connections (assuming that one listener is SSL and another is not). I don't understand the objection to just using that capability.

You mention that "the protocol of the listener may change dynamically, and the limit of the listener also needs to be modified." But the connection limit is also dynamic, so that doesn't seem to be a problem.

I didn't understand the objection that a per-listener limit doesn't allow you to "limit the ssl connections precisely" -- can you explain more?

Just as a general comment, I think the biggest use-case for mixed clusters that support both PLAINTEXT and SSL is when you have replication using PLAINTEXT and external connections using SSL. In that case, it's hardly worth having a separate limit for SSL, since the number of plaintext connections is bounded, and low. But perhaps your use-case is different. Do you really think you'll have both a lot of PLAINTEXT and a lot of SSL connections?

cheers,
Colin

On Sat, Jan 6, 2024, at 23:17, zw wrote:
> Hi all,
> I'd like to begin discussion on KIP-1015 which proposes to add new
> configuration max.ssl.connections to limit number of ssl connections in
> brokers.
> KIP link:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-1015%3A+Limit+number+of+ssl+connections+in+brokers
>
>
> Best,
> Jimmy Wang
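The point zw raises above (an SSL budget split evenly across per-listener caps admits fewer SSL connections than the same budget enforced as one broker-wide cap whenever some listeners are lightly used) can be checked with a small admission model. This is an added example, not code from the thread or from Kafka; the listener names and the 2500/10000 figures follow the discussion, the demand numbers are constructed, and `max_ssl_connections` here is a hypothetical stand-in for the cap the KIP proposes.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

SSL_PROTOCOLS = {"SSL", "SASL_SSL"}


@dataclass
class BrokerGate:
    """Connection admission model: per-listener caps plus an optional broker-wide SSL cap."""
    listeners: Dict[str, str]                 # listener name -> security protocol
    per_listener_cap: Dict[str, int]          # listener name -> max connections on that listener
    max_ssl_connections: Optional[int] = None  # hypothetical KIP-1015 style broker-wide SSL cap
    active: Dict[str, int] = field(default_factory=dict)

    def is_ssl(self, listener: str) -> bool:
        return self.listeners[listener] in SSL_PROTOCOLS

    def ssl_total(self) -> int:
        return sum(n for name, n in self.active.items() if self.is_ssl(name))

    def admit(self, listener: str) -> bool:
        """Return True if one more connection on `listener` is allowed, and record it."""
        current = self.active.get(listener, 0)
        if current >= self.per_listener_cap.get(listener, float("inf")):
            return False  # listener-level limit reached
        if (self.is_ssl(listener) and self.max_ssl_connections is not None
                and self.ssl_total() >= self.max_ssl_connections):
            return False  # broker-wide SSL limit reached
        self.active[listener] = current + 1
        return True


def compare(demand: Dict[str, int]):
    """demand: listener -> number of clients trying to connect (constructed sample).

    Returns (SSL connections admitted with 2500 per listener,
             SSL connections admitted with one broker-wide cap of 10000)."""
    listeners = {"MGR_CHANNEL": "SSL", "REPLICA": "PLAINTEXT",
                 "CLIENT": "SASL_SSL", "PUBLIC_CLIENT": "SASL_SSL"}
    split = BrokerGate(listeners, {name: 2500 for name in listeners})
    global_cap = BrokerGate(listeners, {}, max_ssl_connections=10000)
    for gate in (split, global_cap):
        for name, n in demand.items():
            for _ in range(n):
                gate.admit(name)
    return split.ssl_total(), global_cap.ssl_total()


if __name__ == "__main__":
    # MGR_CHANNEL is nearly idle while CLIENT and PUBLIC_CLIENT are busy.
    print(compare({"MGR_CHANNEL": 100, "CLIENT": 6000, "PUBLIC_CLIENT": 3000}))
```

With the idle management listener, the per-listener split admits only 5100 SSL connections while a single broker-wide cap admits 9100, which is the gap zw describes.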