org.apache.kafka.common.errors.PolicyViolationException: Request parameters do not satisfy the configured policy. log.retention.ms is '1', must not be less than '10'
Key | Type | Description |
---|---|---|
blacklist | BlackList | Blacklist of properties which cannot be changed |
logRetentionBytes | Long | Configuration for log.retention.bytes |
logRetentionMs | Long | Configuration for log.retention.ms |
logSegmentBytes | Long | Configuration for log.segment.bytes |
Key | Type | Description |
---|---|---|
values | Set String | A set of string that contains properties that cannot be changed |
action | Action | Action to take if the value is outside the specified range. |
Key | Type | Description |
---|---|---|
min | double | Minimum value for the configuration. |
max | double | Maximum value for the configuration. |
action | action | Action to take if the value is outside the specified range. |
overrideValue | double | Value to override with (only applicable when action is set to OVERRIDE ). |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.OVERRIDE
- execute API with overrideValue
values, save in audit the fact that we updated on the fly (with wrong value, and the one we used to fix them).retention.ms = 10000
but the Interceptor is being configured minRetentionMs=60000
. When you send that request to the cluster, the following error is returned:
Key | Type | Default | Description |
---|---|---|---|
topic | String | .* | Topics that match this regex will have the Interceptor applied |
blacklist | BlackList | Blacklist of properties which cannot be changed | |
retentionMs | Long | Configuration for retention.ms | |
retentionBytes | Long | Configuration for retention.bytes | |
segmentMs | Long | Configuration for segment.ms | |
segmentBytes | Integer | Configuration for segment.bytes | |
segmentJitterMs | Long | Configuration for segment.jitter.ms | |
flushMessages | Long | Configuration for flush.messages | |
flushMs | Long | Configuration for flush.ms | |
maxMessageBytes | Integer | Configuration for max.message.bytes | |
minInsyncReplicas | Integer | Configuration for min.insync.replicas | |
cleanupPolicy | Cleanupolicy | Configuration for cleanup.policy | |
uncleanLeaderElectionEnable | Boolean | Configuration for unclean.leader.election.enable |
Key | Type | Description |
---|---|---|
values | Set String | A set of string that contains properties that cannot be changed |
action | Action | Action to take if the value is outside the specified range. |
Key | Type | Description |
---|---|---|
min | int | Minimum value for the configuration. |
max | int | Maximum value for the configuration. |
action | action | Action to take if the value is outside the specified range. |
overrideValue | int | Value to override with (only applicable when action is set to OVERRIDE ). |
Key | Type | Description |
---|---|---|
min | double | Minimum value for the configuration. |
max | double | Maximum value for the configuration. |
action | action | Action to take if the value is outside the specified range. |
overrideValue | double | Value to override with (only applicable when action is set to OVERRIDE ). |
Key | Type | Description |
---|---|---|
values | Set String | Value for the configuration, should be a set of string that contains values from delete , compact or specify both policies in a comma-separated list (eg: delete,compact ). |
action | Action | Action to take if the value is outside the specified range. |
overrideValue | String | Value to override with (only applicable when action is set to OVERRIDE ). |
Key | Type | Description |
---|---|---|
value | Boolean | Value for the configuration. If action is OVERRIDE , will use this value for override value |
action | Action | Action to take if the value is outside the specified range. |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.OVERRIDE
- execute API with overrideValue
(or value
for others) values, save in audit the fact that we updated on the fly (with wrong value, and the one we used to fix them)PolicyViolationException
when action
is BLOCK
. Otherwise, fill the client-id with a templating mechanism
We support templating such as clientId-{{userIp}}-testing"
. Here are the values we can expand:
uuid
userIp
vcluster
user
clientId
gatewayIp
gatewayHost
gatewayVersion
apiKey
apiKeyVersion
timestampMillis
Key | Type | Default | Description |
---|---|---|---|
clientIdTemplate | String | Client-id with a templating mechanism to override | |
namingConvention | String | .* | Configuration for validating client id name convention |
action | Action | Action to take if the client id is invalid |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong client id, save in audit.OVERRIDE
- execute API with override value with a templating mechanism, save in audit the fact that we updated on the fly.invalid_group_id
, but the Interceptor is being configured groupId=conduktor_group_id.*
.
invalid_group_id
is still accepted and you will receive an audit record with the following error: Request parameters do not satisfy the configured policy. GroupId 'invalid_group_id' is invalid.
Key | Type | Description |
---|---|---|
groupId | Regex | Configuration for groupId. |
sessionTimeoutMs | Integer | Configuration for session timeout. |
rebalanceTimeoutMs | Integer | Configuration for rebalance timeout. |
memberId | Regex | Configuration for memberId. |
groupInstanceId | Regex | Configuration for groupInstanceId. |
Key | Type | Default | Description |
---|---|---|---|
value | String | Value as a regex, request values matching this regex will have Interceptor applied. | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
min | int | Minimum value for the configuration. | |
max | int | Maximum value for the configuration. | |
action | action | BLOCK | Action to take if the value is outside the specified range. |
overrideValue | int | Value to override with (only applicable when action is set to OVERRIDE ). |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.OVERRIDE
- execute API with overrideValue
values, save in audit the fact that we updated on the fly (with wrong value, and the one we used to fix them).Key | Type | Default | Description |
---|---|---|---|
topic | String | .* | Topics that match this regex will have the Interceptor applied |
namingConvention | Regex | Configuration for validating topic name convention | |
numPartition | Integer | Configuration for number of partitions | |
replicationFactor | Integer | Configuration for number of replicas | |
cleanupPolicy | Cleanup policy | Configuration for cleanup.policy | |
compressionType | Compression type | Configuration for compression.type | |
deleteRetentionMs | Long | Configuration for delete.retention.ms | |
fileDeleteDelayMs | Long | Configuration for file.delete.delay.ms | |
flushMessages | Long | Configuration for flush.messages | |
flushMs | Long | Configuration for flush.ms | |
indexIntervalBytes | Integer | Configuration for index.interval.bytes | |
maxCompactionLagMs | Long | Configuration for max.compaction.lag.ms | |
maxMessageBytes | Integer | Configuration for max.message.bytes | |
messageTimestampDifferenceMaxMs | Long | Configuration for message.timestamp.difference.max.ms | |
messageTimestampType | Message timestamp type | Configuration for message.timestamp.type | |
minCleanableDirtyRatio | Double | Configuration for min.cleanable.dirty.ratio | |
minCompactionLagMs | Long | Configuration for min.compaction.lag.ms | |
minInsyncReplicas | Integer | Configuration for min.insync.replicas | |
preallocate | Boolean | Configuration for preallocate | |
retentionBytes | Long | Configuration for retention.bytes | |
retentionMs | Long | Configuration for retention.ms | |
segmentBytes | Integer | Configuration for segment.bytes | |
segmentIndexBytes | Integer | Configuration for segment.bytes | |
segmentJitterMs | Long | Configuration for segment.jitter.ms | |
segmentMs | Long | Configuration for segment.ms | |
uncleanLeaderElectionEnable | Boolean | Configuration for unclean.leader.election.enable | |
messageDownconversionEnable | Boolean | Configuration for message.downconversion.enable |
Key | Type | Default | Description |
---|---|---|---|
value | String | Regex for validating topic name | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
min | int | Minimum value for the configuration. | |
max | int | Maximum value for the configuration. | |
action | action | BLOCK | Action to take if the value is outside the specified range. |
overrideValue | int | Value to override with (only applicable when action is set to OVERRIDE ). |
Key | Type | Default | Description |
---|---|---|---|
min | double | Minimum value for the configuration. | |
max | double | Maximum value for the configuration. | |
action | action | BLOCK | Action to take if the value is outside the specified range. |
overrideValue | double | Value to override with (only applicable when action is set to OVERRIDE ). |
Key | Type | Default | Description |
---|---|---|---|
values | Set String | Value for the configuration, should be a set of string that contains values from delete , compact or specify both policies in a comma-separated list like delete,compact . | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
overrideValue | String | Value to override with (only applicable when action is set to OVERRIDE ). |
Key | Type | Default | Description |
---|---|---|---|
values | Set Compression | Set of string contains compression types. | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
overrideValue | Compression | Value to override with (only applicable when action is set to OVERRIDE ). |
Key | Type | Default | Description |
---|---|---|---|
value | String | Only these are allowed, allowed values: CreateTime or LogAppendTime . If action is OVERRIDE , will use this value for override value | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
value | Boolean | Value for the configuration. If action is OVERRIDE , will use this value for override value | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
uncompressed
gzip
snappy
lz4
zstd
producer
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.OVERRIDE
- execute API with overrideValue
(or value
for others) values, save in audit the fact that we updated on the fly (with wrong value, and the one we used to fix them)The fetch policy interceptor
will be able to encourage (log) or block fetch requests that do not meet the specified configuration.
isolationLevel=read_uncommitted
.
When you send that request to the cluster, consumer will retry the request and the following error is logged in Gateway:
Key | Type | Default | Description |
---|---|---|---|
topic | String | .* | Topics that match this regex will have the Interceptor applied. If no value is set, it will be applied to all topics. |
isolationLevel | IsolationLevel | Configuration for isolation level | |
rackIdRequired | Boolean | Configuration of rankId usage | |
fetchMaxBytes | SafeguardIntegerConfig | Configuration for maxBytes | |
fetchMinBytes | SafeguardIntegerConfig | Configuration for minBytes | |
maxWaitMs | SafeguardIntegerConfig | Configuration for maxWaitMs | |
version | Version | Configuration for fetch version |
Key | Type | Default | Description |
---|---|---|---|
value | Isolation | Isolation level for fetch request | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
value | Boolean | Value for the configuration | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
min | int | Minimum value of fetch version | |
max | int | Maximum value of fetch version | |
action | action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
min | int | Minimum value of property | |
max | int | Maximum value of property | |
action | action | BLOCK | Action to take if the value is outside the specified range. |
read_uncommitted
read_committed
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.groupId
within a minute. If commit offset attempts hit more than limitation in specific duration, it will respond PolicyViolationException
.
Key | Type | Default | Description |
---|---|---|---|
groupId | string | .* | groupId regex, groupId that match this regex will have the Interceptor applied. |
maximumCommitsPerMinute | int | Maximum commit offset attempts on the same groupId within a minute | |
action | action | BLOCK | Action to take if the value is outside the specified range. |
throttleTimeMs | int | 100 | Value to throttle with (only applicable when action is set to THROTTLE ). |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.THROTTLE
- when fail, save in audit and the request will be throttled with time = throttleTimeMs
.PolicyViolationException
.
Key | Type | Default | Description |
---|---|---|---|
maximumConnectionsPerSecond | int | Maximum connections which is allowed within a second | |
action | action | BLOCK | Action to take if the value is outside the specified range. |
throttleTimeMs | int | 100 | Value to throttle with (only applicable when action is set to THROTTLE ). |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.THROTTLE
- when fail, save in audit and the request will be throttled with time = throttleTimeMs
.groupId
within a minute. If joinGroups attempts hit more than limitation in specific duration, it will respond PolicyViolationException
.
Key | Type | Default | Description |
---|---|---|---|
groupId | string | .* | groupId regex, groupId that match this regex will have the Interceptor applied |
maximumJoinsPerMinute | int | Maximum joinGroup attempts on the same groupId within a minute. | |
action | action | Action to take if the value is outside the specified range. | |
throttleTimeMs | int | 100 | Value to throttle with (only applicable when action is set to THROTTLE ). |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.THROTTLE
- when fail, save in audit and the request will be throttled with time = throttleTimeMs
.Key | Type | Default | Description |
---|---|---|---|
topic | String | .* | Topics that match this regex will have the Interceptor applied |
headerKeyRegex | String | Record header key regex, record header with key matches this regex will be removed |
recordHeaderRequired=true
. When you send that request to the cluster, the following error is returned:
Key | Type | Default | Description |
---|---|---|---|
topic | String | .* | Topics that match this regex will have the Interceptor applied. If no value is set, it will be applied to all topics. |
acks | Acks | Configuration for acks modes | |
recordHeaderRequired | Boolean | Configuration of header usage | |
compressions | Compression type | Configuration for compression types | |
idempotenceRequired | Boolean | Configuration for idempotency usage | |
transactionRequired | Boolean | Configuration for transaction usage | |
version | Version | Configuration for produce version |
Key | Type | Default | Description |
---|---|---|---|
value | Array integer | Only these acks modes are allowed, allowed values: -1, 0, 1 | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
value | Boolean | Value for the configuration. If action is OVERRIDE , will use this value for override value | |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
min | int | Minimum value of produce version | |
max | int | Maximum value of produce version | |
action | action | BLOCK | Action to take if the value is outside the specified range. |
Key | Type | Default | Description |
---|---|---|---|
values | Set Compression | Set of string contains compression types. | |
action | Action | BLOCK | Action to take if the value is outside the specified range. ` |
overrideValue | Compression | Value to override with (only applicable when action is set to OVERRIDE ). |
NONE
GZIP
SNAPPY
LZ4
ZSTD
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.Key | Type | Default | Description |
---|---|---|---|
maximumBytesPerSecond | int | Maximum bytes which is allowed to produce within a second | |
action | BLOCK | action | Action to take if the value is outside the specified range |
BLOCK
- when threshold is reached, throttle and save an error in audit.INFO
- when threshold is reached, do not throttle but save in audit a warn.Read-only
. This means that any mutating requests are denied. For example, produce requests are blocked, as are any requests that alter or delete topics.
The full list of Kafka API requests that this Interceptor blocks for the specified topics is:
Key | Type | Default | Description |
---|---|---|---|
topic | String | .* | Topics that match this regex will have the Interceptor applied. |
action | Action | BLOCK | Action to take if the value is outside the specified range. |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.Key | Description |
---|---|
schemaIdRequired: true | When sending a record without schemaId: Request parameters do not satisfy the configured policy. SchemaId is required. |
schemaIdRequired: false | When sending a record with schemaId: Request parameters do not satisfy the configured policy. SchemaId is not allowed. |
Key | Type | Default | Description |
---|---|---|---|
topic | String | .* | Topics that match this regex will have the Interceptor applied |
schemaIdRequired | Boolean | Records must/must not have schemaId | |
action | Action | BLOCK | Action to take if the value is outside the specified range |
BLOCK
- when fail, save in audit and return error.INFO
- execute API with wrong value, save in audit.