The following are some of the updates in Kafka 4.0 release:
++ The password encoder-related configurations have been removed. These configurations were used in ZooKeeper + mode to define the key and backup key for encrypting sensitive data (e.g., passwords), specify the algorithm + and key generation method for password encryption (e.g., AES, RSA), and control the key length and encryption + strength. +
+password.encoder.secretpassword.encoder.old.secretpassword.encoder.keyfactory.algorithmpassword.encoder.cipher.algorithmpassword.encoder.key.lengthpassword.encoder.iterations+ In Kraft mode, Kafka adopts standardized security configurations. Most sensitive data encryption is handled + by the security framework (e.g., SASL, SSL), making the password encoder-related configurations obsolete. + Sensitive data can now be encrypted in two ways: SASL and SSL/TLS. +
++ Using SASL/SCRAM, you can encrypt communication between clients and brokers with mechanisms such as + SCRAM or GSSAPI. To configure SASL. Use the following parameters to specify the desired SASL mechanism. + +
sasl.enabled.mechanismssasl.mechanism.inter.broker.protocol+ Using SSL/TLS, you can encrypt communication between clients and brokers by specifying the SSL keystore + and truststore configurations. Use the following parameters: +
+ssl.keystore.locationssl.keystore.passwordssl.key.passwordssl.truststore.locationssl.truststore.password
+ Removed control.plane.listener.name. Kafka relies on ZooKeeper to manage metadata, but some
+ internal operations (e.g., communication between controllers (a.k.a., broker controller) and brokers) still require
+ Kafka’s internal control plane for coordination.
+
+ In KRaft mode, Kafka eliminates its dependency on ZooKeeper, and the control plane functionality is fully + integrated into Kafka itself. The process roles are clearly separated: brokers handle data-related requests, + while the controllers (a.k.a., quorum controller) manages metadata-related requests. The controllers use the Raft + protocol for internal communication, which operates differently from the ZooKeeper model. Use the following + parameters to configure the control plane listener: +
+controller.listener.nameslistenerslistener.security.protocol.map+ Remove the broker id generation-related configurations. These configurations were used in ZooKeeper mode to + define the broker id, specify the broker id auto generation, and control the broker id generation process. +
+reserved.broker.max.idbroker.id.generation.enablebroker.id+ Kafka use the node id in Kraft mode to identify servers. +
+node.id+ Removed Zookeeper related configurations. +
+zookeeper.connectzookeeper.session.timeout.mszookeeper.connection.timeout.mszookeeper.set.aclzookeeper.max.in.flight.requestszookeeper.ssl.client.enablezookeeper.clientCnxnSocketzookeeper.ssl.keystore.locationzookeeper.ssl.keystore.passwordzookeeper.ssl.keystore.typezookeeper.ssl.truststore.locationzookeeper.ssl.truststore.passwordzookeeper.ssl.truststore.typezookeeper.ssl.protocolzookeeper.ssl.enabled.protocolszookeeper.ssl.cipher.suiteszookeeper.ssl.endpoint.identification.algorithmzookeeper.ssl.crl.enablezookeeper.ssl.ocsp.enable