feat: Connection for Kafka source & sink

[tabVersion]

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

following #18975

Checklist

• I have written necessary rustdoc comments
• I have added necessary unit tests and integration tests
• I have added test labels as necessary. See details.
• I have added fuzzing tests or opened an issue to track them. (Optional, recommended for new SQL features Sqlsmith: Sql feature generation #7934).
• My PR contains breaking changes. (If it deprecates some features, please create a tracking issue to remove them in the future).
• All checks passed in ./risedev check (or alias, ./risedev c)
• My PR changes performance-critical code. (Please run macro/micro-benchmarks and show the results.)

• My PR contains critical fixes that are necessary to be merged into the latest release. (Please check out the details)

Documentation

• My PR needs documentation updates. (Please use the Release note section below to summarize the impact on users)

Release note

introducing a new catalog CONNECTION. and have integrated with SECRET

please note that the legacy create connection to AWS PrivateLink has been deprecated in #18975.

new syntax

CREATE CONNECTION [ IF NOT EXISTS ] <connection name> with (
  type = 'kafka' / 'iceberg'
  some_atter_1 = secret <secret name>,
  some_attr_2 = '...'
);

planned support for Kafka, iceberg (by @chenzl25 ) and FS (@wcy-fdu ) at the first stage.

---

when creating source/sink from a connection, connector must match with the connection type & the ref key must be connection

create source s ( ... ) with (
  connector = 'kafka', # <- match with connection type
  connection = <connection name> # <- the key must be `profile` and use `connection` to mark ref to connection catalog. 
) format ... encode ...;

and the attrs defined in connection and source/table/sink cannot have overlap

create connection conn with ( type = 'kafka', a = 'a', b = 'b' );

# reject as overlap key `a` and `b`
create source s with ( connector = 'kafka', a = '1', 'b' = '2' , connection = conn ) format ... encode ... ;

• one more thing
  • we still allow creating source/table/sink without connection and the syntax remains unchanged.

---

to perform connection validate, we need a new kafka ACL: DESCRIBE CLUSTER (the privilege is auth via username and password, not related with consumer group. )

---

Connection stores KV in the catalog and validation only takes a copy.
When building source/sink/table, we first fill the KVs in connection catalog to the with options and then start the create procedure.

accepted kafka connection props

(connection related)

• properties.bootstrap.server (only required)
• properties.security.protocol
• properties.ssl.endpoint.identification.algorithm
• properties.ssl.ca.location
• properties.ssl.ca.pem
• properties.ssl.certificate.location
• properties.ssl.certificate.pem
• properties.ssl.key.location
• properties.ssl.key.pem
• properties.ssl.key.password
• properties.sasl.mechanism
• properties.sasl.username
• properties.sasl.password
• properties.sasl.kerberos.service.name
• properties.sasl.kerberos.keytab
• properties.sasl.kerberos.principal
• properties.sasl.kerberos.kinit.cmd
• properties.sasl.kerberos.min.time.before.relogin
• properties.sasl.oauthbearer.config

(private link related)

• privatelink.targets
• privatelink.endpoint

handle_create_connection will do the private link resolve and remove both privatelink.targets and privatelink.endpoint and insert the broker.rewrite.endpoints to the props.

so if users specify privatelink.targets and privatelink.endpoint in connection, they cannot set it again when create source/table/sink.

(aws auth related: for msk)

• aws.region
• endpoint
• aws.credentials.access_key_id
• aws.credentials.secret_access_key
• aws.credentials.session_token
• aws.credentials.role.arn
• aws.credentials.role.external_id

[wcy-fdu]

we still allow creating source/table/sink without connection and the syntax remains unchanged.

So should we implement new connection for all file source&iceberg source and do not change previous Properties?

[tabVersion]

we still allow creating source/table/sink without connection and the syntax remains unchanged.

So should we implement new connection for all file source&iceberg source and do not change previous Properties?

At least keep the props in the with-clause unchanged.

[fuyufjh]

Perhaps the madsim needs to be updated?

[fuyufjh]

This is kind of a weak-typed implementation, as the properties are kept as a map<string,string> here.

On the contrary, we may optionally make it strong-typed by defining connection's fields as a message (such as message KafkaConnection), and meanwhile, the corresponding struct (such as struct KafkaConnectionInner) would be substituted.

I tend to prefer the latter one, but I am not sure how to handle secrets. Comments are welcomed.

[tabVersion]

I had this idea before.
If we are going with a concrete type here, we have to accept a more complex impl when handling create source/sink/table, ie. we have to know an attr comes from either with-clause or connection catalog and make sure it won't collide. Besides, secret ref is a problem.

Current impl overcomes the prior problem by merging everything into hashmap and keeps the original path to create source/sink/table unchanged.

[fuyufjh]

No need to keep the oneof now. May remove it to improve readability.

[tabVersion]

We are still using the proto in meta backup. Removing the oneof might break compatibility.

[fuyufjh]

Well, then let's place connection_params outside the oneof at least

[fuyufjh]

What's this for?

[tabVersion]

We will validate the connection on meta, which needs to fill in the secrets. So introducing Secret Error here for handling possible failure.

[fuyufjh]

I think this should be added to SinkParam & SinkDesc instead, side-by-side with the Sink's properties.

[tabVersion]

Let me clear the logic for the related proto defs

• Sink (proto/catalog.proto): def of sink in catalog for all sink, we will read props and resolve connection dep based on this message. And the message contains SinkFormatDesc. We already have connection.id field here.
  • We do solve connection ref when creating sink, so the props in Sink.properties contains the ones from connection catalog.
• SinkFormatDesc (proto/catalog.proto): specifying format ... encode ... options (and contained by sink catalog). We ref a connection here for schema registry.
• SinkDesc (proto/stream_plan.proto): It defines what field we dispatch to CNs. But we have already resolved the props from connection def in meta so there is no need to change things here.
• SinkParam (proto/connector_service.proto): seems to define the transport protocol between kernel and connector node (most ref in Java). And ditto, the step is behind the meta node so no change is needed.

[fuyufjh]

We do solve connection ref when creating sink, so the props in Sink.properties contains the ones from connection catalog.

I see. So here we expand all the connections into concrete parameters on creation, right? This is okay to me, but in this way, I think connection_id here in SinkFormatDesc should not appear as well, because all connection-related things are already eliminated on creation.

(It seems SinkFormatDesc::connection_id was indeed not used anywhere?)

[tabVersion]

Similar to the source side, the connector part and schema registry part will have independent connection, just like individual secret_refs.

we are offering syntax like

create source s(...) with (
  connector = 'kafka',
  connection = <connector connection>, ...
) format ... encode ... (
  connection = <schema registry connection / glue connection>
)

[fuyufjh]

Yeah, I know. What I mean is: should it be resolved and eliminated before converting into a proto message?

We do solve connection ref when creating sink, so the props in Sink.properties contains the ones from connection catalog.

[tabVersion]

Yeah, I know. What I mean is: should it be resolved and eliminated before converting into a proto message?

We resolve the props in the frontend and the catalog is persisted in the meta. We have to reserve a field to keep the connection_id to maintain the dependency. And to keep the design simple and align with the secret ref, I think adding connection.id for each connector and schema registry is the best practice.

& We are going to support alter connection and apply the changes to all related source/sink. Eliminating the connection.id in the catalog makes the step harder.

[fuyufjh]

I see. You keep both connection_id and the resolved connection arguments in these message structures, right? It's acceptable to me but a bit counter-intuitive.

And to keep the design simple and align with the secret ref,

IIRC, secret ref doesn't keep the resolved plaintext secret at all. It always resolves whenever using a secret.

[tabVersion]

IIRC, secret ref doesn't keep the resolved plaintext secret at all. It always resolves whenever using a secret.

Oh, here is a some gap on resolve.
You can ref to resolve_connection_ref_and_secret_ref, resolve here means extracting xxx = secret <secret name> from "with props" to PbSecretRef (secret_id). We will do the same op for secrets coming from both connection catalog and with props.

[fuyufjh]

Ditto.

[tabVersion]

Please add or update some e2e test to cover this feature.

Does e2e_test/source_inline/connection/ddl.slt lack some scenes?

[fuyufjh]

Overall LGTM

[fuyufjh]

Well, then let's place connection_params outside the oneof at least

[fuyufjh]

I see. You keep both connection_id and the resolved connection arguments in these message structures, right? It's acceptable to me but a bit counter-intuitive.

And to keep the design simple and align with the secret ref,

IIRC, secret ref doesn't keep the resolved plaintext secret at all. It always resolves whenever using a secret.

[wcy-fdu]

Common part generally LGTM.

[wcy-fdu]

So we just reuse Source.connection_id?

[tabVersion]

Yes and same for the schema registry part and sink.