rhauch commented on pull request #388:
URL: https://github.com/apache/kafka-site/pull/388#issuecomment-994134387


   As background for Connect:
   * The Connect runtime puts all JARs from each connector plugin on a separate classloader, and neither the Connect runtime nor other connector plugins have access to a plugin's JARs. This is why a connector plugin that includes a Log4J 2.x JAR
   * Most connector implementations simply use the logging provided by the Connect runtime, which is Log4J 1.x regardless of the JARs included by connector plugins.
   * However, if a connector plugin does include the Log4J 2.x JAR files, those JAR files will only be used if the connector implementation explicitly uses those APIs. There isn't a need to do this, but connectors are custom code and can do quite a bit.
   
   We might consider adding something like this, which I hope conveys the 
limited scope of the risk:
   
   > The Connect runtime of Apache Kafka allows users to install third party connector plugins. These connector plugins will use the Connect runtime's Log4J 1.x by default, even when Log4J 1.x or 2.x JARs are inadvertently shipped with the connector plugin. Check with the vendor of any connector plugin that includes a Log4J 2.x JAR file.
   
   Basically, AK is not responsible for third party connectors that users add 
to their Connect installations. But users should consult with the vendor of 
those third party connectors.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
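
An added example, not part of the original comment or the Kafka project's code: a Python inventory of one Connect `plugin.path` directory that reports, per plugin, which JARs carry Log4J 2.x core classes, so you know which vendors to ask. It assumes each child of that directory is a plugin directory or an uber JAR; `build_sample` and every file name in it are constructed test input.

```python
import tempfile
import zipfile
from pathlib import Path

# Log4J 2.x core classes live under this package; Log4J 1.x uses
# org/apache/log4j/ instead, so the prefix separates the two generations.
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"

def jar_has_log4j2_core(jar_path):
    """True if the JAR holds Log4J 2.x core classes, as its own or bundled."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return any(n.startswith(LOG4J2_CORE_PREFIX) and n.endswith(".class")
                       for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False  # unreadable or not a ZIP: nothing to report

def scan_plugin_path(plugin_path):
    """Map each plugin (one classloader each) to its JARs with Log4J 2.x core."""
    findings = {}
    for entry in sorted(Path(plugin_path).iterdir()):
        if entry.is_dir():
            jars = sorted(entry.rglob("*.jar"))
        elif entry.suffix == ".jar":
            jars = [entry]  # uber JAR plugin
        else:
            continue
        hits = [j.relative_to(plugin_path).as_posix()
                for j in jars if jar_has_log4j2_core(j)]
        if hits:
            findings[entry.name] = hits
    return findings

def build_sample(root):
    """Constructed layout: three plugins, two of which ship Log4J 2.x core."""
    def make_jar(path, names):
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name in names:
                zf.writestr(name, b"")
    root = Path(root)
    make_jar(root / "plugin-a/lib/log4j-core-2.x.jar", [LOG4J2_CORE_PREFIX + "Logger.class"])
    make_jar(root / "plugin-a/connector-a.jar", ["com/example/a/Connector.class"])
    make_jar(root / "plugin-b/log4j-1.x.jar", ["org/apache/log4j/Logger.class"])
    make_jar(root / "uber-c.jar", ["com/example/c/Connector.class", LOG4J2_CORE_PREFIX + "Logger.class"])

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for plugin, jars in scan_plugin_path(tmp).items():
            print(plugin, jars)
```

Classes that a plugin has relocated to a different package by shading, and JARs nested inside other JARs, are not matched by this prefix check.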

