Kafka Interview Questions and Answers

Question: What is Apache Kafka?
Apache Kafka is a open source framework written in Scala and Java which is used for distributed streaming platform.


Question: What are components of Kafka?

1. Producer –Producers are responsible for sending the data to Kafka topic.
2. Consumer –Consumers are subscribers to a topic and also reads and processes from the topic.
3. Topic –It is name of Group where producer send the messages and consumer receive the messages.
4. Brokers – We use broker to manage storage of messages in the topic .
5. ZooKeeper - ZooKeeper is used to coordinate the brokers/cluster topology.

Question: Explain the role of the offset.
There is a sequential ID number given to the messages in the partitions that called offset.
It is used identify each message in the partition uniquely.


Question: What is a Consumer Group?
Kafka consumer group consists of one or more consumers that jointly consume a set of subscribed topics.


Question: What is the role of the ZooKeeper?
Apache Kafka is a distributed system is built to use Zookeeper.
Zookeeper’s main role here is to coordinate the brokers/cluster topology.
It also uses to recover from previously committed offset if any node fails because it works as periodically commit offset.

Question: What is Partition in Kafka?
In every Kafka broker, there are few partitions available, and each partition in Kafka can be either a leader or a replica of a topic. 

Question: What are advantage of kafka?

1. High-throughput
2. Low Latency
3. Fault-Tolerant
4. Durability
5. Scalability

Question: What are main APIs of Kafka?

1. Producer API
2. Consumer API
3. Streams API
4. Connector API

Question: What are consumers?
Kafka Consumer subscribes to a topic, and also reads and processes messages from the topic. 

Question: Explain the concept of Leader and Follower?
There is one server which acts as the Leader, and Other servers plays the role as a Followers. 

Question: What ensures load balancing of the server in Kafka?
Main role of the Leader is to perform the task of all read and write requests for the partition, whereas Followers passively replicate the leader. At the time of Leader failing, one of the Followers takeover the role of the Leader. 

Question: Why are Replications critical in Kafka?
Replications make sure that published messages are not lost and can be consumed in the event of any machine error, program error or frequent software upgrades. 

Question: In the Producer, when does QueueFullException occur?
Kafka Producer attempts to send messages at a pace that the Broker cannot handle at that time QueueFullException typically occurs. 

Question: What is the purpose of retention period in Kafka cluster
Retention period retains all the published records within the Kafka cluster but It doesn’t check whether they have been consumed or not. We can also update the Retention period through configuration. 

Question: What is Maximum size of a message that can be received by the Kafka?
1000000 bytes 

Question: Explain Multi-tenancy?
We can enable the Multi-tenancy is enabled, We can easily deploy Kafka as a multi-tenant solution. However, by configuring which topics can produce or consume data 

Question: What is Streams API?
Streams API permits an application to act as a stream processor, and also consuming an input stream and producing an output stream to output topics. 

  Question: What is Connector API?
Connector API permits to run as well as build the reusable producers or consumers which connect Kafka topics to existing applications. 

Question: What are top companies which uses of Kafka?
Netflix
Mozilla
Oracle
etc

XML external entity vs Broken Access Control vs Security Misconfiguration

 

Question: What is XML external entity injection?
It allows an attacker to interfere with an application's processing of XML data.
It often allows an attacker to view files on the application server filesystem, and to interact with any back-end.


Question: How do XXE vulnerabilities arise?
Some applications use the XML format to transmit data between the browser and the server.
Applications that do this virtually always use a standard library or platform API to process the XML data on the server.
XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.


Question: What are the types of XXE attacks?

1. Exploiting XXE to retrieve files
2. Exploiting XXE to perform SSRF attacks
3. Exploiting blind XXE exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.
4. Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.

Question: How to prevent XXE vulnerabilities
The easiest and most effective way to prevent XXE attacks is to disable dangerous XML features that the application does not need or intend to use.


What is Broken Access Control?
Most of the website/Application have Access controls by Groups. When this functionality was not implemented properly or having loop holes thats Broken Access Control Vulnerablity.
Access control sounds like a simple problem but is insidiously difficult to implement correctly.


How to Protect Yourself from Broken Access Control Vulnerablity?

1. Insecure Id’s : Web applications should not rely on the secrecy of any id’s for protection.
2. Forced Browsing Past Access Control Checks
3. Path Traversal must be there before grant access
4. File Permissions: We should give minimum file access
5. Client Side Caching: Developers should use multiple mechanisms, including HTTP headers and meta tags, to be sure that pages containing sensitive information are not cached by user’s browsers.

Question: What is Security Misconfiguration?
Security Misconfiguration is defined as failing to implement all the security controls for a server or web application, or implementing the security controls.



Give few example of Security Misconfiguration Attack Scenarios?

1. The application server comes with sample applications that are not removed from the production server.
   These sample applications have known security flaws attackers use to compromise the server.
2. Directory listing is not disabled on the server.
3. The application server’s configuration allows detailed error messages, e.g. stack traces, to be returned to users
4. cloud service provider has default sharing permissions open to the Internet by other CSP users.

Question: How to Prevent Security Misconfiguration?

1. Remove sample application that comes.
2. Directory listing must be disabled on the server
3. Disabled default error message dtails
4. Always give least permissions
5. Upto date the servers.
6. Must be unit testing by developer then by QA
7. An automated process to verify the effectiveness of the configurations and settings in all environments.
8. Remove or do not install unused features and frameworks.