Publish Iceberg kafka connect runtime to Confluent hub
Feature Request / Improvement
We should publish the OSS Apache Iceberg kafka connector sink to confluent hub to get the wider visibility under "apache Iceberg" account. Similar to https://www.confluent.io/hub/tabular/iceberg-kafka-connect
Query engine
Kafka Connect
cc: @bryanck, @danielcweeks, @jbonofre
It makes sense to me. I would also include the Kafka connect artifact on https://iceberg.apache.org/releases/
Naive question, for 1.8 are we saying that we're aiming for automation to push to Confluent Hub or is it something that for the 1.8 milestone, someone needs to manually do? If we're saying we want some automation for pushing, I feel like we should punt to the next release since I think that requires infra changes (e.g. I'm not sure if they even allow it, but if they did probably we'd need a key and whatnot)
cc @bryanck @ajantha-bhat @jbonofre
Previously w/ the Tabular connector it was a manual process, we had a contact at Confluent that would upload it after performing some validation. We'd want a signed and published connector distribution before we'd tackle this I think.
I understand that this is a more complicated thing to do than uploading an artifact.
For the just released 1.9.0, however, there is as well no artifact for the Kafka Connect package uploaded, mentioned also already in #11685 for 1.7.0.
It is quite cumbersome to locally build and add it to a Docker image, every adopter of Kafka Connect has to do the same. Can I somehow support on this issue?
@thjaeckle Feel free to open a PR (or draft PR) if you've got it working.
If we can't finish this in a short time, can we attach kafka-connect zip files to https://github.com/apache/iceberg/releases and link them at https://iceberg.apache.org/releases/#downloads? At least, users don't need to build the zip files themselves.
Hi @manuzhang,
I'd like to take on this issue as my first contribution to Apache Iceberg. I've encountered similar connector deployment challenges in previous projects.
After reading the Confluent documentation, I see the manual email process for confluent-hub publishing (as @bryanck mentioned). Your suggestion to provide zip artifacts with each release is a great alternative.
I can implement:
- Publish kafka-connect zip artifacts to the Nexus repo
- Add download links to release pages
- Update installation documentation
This would let users skip manual builds when using Confluent images.
Happy to discuss implementation details with you, @bryanck, and @ajantha-bhat.
Are we still targeting some automated solution for the next Iceberg 1.10.0 release?
Please let me know if there are any manual steps required for 1.10.0 release.
I'm not seeing any automated solution in the near term. @stevenzwu What do you think of manually uploading the zip files to GitHub release page?
What do you think of manually uploading the zip files to GitHub release page?
Any instructions for doing that? Does the release manager need to manually build the zip files locally? Or does the CI build already publish the zip file to some staging repository?
We discussed at the community sync and decided to first add it in the https://iceberg.apache.org/releases/#downloads
Understood that publishing to confluent is not very simple and we need to go through checklist and some steps. @jbonofre, @bryanck: please help us in the next steps.
@rmoff: Is it possible for you to guide us on this?
By coincidence, and through no effort of my own, the connector is now live: https://www.confluent.io/hub/iceberg/iceberg-kafka-connect
I downloaded the zip, but it only contained the iceberg-kafka-connector jar, not the same as that built following https://iceberg.apache.org/docs/nightly/kafka-connect/#installation, which included all dependencies.
ack - I've passed this on.
I got this back from my colleague.
Trivy identified some CVE issues, which blocks us being able to list the connector.
Vulnerability Details:
Library: commons-beanutils:commons-beanutils (commons-beanutils-1.9.4.jar)
Vulnerability: CVE-2025-48734
Severity: HIGH
Status: Fixed
Installed Version: 1.9.4
Fixed Version: 1.11.0
Title: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property...
Link: https://avd.aquasec.com/nvd/cve-2025-48734
Library: io.netty:netty-handler (netty-handler-4.1.115.Final.jar)
Vulnerability: CVE-2025-24970
Severity: HIGH
Status: (Missing in provided data, assuming "unfixed" or "pending fix" if no gRPC release yet)
Installed Version: 4.1.115.Final
Fixed Version: 4.1.118.Final
Title: SslHandler doesn't correctly validate packets which can lead to native crash...
Link: https://avd.aquasec.com/nvd/cve-2025-24970
Library: net.minidev:json-smart (json-smart-2.5.1.jar)
Vulnerability: CVE-2024-57699
Severity: HIGH
Status: (Missing in provided data, assuming "unfixed" or "pending fix" if no gRPC release yet)
Installed Version: 2.5.1
Fixed Version: 2.5.2
Title: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)
Link: https://avd.aquasec.com/nvd/cve-2024-57699
They built it as follows:
git clone git@github.com:apache/iceberg.git
cd iceberg
git checkout apache-iceberg-1.9.1
# Verify the commit hash - To confirm you're on the correct official release (not an RC):
git rev-parse HEAD
# Should return: e2c32ec0e9fc39cd4a29d2e2a69888bbf86ad1e5
# Clean and build with the desired version explicitly set
./gradlew -Prelease -Pbuild.version=1.9.1 \
:iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip \
-x test -x integrationTest
Thanks. Can we check once from the main branch, not from the release tag, to confirm that it is fixed in the upcoming 1.10.0 release? There is a plan to do the 1.10.0 release soon. If the CVE exists in that version, we can try to upgrade the dependencies before the release.
cc: @stevenzwu, @nastra, @bryanck, @jbonofre
Also this PR mentions that there are two distributions. We should publish the one WITHOUT HMS.
Here's the build & scan with Trivy against main:
$ git rev-parse HEAD
061ae58986db3495ff3af6f1932a96dd086e5fbd
$ sdk use java 11.0.26-tem
$ ./gradlew -Prelease \
:iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip \
-x test -x integrationTest
$ unzip kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-1.10.0-SNAPSHOT.zip -d kafka-connect/kafka-connect-runtime/build/distributions/
$ trivy rootfs --severity HIGH,CRITICAL kafka-connect/kafka-connect-runtime/build/distributions/
There's just one HIGH vuln identified:
Java (jar)
Total: 1 (HIGH: 1, CRITICAL: 0)
┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────┤
│ commons-beanutils:commons-beanutils │ CVE-2025-48734 │ HIGH │ fixed │ 1.9.4 │ 1.11.0 │ commons-beanutils: Apache Commons BeanUtils: │
│ (commons-beanutils-1.9.4.jar) │ │ │ │ │ │ PropertyUtilsBean does not suppresses an enum's │
│ │ │ │ │ │ │ declaredClass property... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-48734 │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────┘
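The scans above blocked the listing on HIGH findings that already had a fixed version. As an added example (not code from this thread or from the Iceberg project), this is one way a release job could turn a Trivy JSON report into a list of required dependency bumps and a pass/fail status. It assumes the report was written with `trivy rootfs --format json`; the helper names and the `CVE-0000-*` entries are constructed for illustration.

```python
import json
import sys

BLOCKING = {"HIGH", "CRITICAL"}

def finding(cve, sev, pkg, installed, fixed=None):
    """Build one entry shaped like an item of Trivy's "Vulnerabilities" list."""
    v = {"VulnerabilityID": cve, "Severity": sev, "PkgName": pkg, "InstalledVersion": installed}
    return {**v, "FixedVersion": fixed} if fixed else v

# Constructed sample report: the first two findings are the ones quoted in this
# thread, the CVE-0000-* entries are placeholders, and the second result has no
# "Vulnerabilities" key, which is how a clean target appears.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "Java", "Type": "jar", "Vulnerabilities": [
        finding("CVE-2025-48734", "HIGH", "commons-beanutils:commons-beanutils", "1.9.4", "1.11.0"),
        finding("CVE-2025-24970", "HIGH", "io.netty:netty-handler", "4.1.115.Final", "4.1.118.Final"),
        finding("CVE-0000-0001", "HIGH", "example:no-fix-yet", "1.0.0"),
        finding("CVE-0000-0002", "MEDIUM", "example:below-threshold", "1.0.0", "1.0.1"),
    ]},
    {"Target": "clean-target", "Type": "jar"},
]})

def triage(report_json, blocking=BLOCKING):
    """Return (bumps, unfixed) for findings at a blocking severity."""
    bumps, unfixed = {}, []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in blocking:
                continue
            pkg, cve = vuln["PkgName"], vuln["VulnerabilityID"]
            # FixedVersion may be absent, or list several release lines.
            fixed = [f.strip() for f in (vuln.get("FixedVersion") or "").split(",") if f.strip()]
            if not fixed:
                unfixed.append((pkg, cve))  # no upgrade clears this one yet
                continue
            entry = bumps.setdefault(
                pkg, {"installed": vuln.get("InstalledVersion"), "fixed": [], "cves": []})
            entry["cves"].append(cve)
            entry["fixed"] += [f for f in fixed if f not in entry["fixed"]]
    return bumps, unfixed

def gate(report_json):
    """Exit status for a release job: 1 if any blocking finding remains."""
    bumps, unfixed = triage(report_json)
    for pkg, info in sorted(bumps.items()):
        print(f"UPGRADE {pkg} {info['installed']} -> {' or '.join(info['fixed'])} ({', '.join(info['cves'])})")
    for pkg, cve in unfixed:
        print(f"NO FIX  {pkg} ({cve})")
    return 1 if bumps or unfixed else 0

if __name__ == "__main__":
    # With a path argument, read a real report; otherwise use the sample.
    sys.exit(gate(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT))
```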
Working on a PR for this right now.
https://github.com/apache/iceberg/pull/13561 - probably should create a separate issue for this CVE which could also be associated.
@rmoff: Could you please try now with 1.10.0 release?
(Discussion about the publishing process to Confluent Hub moved to the mailing list: https://lists.apache.org/thread/hlj8kordz6hmr9wf6ktttqchwty13vlt)
1.9.1 and 1.9.2 are available -> https://www.confluent.io/hub/iceberg/iceberg-kafka-connect
@rmoff @raphaelauv How about 1.10.0?
@manuzhang see my comment above - this needs someone to bundle it and the project agree a process for submitting it to Confluent Hub for publication.