Pass the Confluent Confluent Certified Administrator CCAAK Questions and answers with CertsForce

Kafka topics support two main cleanup policies:

delete: The default policy where Kafka deletes old log segments based on retention time or size.

compact: Enables log compaction, retaining only the latest value for each key.

From Kafka documentation:

“Valid cleanup.policy values are 'delete' and 'compact'.”

B → Invalid: 'default' is not a recognized cleanup policy.

D → Invalid: 'cleanup' is not a valid keyword in this context.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 6, p. 196–197

Apache Kafka Documentation: Topic Configs – cleanup.policy

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

The kafka-consumer-groups.sh script is used to monitor consumer group offsets and lag. It shows the current offset, log end offset, and lag for each partition consumed by a consumer group.

From Kafka documentation:

“You can use kafka-consumer-groups.sh with the --describe flag to get the offset lag per consumer group.”

A → Incorrect: No such built-in script.

B → Correct: Official script for viewing consumer group lag.

C → Incorrect: Does not exist as a built-in Kafka tool.

D → Incorrect: Used for partition reassignment, unrelated to lag monitoring.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 10, p. 308

Apache Kafka Documentation: kafka-consumer-groups.sh usage

To support gradual migration to SSL, Kafka supports configuring multiple listeners. You can run both a PLAINTEXT listener (for legacy clients) and an SSL listener (for new clients), allowing dual access.

From Kafka documentation:

“You can configure multiple listeners on a broker with different security protocols. This allows rolling out SSL while supporting legacy connections.”

A → Incorrect: Modifying the current listener breaks current clients.

B → Misleading: Changing advertised listeners affects how clients connect, which breaks backward compatibility.

C → Correct: Dual listeners allow phased SSL migration.

D → SSL must be configured on both ends to be effective.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 10, p. 305

Apache Kafka Documentation: Configuring Multiple Listeners

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

By default, Kafka does not enable any security mechanism. This means:

Communication is done over PLAINTEXT (unencrypted).

No authentication is configured.

No authorization is enforced.

From Apache Kafka documentation:

“By default, Kafka has no security. All network communication is done in plaintext, and there is no client authentication or authorization.”

This means that:

Option A is correct.

Option B is incorrect because encryption is not enabled by default.

Option C is incorrect because authentication is not provided unless SASL is configured.

Option D is incorrect as neither encryption nor authentication is enabled by default.

Page Reference:

Confluent Kafka: The Definitive Guide, 1st Edition, Chapter 9, p. 275

Apache Kafka Documentation: “Security Overview” section

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

To ensure there is no single point of failure in Kafka, the most critical setting is the replication factor. By setting the replication factor to 3, each partition’s data is replicated across three brokers. This provides fault tolerance and ensures data remains available even if one or two brokers fail.

From Kafka documentation:

“A higher replication factor provides better fault tolerance. A replication factor of 3 is a common choice for production systems that prioritize availability and durability.”

A → Incorrect: min.insync.replicas=1 allows data to be acknowledged even if only one replica is in-sync — not resilient to broker failure.

B → Incorrect: More partitions increase parallelism, not redundancy.

C → Incorrect: linger.ms is a producer-side performance setting, unrelated to durability.

D → Correct: Ensures data is redundantly stored across brokers.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 6, p. 191–193

Apache Kafka Documentation: Topic-Level Configuration – replication.factor

Let me know if you’d like to continue with Question No: 55!

Kafka performs an authorization check every time a client attempts to access a resource (topics, consumer groups, etc.), ensuring real-time enforcement of security policies.

From Kafka documentation:

“Kafka checks authorization for every operation, every time the resource is accessed.”

This behavior ensures that any changes to ACLs are applied immediately and consistently.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 9, p. 284

Apache Kafka Documentation: “Kafka Security - Authorization”

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

Apache Kafka's built-in ACL mechanism (SimpleAclAuthorizer) stores ACL data in ZooKeeper. ACLs are propagated to brokers from ZooKeeper and cached in memory for fast lookup.

From Kafka documentation:

“ACLs are stored in ZooKeeper under /kafka-acl and are loaded into each broker at startup and on updates.”

B → Correct: ZooKeeper stores ACLs centrally.

A → Brokers load ACLs but don’t persist them.

C & D → Do not store or manage ACLs.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 9, p. 285

Apache Kafka Documentation: Authorizer Configuration

Unclean leader election allows Kafka to elect a non-in-sync replica as a new leader when all in-sync replicas are unavailable. This increases availability at the cost of possible message loss (sacrificing reliability).

From Kafka documentation:

“If unclean.leader.election.enable is set to true, a broker that is not in the ISR can be elected as leader, which increases availability but may lead to data loss.”

A → Correct: Improves availability when ISR is empty.

B → Best practice for quorum-based systems like ZooKeeper but not the setting that trades off reliability.

C → Controls batching latency, unrelated to availability.

D → Retention -1 means “retain forever,” which impacts storage, not HA.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 6, p. 195

Apache Kafka Documentation: Topic Config – unclean.leader.election.enable

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

Kafka supports multiple SASL mechanisms for authentication, including:

SASL/PLAIN – Username/password

SASL/GSSAPI – Kerberos-based

SASL/OAUTHBEARER – OAuth 2.0 token-based

From Apache Kafka documentation:

“Kafka supports the following SASL mechanisms: GSSAPI (Kerberos), PLAIN, SCRAM, OAUTHBEARER.”

B → SAML20 is not supported.

E → OTP is not a supported SASL mechanism.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 9, p. 280–284

Apache Kafka Documentation: Kafka SASL Authentication

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾

Kafka architecture maintains exactly one active Controller at any given time, regardless of the number of brokers. The Controller is responsible for administrative tasks like partition leader election and topic creation. The remaining brokers are replicas, ready to take over if the Controller fails.

From Kafka documentation:

“At any given time, there is only one active controller in the Kafka cluster.”

Even in a cluster with 4 brokers, only 1 broker acts as the Controller.

Page Reference:

Kafka: The Definitive Guide, 1st Edition, Chapter 6, p. 189

Apache Kafka Documentation: Controller Role Description

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾