Guy Pascarella created KAFKA-13613:
--------------------------------------
Summary: Kafka Connect has a hard dependency on
KeyGenerator.HmacSHA256
Key: KAFKA-13613
URL: https://issues.apache.org/jira/browse/KAFKA-13613
Project: Kafka
Issue Type: Bug
Components: KafkaConnect
Affects Versions: 3.0.0
Environment: RHEL 8.5
OpenJDK 1.8.0_312
Confluent Platform 7.0.1 (Kafka 3.0.0)
Reporter: Guy Pascarella
If a server is running Java 8 that has been configured for FIPS mode according
to[openjdk-8-configuring_openjdk_8_on_rhel_with_fips-en-us.pdf|https://access.redhat.com/documentation/en-us/openjdk/8/pdf/configuring_openjdk_8_on_rhel_with_fips/openjdk-8-configuring_openjdk_8_on_rhel_with_fips-en-us.pdf]
then the SunJCE provider is not available. As such the KeyGenerator HmacSHA256
is not available. The KeyGenerators I see available are
* DES
* ARCFOUR
* AES
* DESede
Out of these I think AES would be most appropriate, but that's not the point of
this issue, just including for completeness.
When Kafka Connect is started in distributed mode on one of these servers I see
the following stack trace
{noformat}
[2022-01-20 20:36:30,027] ERROR Stopping due to error
(org.apache.kafka.connect.cli.ConnectDistributed)
java.lang.ExceptionInInitializerError
at
org.apache.kafka.connect.cli.ConnectDistributed.startConnect(ConnectDistributed.java:94)
at
org.apache.kafka.connect.cli.ConnectDistributed.main(ConnectDistributed.java:79)
Caused by: org.apache.kafka.common.config.ConfigException: Invalid value
HmacSHA256 for configuration inter.worker.key.generation.algorithm: HmacSHA256
KeyGenerator not available
at
org.apache.kafka.connect.runtime.distributed.DistributedConfig.validateKeyAlgorithm(DistributedConfig.java:504)
at
org.apache.kafka.connect.runtime.distributed.DistributedConfig.lambda$configDef$2(DistributedConfig.java:375)
at
org.apache.kafka.common.config.ConfigDef$LambdaValidator.ensureValid(ConfigDef.java:1043)
at
org.apache.kafka.common.config.ConfigDef$ConfigKey.<init>(ConfigDef.java:1164)
at org.apache.kafka.common.config.ConfigDef.define(ConfigDef.java:152)
at org.apache.kafka.common.config.ConfigDef.define(ConfigDef.java:172)
at org.apache.kafka.common.config.ConfigDef.define(ConfigDef.java:211)
at org.apache.kafka.common.config.ConfigDef.define(ConfigDef.java:373)
at
org.apache.kafka.connect.runtime.distributed.DistributedConfig.configDef(DistributedConfig.java:371)
at
org.apache.kafka.connect.runtime.distributed.DistributedConfig.<clinit>(DistributedConfig.java:196)
... 2 more
{noformat}
It appears the
{{org.apache.kafka.connect.runtime.distributed.DistributedConfig}} is
triggering a validation of the hard-coded default
{{inter.worker.key.generation.algorithm}} property, which is {{HmacSHA256}}.
Ideally a fix would use the value from the configuration file before attempting
to validate a default value.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)