Rob Young created KAFKA-19584:
---------------------------------
Summary: Native docker image authentication fails with SASL PLAIN
Key: KAFKA-19584
URL: https://issues.apache.org/jira/browse/KAFKA-19584
Project: Kafka
Issue Type: Bug
Components: docker
Affects Versions: 4.0.0, 4.1.0
Environment: podman -v
podman version 5.5.2
uname -r
6.15.8-200.fc42.x86_64
Reporter: Rob Young
I'm trying to use the native docker image for SASL PLAIN authentication.
The server starts okay but when I connect a client it emits an exception:
{code:java}
[2025-08-06 23:20:47,302] WARN [SocketServer listenerType=BROKER, nodeId=1] Unexpected error from /192.168.178.96 (channelId=192.168.178.96:9092-192.168.178.96:42552-1-1); closing connection (org.apache.kafka.common.network.Selector)
java.lang.UnsupportedOperationException: Unable to find suitable Subject#doAs or Subject#callAs implementation
    at org.apache.kafka.common.internals.UnsupportedStrategy.createException(UnsupportedStrategy.java:40) ~[?:?]
    at org.apache.kafka.common.internals.UnsupportedStrategy.callAs(UnsupportedStrategy.java:58) ~[?:?]
    at org.apache.kafka.common.internals.CompositeStrategy.lambda$callAs$1(CompositeStrategy.java:104) ~[?:?]
    at org.apache.kafka.common.internals.CompositeStrategy.performAction(CompositeStrategy.java:78) ~[?:?]
    at org.apache.kafka.common.internals.CompositeStrategy.callAs(CompositeStrategy.java:104) ~[?:?]
    at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.createSaslServer(SaslServerAuthenticator.java:208) ~[?:?]
    at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleKafkaRequest(SaslServerAuthenticator.java:533) ~[?:?]
    at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:281) ~[?:?]
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181) ~[?:?]
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:548) [kafka.Kafka:?]
    at org.apache.kafka.common.network.Selector.poll(Selector.java:486) [kafka.Kafka:?]
    at kafka.network.Processor.poll(SocketServer.scala:1017) [kafka.Kafka:?]
    at kafka.network.Processor.run(SocketServer.scala:921) [kafka.Kafka:?]
    at java.base/java.lang.Thread.runWith(Thread.java:1596) [kafka.Kafka:?]
    at java.base/java.lang.Thread.run(Thread.java:1583) [kafka.Kafka:?]
    at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:833) [kafka.Kafka:?]
    at org.graalvm.nativeimage.builder/com.oracle.svm.core.posix.thread.PosixPlatformThreads.pthreadStartRoutine(PosixPlatformThreads.java:211) [kafka.Kafka:?]
    Suppressed: java.lang.ClassNotFoundException: java.security.AccessController
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.hub.ClassForNameSupport.forName(ClassForNameSupport.java:122) ~[?:?]
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.hub.ClassForNameSupport.forName(ClassForNameSupport.java:86) ~[?:?]
        at java.base/java.lang.Class.forName(DynamicHub.java:1356) ~[kafka.Kafka:?]
        at java.base/java.lang.Class.forName(DynamicHub.java:1345) ~[kafka.Kafka:?]
        at org.apache.kafka.common.internals.ReflectiveStrategy$Loader.lambda$forName$0(ReflectiveStrategy.java:66) ~[kafka.Kafka:?]
        at org.apache.kafka.common.internals.LegacyStrategy.<init>(LegacyStrategy.java:45) ~[?:?]
        at org.apache.kafka.common.internals.CompositeStrategy.<init>(CompositeStrategy.java:49) ~[?:?]
        at org.apache.kafka.common.internals.CompositeStrategy.<clinit>(CompositeStrategy.java:39) ~[?:?]
        at org.apache.kafka.common.internals.SecurityManagerCompatibility.get(SecurityManagerCompatibility.java:38) ~[kafka.Kafka:?]
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.createSaslServer(SaslServerAuthenticator.java:208) ~[?:?]
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleKafkaRequest(SaslServerAuthenticator.java:533) ~[?:?]
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:281) ~[?:?]
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181) ~[?:?]
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:548) [kafka.Kafka:?]
        at org.apache.kafka.common.network.Selector.poll(Selector.java:486) [kafka.Kafka:?]
        at kafka.network.Processor.poll(SocketServer.scala:1017) [kafka.Kafka:?]
        at kafka.network.Processor.run(SocketServer.scala:921) [kafka.Kafka:?]
        at java.base/java.lang.Thread.runWith(Thread.java:1596) [kafka.Kafka:?]
        at java.base/java.lang.Thread.run(Thread.java:1583) [kafka.Kafka:?]
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:833) [kafka.Kafka:?]
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.posix.thread.PosixPlatformThreads.pthreadStartRoutine(PosixPlatformThreads.java:211) [kafka.Kafka:?]
    Suppressed: java.lang.NoSuchMethodException: javax.security.auth.Subject.current()
        at java.base/java.lang.Class.checkMethod(DynamicHub.java:1075) ~[kafka.Kafka:?]
        at java.base/java.lang.Class.getDeclaredMethod(DynamicHub.java:1165) ~[kafka.Kafka:?]
        at org.apache.kafka.common.internals.ModernStrategy.<init>(ModernStrategy.java:43) ~[?:?]
        at org.apache.kafka.common.internals.CompositeStrategy.<init>(CompositeStrategy.java:60) ~[?:?]
        at org.apache.kafka.common.internals.CompositeStrategy.<clinit>(CompositeStrategy.java:39) ~[?:?]
        at org.apache.kafka.common.internals.SecurityManagerCompatibility.get(SecurityManagerCompatibility.java:38) ~[kafka.Kafka:?]
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.createSaslServer(SaslServerAuthenticator.java:208) ~[?:?]
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleKafkaRequest(SaslServerAuthenticator.java:533) ~[?:?]
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:281) ~[?:?]
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181) ~[?:?]
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:548) [kafka.Kafka:?]
        at org.apache.kafka.common.network.Selector.poll(Selector.java:486) [kafka.Kafka:?]
        at kafka.network.Processor.poll(SocketServer.scala:1017) [kafka.Kafka:?]
        at kafka.network.Processor.run(SocketServer.scala:921) [kafka.Kafka:?]
        at java.base/java.lang.Thread.runWith(Thread.java:1596) [kafka.Kafka:?]
        at java.base/java.lang.Thread.run(Thread.java:1583) [kafka.Kafka:?]
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:833) [kafka.Kafka:?]
        at org.graalvm.nativeimage.builder/com.oracle.svm.core.posix.thread.PosixPlatformThreads.pthreadStartRoutine(PosixPlatformThreads.java:211) [kafka.Kafka:?]
{code}
Reproducer bash script:
{code:java}
# Usage: ./run-plain.sh <image>:<tag>   (the argument is appended to "apache/")
# KAFKA_CLUSTER_ID is read from the caller's environment.
temp_dir=$(mktemp -d)
cd "${temp_dir}"
# JAAS configuration for the broker: one PLAIN user, admin / admin-secret
cat << EOF > kafka_server_jaas.conf
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
user_admin="admin-secret";
};
EOF
podman run -it --rm \
  --name kafka-sasl-broker \
  -p 9092:9092 \
  -p 9093:9093 \
  -v ./kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:Z \
  -e KAFKA_CLUSTER_ID="$KAFKA_CLUSTER_ID" \
  -e KAFKA_PROCESS_ROLES=broker,controller \
  -e KAFKA_NODE_ID=1 \
  -e KAFKA_LISTENER_SECURITY_PROTOCOL_MAP=SASL_PLAINTEXT:SASL_PLAINTEXT,INTER_BROKER:PLAINTEXT,CONTROLLER:PLAINTEXT \
  -e KAFKA_LISTENERS=SASL_PLAINTEXT://0.0.0.0:9092,INTER_BROKER://0.0.0.0:9093,CONTROLLER://0.0.0.0:9094 \
  -e KAFKA_ADVERTISED_LISTENERS=SASL_PLAINTEXT://localhost:9092,INTER_BROKER://localhost:9093 \
  -e KAFKA_CONTROLLER_LISTENER_NAMES=CONTROLLER \
  -e KAFKA_CONTROLLER_QUORUM_VOTERS=1@localhost:9094 \
  -e KAFKA_INTER_BROKER_LISTENER_NAME=INTER_BROKER \
  -e KAFKA_SASL_ENABLED_MECHANISMS=PLAIN \
  -e KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf" \
  "apache/${1}"
{code}
Then, to connect, I use the producer script to try and send messages:
{code:java}
# Client side: SASL/PLAIN over SASL_PLAINTEXT with the credentials from the JAAS file
kafka-console-producer.sh \
  --bootstrap-server localhost:9092 \
  --topic your-topic-name \
  --producer-property security.protocol=SASL_PLAINTEXT \
  --producer-property sasl.mechanism=PLAIN \
  --producer-property 'sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";'
{code}
For `./run-plain.sh kafka-native:4.0.0` and `./run-plain.sh kafka-native:4.1.0-rc2` the producer spins, trying repeatedly to reconnect.
For the main image, `./run-plain.sh kafka:4.0.0` and `./run-plain.sh kafka:4.1.0-rc2`, I can produce messages successfully.
For context, I want to use the native image for integration testing and can work around this by switching to the non-native image.
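Added example, not part of the original report and not Kafka's code: a small probe that repeats the reflective lookups named in the two suppressed exceptions (`java.security.AccessController`, `Subject.current()`) plus the `Subject#doAs` and `Subject#callAs` methods named in the top-level message, and reports which ones the current runtime can resolve. The class name `SubjectApiProbe`, the `LOOKUPS` table and the grouping into a "legacy" and a "modern" pair are assumptions made for this illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class SubjectApiProbe {
    // Hypothetical table. Each row: owner class, then optionally a method name and its
    // parameter types. Names are data, not inline literals, so the lookups stay dynamic.
    static final String[][] LOOKUPS = {
        {"java.security.AccessController"},
        {"javax.security.auth.Subject", "doAs",
         "javax.security.auth.Subject", "java.security.PrivilegedAction"},
        {"javax.security.auth.Subject", "current"},
        {"javax.security.auth.Subject", "callAs",
         "javax.security.auth.Subject", "java.util.concurrent.Callable"},
    };

    /** Returns "ok", or the exception the reflective lookup raised. */
    static String probe(String[] spec) {
        try {
            Class<?> owner = Class.forName(spec[0]);
            if (spec.length > 1) {
                Class<?>[] params = new Class<?>[spec.length - 2];
                for (int i = 2; i < spec.length; i++) params[i - 2] = Class.forName(spec[i]);
                owner.getDeclaredMethod(spec[1], params);
            }
            return "ok";
        } catch (ReflectiveOperationException | LinkageError e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    static Map<String, String> probeAll() {
        Map<String, String> results = new LinkedHashMap<>();
        for (String[] spec : LOOKUPS) {
            String label = spec.length > 1 ? spec[0] + "#" + spec[1] : spec[0];
            results.put(label, probe(spec));
        }
        return results;
    }

    public static void main(String[] args) {
        Map<String, String> r = probeAll();
        r.forEach((api, status) -> System.out.println(api + " -> " + status));
        boolean legacy = "ok".equals(r.get("java.security.AccessController"))
                && "ok".equals(r.get("javax.security.auth.Subject#doAs"));
        boolean modern = "ok".equals(r.get("javax.security.auth.Subject#current"))
                && "ok".equals(r.get("javax.security.auth.Subject#callAs"));
        System.out.println("legacy (doAs) usable=" + legacy + ", modern (callAs) usable=" + modern);
    }
}
```

Running it on the JVM and again as a native image built with the same reflection configuration as the failing binary shows which lookups the image can resolve; both pairs reporting `false` corresponds to the `UnsupportedOperationException` in the trace.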