Wojciech Trefon created NIFI-16077:
--------------------------------------
Summary: Change default Security Protocol for Kafka components
from PLAINTEXT to SASL_SSL
Key: NIFI-16077
URL: https://issues.apache.org/jira/browse/NIFI-16077
Project: Apache NiFi
Issue Type: Improvement
Components: Extensions
Reporter: Wojciech Trefon
The Kafka components (ConsumeKafka, PublishKafka, and the Kafka Connection
Service) expose a "Security Protocol" property whose default value is
currently PLAINTEXT (KafkaClientComponent.SECURITY_PROTOCOL).
TLS is the norm for production Kafka deployments today, so a plaintext
default is both an insecure and a fragile starting point. When a client is
left on a plaintext protocol but the broker actually requires TLS, the Kafka
client reads the broker's TLS alert record as a message-length field
(0x15030300 ≈ 336 MB) and attempts to allocate that amount per broker
connection, exhausting the heap and driving the process into an
OutOfMemoryError crash-loop within roughly 30-60 seconds. The root cause is
in the Kafka client library (see KAFKA-4090, open and unresolved), so it
cannot be prevented on the NiFi side — but shipping a secure default makes it
far less likely for users to fall into this trap by omission.
Proposed change: set the default value of the Security Protocol property to
SASL_SSL in the shared KafkaClientComponent definition. Because the property
descriptor is shared, this single change covers all Kafka processors and the
Kafka connection service. The property is required and is always persisted
explicitly in existing flows, so this only affects newly added components.
References:
- KAFKA-4090: https://issues.apache.org/jira/browse/KAFKA-4090
--
This message was sent by Atlassian Jira
(v8.20.10#820010)