[ 
https://issues.apache.org/jira/browse/KAFKA-9577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17041249#comment-17041249
 ] 

ASF GitHub Bot commented on KAFKA-9577:
---------------------------------------

lbradstreet commented on pull request #8142: KAFKA-9577: 
SaslClientAuthenticator incorrectly negotiates supported SaslHandshakeRequest 
version
URL: https://github.com/apache/kafka/pull/8142
 
 
   The SaslClientAuthenticator incorrectly negotiates supported 
SaslHandshakeRequest version and uses the maximum version supported by the 
broker whether or not the client supports it. This PR rolls back the recent 
SaslHandshake[Request,Response] bump, fixes the version negotiation, and adds a 
test to prevent anyone from accidentally bumping the version without a 
workaround (e.g. a new ApiKey).
   
   Tests:
   - Prevent SASL_HANDSHAKE schema version bump
   - Add test to return ApiVersions unsupported by client
 


> Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk
> -------------------------------------------------------------------------
>
>                 Key: KAFKA-9577
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9577
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.5.0
>            Reporter: Lucas Bradstreet
>            Assignee: Lucas Bradstreet
>            Priority: Blocker
>             Fix For: 2.5.0
>
>
> I am trying 2.5.0 with SASL turned on and my consumer and producer clients 
> receive:
> {noformat}
> org.apache.kafka.common.errors.UnsupportedVersionException: The 
> SASL_HANDSHAKE protocol does not support version 2
> {noformat}
> I believe this is due to 
> [https://github.com/apache/kafka/commit/0a2569e2b9907a1217dd50ccbc320f8ad0b42fd0]
>  which added flexible version support and bumped the protocol version.
> It appears that the SaslClientAuthenticator uses the max version for 
> SASL_HANDSHAKE received in the broker's API_VERSIONS response, and then uses 
> that version even though it may not support it. See 
> [https://github.com/apache/kafka/blob/eb09efa9ac79efa484307bdcf03ac8eb8a3a94e2/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.java#L290].
>  
> This may make it hard to ever evolve this schema. In the short term I suggest 
> we roll back the version bump and flexible schema until we figure out a path 
> forward.
> It appears that this may not have been a problem in the past because the 
> schema versions were the same and maybe we didn't validate the version number 
> [https://github.com/apache/kafka/commit/0cf7708007b01faac5012d939f3c50db274f858d#diff-7f65552a2e23aa7028500f8db06cbb30R47]
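
The negotiation problem described in the report, as an added example that is not Kafka's code and not part of the original message: it contrasts taking the broker's maximum version with picking the highest version both sides support. `VersionRange`, `brokerMaxOnly`, `highestCommon` and `supports` are hypothetical names, and the version ranges are constructed to match the "does not support version 2" error.

```java
import java.util.OptionalInt;

public class HandshakeVersionNegotiation {
    // Hypothetical model of the version range one side supports for an API.
    record VersionRange(int min, int max) {}

    // Behaviour described in the report: take the broker's maximum as-is.
    static int brokerMaxOnly(VersionRange broker) {
        return broker.max();
    }

    // Negotiated choice: highest version inside both ranges, empty if none.
    static OptionalInt highestCommon(VersionRange client, VersionRange broker) {
        int highest = Math.min(client.max(), broker.max());
        int lowest = Math.max(client.min(), broker.min());
        return highest >= lowest ? OptionalInt.of(highest) : OptionalInt.empty();
    }

    static boolean supports(VersionRange range, int version) {
        return version >= range.min() && version <= range.max();
    }

    public static void main(String[] args) {
        // Constructed ranges: client knows versions 0-1, broker advertises 0-2.
        VersionRange client = new VersionRange(0, 1);
        VersionRange broker = new VersionRange(0, 2);

        int naive = brokerMaxOnly(broker);
        System.out.println("broker max only: v" + naive
                + ", client supports it: " + supports(client, naive));

        OptionalInt agreed = highestCommon(client, broker);
        System.out.println("negotiated: "
                + (agreed.isPresent() ? "v" + agreed.getAsInt() : "none"));

        // Constructed disjoint case: fail before sending anything.
        VersionRange newerBroker = new VersionRange(3, 4);
        OptionalInt none = highestCommon(client, newerBroker);
        System.out.println("disjoint ranges: "
                + (none.isPresent() ? "v" + none.getAsInt() : "no common version, abort handshake"));
    }
}
```

Failing locally when the ranges do not overlap keeps the authentication error on the client side instead of sending a request the client cannot encode.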


