rondagostino opened a new pull request #10297:
URL: https://github.com/apache/kafka/pull/10297


   ZooKeeper-related system tests in `zookeeper_security_upgrade_test.py` and 
`zookeeper_tls_test.py` broke due to 
https://github.com/apache/kafka/pull/10199/.  That patch changed the logic of 
`SecurityConfig.enabled_sasl_mechanisms()` to only add the inter-broker SASL 
mechanism when the inter-broker protocol was `SASL_{PLAINTEXT,SSL}`.  The 
inter-broker protocol is left to default to `PLAINTEXT` for the 
`SecurityConfig` instance associated with ZooKeeper since that value doesn't 
apply to ZooKeeper, so the default inter-broker SASL mechanism of `GSSAPI` was 
not being added into the set returned by `enabled_sasl_mechanisms()`.  This is 
actually correct -- `GSSAPI` shouldn't be added since inter-broker 
communication is a Kafka concept and doesn't apply to ZooKeeper.  `GSSAPI` 
should be added when ZooKeeper uses it, though -- which is the case in these 
tests.  So the prior patch referred to above uncovered a bug: we were relying 
on the default inter-broker SASL mechanism to signal that 
Kerberos was being used by ZooKeeper even though the inter-broker protocol has 
nothing to do with that determination in such cases.  This patch explicitly 
includes `GSSAPI` in the list of enabled SASL mechanisms when SASL is enabled 
for use by ZooKeeper.
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
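
A reduced model of the behaviour this pull request describes, as an added example that is not the Kafka system-test code. The `Cfg` class, its field names, the function names and the unconditional pre-#10199 behaviour are assumptions made for illustration; only the defaults (`PLAINTEXT`, `GSSAPI`) and the three behaviours come from the description above.

```python
from dataclasses import dataclass

GSSAPI = "GSSAPI"
SASL_PROTOCOLS = ("SASL_PLAINTEXT", "SASL_SSL")


@dataclass
class Cfg:
    # Hypothetical, reduced stand-in for the test harness's SecurityConfig.
    interbroker_security_protocol: str = "PLAINTEXT"  # default named in the PR
    interbroker_sasl_mechanism: str = GSSAPI          # default named in the PR
    zk_sasl: bool = False                             # assumed flag: ZooKeeper uses SASL


def before_10199(cfg):
    # Assumed earlier behaviour: the inter-broker mechanism is always included,
    # so the GSSAPI default leaks into configs that have no inter-broker traffic.
    return {cfg.interbroker_sasl_mechanism}


def after_10199(cfg):
    # Inter-broker mechanism only counts when the inter-broker protocol is SASL.
    mechs = set()
    if cfg.interbroker_security_protocol in SASL_PROTOCOLS:
        mechs.add(cfg.interbroker_sasl_mechanism)
    return mechs


def with_fix(cfg):
    # This PR: ZooKeeper's own SASL use is what enables GSSAPI, stated explicitly.
    mechs = after_10199(cfg)
    if cfg.zk_sasl:
        mechs.add(GSSAPI)
    return mechs


def kerberos_signalled(cfg):
    # Which variant concludes that Kerberos is in use for this config.
    return {f.__name__: GSSAPI in f(cfg) for f in (before_10199, after_10199, with_fix)}


if __name__ == "__main__":
    cases = {  # constructed sample configurations
        "zk with SASL": Cfg(zk_sasl=True),
        "zk without SASL": Cfg(zk_sasl=False),
        "broker SASL_SSL/PLAIN": Cfg("SASL_SSL", "PLAIN"),
    }
    for name, cfg in cases.items():
        print(f"{name:24s} {kerberos_signalled(cfg)}")
```

The "zk without SASL" row shows why relying on the default was a latent bug: the earlier logic signals Kerberos even when nothing uses it.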

