[jira] [Commented] (KAFKA-9577) Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk
[ https://issues.apache.org/jira/browse/KAFKA-9577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17042380#comment-17042380 ] ASF GitHub Bot commented on KAFKA-9577: --- hachikuji commented on pull request #8142: KAFKA-9577: SaslClientAuthenticator incorrectly negotiates SASL_HANDSHAKE version URL: https://github.com/apache/kafka/pull/8142 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk > - > > Key: KAFKA-9577 > URL: https://issues.apache.org/jira/browse/KAFKA-9577 > Project: Kafka > Issue Type: Bug > Components: core >Affects Versions: 2.5.0 >Reporter: Lucas Bradstreet >Assignee: Lucas Bradstreet >Priority: Blocker > Fix For: 2.5.0 > > > I am trying 2.5.0 with sasl turned on and my consumer and producer clients > receive: > {noformat} > org.apache.kafka.common.errors.UnsupportedVersionException: The > SASL_HANDSHAKE protocol does not support version 2 > {noformat} > I believe this is due to > [https://github.com/apache/kafka/commit/0a2569e2b9907a1217dd50ccbc320f8ad0b42fd0] > which added flexible version support and bumped the protocol version. > It appears that the SaslClientAuthenticator uses the max version for > SASL_HANDSHAKE received in the broker's AP_VERSIONS response, and then uses > that version even though it may not support it. See > [https://github.com/apache/kafka/blob/eb09efa9ac79efa484307bdcf03ac8eb8a3a94e2/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.java#L290]. > > This may make it hard to ever evolve this schema. In the short term I suggest > we roll back the version bump and flexible schema until we figure out a path > forward. > It appears that this may not have been a problem in the past because the > schema versions were the same and maybe we didn't validate the version number > [https://github.com/apache/kafka/commit/0cf7708007b01faac5012d939f3c50db274f858d#diff-7f65552a2e23aa7028500f8db06cbb30R47] -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KAFKA-9577) Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk
[ https://issues.apache.org/jira/browse/KAFKA-9577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17041249#comment-17041249 ] ASF GitHub Bot commented on KAFKA-9577: --- lbradstreet commented on pull request #8142: KAFKA-9577: SaslClientAuthenticator incorrectly negotiates supported SaslHandshakeRequest version URL: https://github.com/apache/kafka/pull/8142 The SaslClientAuthenticator incorrectly negotiates supported SaslHandshakeRequest version and uses the maximum version supported by the broker whether or not the client supports it. This PR rolls back the recent SaslHandshake[Request,Response] bump, fixes the version negotiation, and adds a test to prevent anyone from accidentally bumping the version without a workaround (e.g. a new ApiKey). Tests: - Prevent SASL_HANDSHAKE schema version bump - Add test to return ApiVersions unsupported by client This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk > - > > Key: KAFKA-9577 > URL: https://issues.apache.org/jira/browse/KAFKA-9577 > Project: Kafka > Issue Type: Bug > Components: core >Affects Versions: 2.5.0 >Reporter: Lucas Bradstreet >Assignee: Lucas Bradstreet >Priority: Blocker > Fix For: 2.5.0 > > > I am trying 2.5.0 with sasl turned on and my consumer and producer clients > receive: > {noformat} > org.apache.kafka.common.errors.UnsupportedVersionException: The > SASL_HANDSHAKE protocol does not support version 2 > {noformat} > I believe this is due to > [https://github.com/apache/kafka/commit/0a2569e2b9907a1217dd50ccbc320f8ad0b42fd0] > which added flexible version support and bumped the protocol version. > It appears that the SaslClientAuthenticator uses the max version for > SASL_HANDSHAKE received in the broker's AP_VERSIONS response, and then uses > that version even though it may not support it. See > [https://github.com/apache/kafka/blob/eb09efa9ac79efa484307bdcf03ac8eb8a3a94e2/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.java#L290]. > > This may make it hard to ever evolve this schema. In the short term I suggest > we roll back the version bump and flexible schema until we figure out a path > forward. > It appears that this may not have been a problem in the past because the > schema versions were the same and maybe we didn't validate the version number > [https://github.com/apache/kafka/commit/0cf7708007b01faac5012d939f3c50db274f858d#diff-7f65552a2e23aa7028500f8db06cbb30R47] -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KAFKA-9577) Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk
[ https://issues.apache.org/jira/browse/KAFKA-9577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17041087#comment-17041087 ] Lucas Bradstreet commented on KAFKA-9577: - [~enether] I will have to check the system test results, but I don't think it's likely unless we have a SASL related test that uses an older client version. > Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk > - > > Key: KAFKA-9577 > URL: https://issues.apache.org/jira/browse/KAFKA-9577 > Project: Kafka > Issue Type: Bug > Components: core >Affects Versions: 2.5.0 >Reporter: Lucas Bradstreet >Assignee: Lucas Bradstreet >Priority: Blocker > Fix For: 2.5.0 > > > I am trying 2.5.0 with sasl turned on and my consumer and producer clients > receive: > {noformat} > org.apache.kafka.common.errors.UnsupportedVersionException: The > SASL_HANDSHAKE protocol does not support version 2 > {noformat} > I believe this is due to > [https://github.com/apache/kafka/commit/0a2569e2b9907a1217dd50ccbc320f8ad0b42fd0] > which added flexible version support and bumped the protocol version. > It appears that the SaslClientAuthenticator uses the max version for > SASL_HANDSHAKE received in the broker's AP_VERSIONS response, and then uses > that version even though it may not support it. See > [https://github.com/apache/kafka/blob/eb09efa9ac79efa484307bdcf03ac8eb8a3a94e2/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.java#L290]. > > This may make it hard to ever evolve this schema. In the short term I suggest > we roll back the version bump and flexible schema until we figure out a path > forward. > It appears that this may not have been a problem in the past because the > schema versions were the same and maybe we didn't validate the version number > [https://github.com/apache/kafka/commit/0cf7708007b01faac5012d939f3c50db274f858d#diff-7f65552a2e23aa7028500f8db06cbb30R47] -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KAFKA-9577) Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk
[ https://issues.apache.org/jira/browse/KAFKA-9577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17041046#comment-17041046 ] Stanislav Kozlovski commented on KAFKA-9577: Do we have a system test that would catch this? > Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk > - > > Key: KAFKA-9577 > URL: https://issues.apache.org/jira/browse/KAFKA-9577 > Project: Kafka > Issue Type: Bug > Components: core >Affects Versions: 2.5.0 >Reporter: Lucas Bradstreet >Assignee: Lucas Bradstreet >Priority: Blocker > Fix For: 2.5.0 > > > I am trying 2.5.0 with sasl turned on and my consumer and producer clients > receive: > {noformat} > org.apache.kafka.common.errors.UnsupportedVersionException: The > SASL_HANDSHAKE protocol does not support version 2 > {noformat} > I believe this is due to > [https://github.com/apache/kafka/commit/0a2569e2b9907a1217dd50ccbc320f8ad0b42fd0] > which added flexible version support and bumped the protocol version. > It appears that the SaslClientAuthenticator uses the max version for > SASL_HANDSHAKE received in the broker's AP_VERSIONS response, and then uses > that version even though it may not support it. See > [https://github.com/apache/kafka/blob/eb09efa9ac79efa484307bdcf03ac8eb8a3a94e2/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.java#L290]. > > This may make it hard to ever evolve this schema. In the short term I suggest > we roll back the version bump and flexible schema until we figure out a path > forward. > It appears that this may not have been a problem in the past because the > schema versions were the same and maybe we didn't validate the version number > [https://github.com/apache/kafka/commit/0cf7708007b01faac5012d939f3c50db274f858d#diff-7f65552a2e23aa7028500f8db06cbb30R47] -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KAFKA-9577) Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk
[ https://issues.apache.org/jira/browse/KAFKA-9577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17040550#comment-17040550 ] Ismael Juma commented on KAFKA-9577: cc [~mumrah] > Client encountering SASL_HANDSHAKE protocol version errors on 2.5 / trunk > - > > Key: KAFKA-9577 > URL: https://issues.apache.org/jira/browse/KAFKA-9577 > Project: Kafka > Issue Type: Bug > Components: core >Affects Versions: 2.5.0 >Reporter: Lucas Bradstreet >Priority: Blocker > > I am trying 2.5.0 with sasl turned on and my consumer and producer clients > receive: > {noformat} > org.apache.kafka.common.errors.UnsupportedVersionException: The > SASL_HANDSHAKE protocol does not support version 2 > {noformat} > I believe this is due to > [https://github.com/apache/kafka/commit/0a2569e2b9907a1217dd50ccbc320f8ad0b42fd0] > which added flexible version support and bumped the protocol version. > It appears that the SaslClientAuthenticator uses the max version for > SASL_HANDSHAKE returned by the broker's api versions request, and then uses > that version even though it may not support it. See > [https://github.com/apache/kafka/blob/eb09efa9ac79efa484307bdcf03ac8eb8a3a94e2/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.java#L290]. > > This may make it hard to ever evolve this schema. In the short term I suggest > we roll back the version bump and flexible schema until we figure out a path > forward. -- This message was sent by Atlassian Jira (v8.3.4#803005)