RivenSun created KAFKA-15472:
--------------------------------
Summary: Kraft broker does not seem to support sasl/scram authentication
Key: KAFKA-15472
URL: https://issues.apache.org/jira/browse/KAFKA-15472
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 3.4.1
Reporter: RivenSun
Kafka server and client version: 3.4.1
server.properties
{code:java}
#controller communicate config
sasl.mechanism.controller.protocol=PLAIN
#broker communicate config
#security.inter.broker.protocol=SASL_PLAINTEXT
inter.broker.listener.name=INTERNAL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
#sasl authentication config
sasl.kerberos.service.name=kafka
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-512,GSSAPI,OAUTHBEARER
{code}
kafkaClient test code
{code:java}
// props holds the client connection and SASL settings (not shown in the report)
AdminClient adminClient = AdminClient.create(props);
try {
    // Create or update a SCRAM-SHA-256 credential for user "test" with 4096 iterations
    UserScramCredentialUpsertion credentialUpsertion = new UserScramCredentialUpsertion("test",
            new ScramCredentialInfo(ScramMechanism.SCRAM_SHA_256, 4096), "test");
    adminClient.alterUserScramCredentials(Collections.singletonList(credentialUpsertion)).all().get();
    // Read the credential back to confirm it was stored
    Set<String> users =
            adminClient.describeUserScramCredentials(Collections.singletonList("test")).all().get().keySet();
    System.out.println(users);
    Collection<Node> nodes = adminClient.describeCluster().nodes().get();
    System.out.println(nodes);
} catch (Exception e) {
    System.out.println(e.toString());
    LOG.error("failed", e);
} finally {
    adminClient.close();
}
{code}
error log
{code:java}
[main] INFO org.apache.kafka.common.security.authenticator.AbstractLogin - Successfully logged in.
[main] INFO org.apache.kafka.common.utils.AppInfoParser - Kafka version: 3.4.1
[main] INFO org.apache.kafka.common.utils.AppInfoParser - Kafka commitId: 8a516edc2755df89
[main] INFO org.apache.kafka.common.utils.AppInfoParser - Kafka startTimeMs: 1695024285450
Disconnected from the target VM, address: '127.0.0.1:52962', transport: 'socket'
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.UnsupportedVersionException: The broker does not support ALTER_USER_SCRAM_CREDENTIALS
[main] ERROR us.zoom.mq.examples.AdminClientTest - failed
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.UnsupportedVersionException: The broker does not support ALTER_USER_SCRAM_CREDENTIALS
    at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396)
    at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2073)
    at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:165)
    at us.zoom.mq.examples.AdminClientTest.main(AdminClientTest.java:50)
Caused by: org.apache.kafka.common.errors.UnsupportedVersionException: The broker does not support ALTER_USER_SCRAM_CREDENTIALS
[kafka-admin-client-thread | adminclient-1] INFO org.apache.kafka.common.utils.AppInfoParser - App info kafka.admin.client for adminclient-1 unregistered
[kafka-admin-client-thread | adminclient-1] INFO org.apache.kafka.common.metrics.Metrics - Metrics scheduler closed
[kafka-admin-client-thread | adminclient-1] INFO org.apache.kafka.common.metrics.Metrics - Closing reporter org.apache.kafka.common.metrics.JmxReporter
[kafka-admin-client-thread | adminclient-1] INFO org.apache.kafka.common.metrics.Metrics - Metrics reporters closed
{code}
When executing the adminClient.describeUserScramCredentials method, an error
will also be reported:
{code:java}
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.UnsupportedVersionException: The broker does not support DESCRIBE_USER_SCRAM_CREDENTIALS
{code}
On Kafka's official website,
https://kafka.apache.org/documentation/#kraft_missing
I didn't see that KRaft does not support SASL/SCRAM.
But when I read the SASL/SCRAM chapter, I found that ZooKeeper is still used to
introduce the SCRAM authentication mechanism.
https://kafka.apache.org/documentation/#security_sasl_scram
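An added example, not part of the original report and not Kafka's own code: a Java preflight that probes whether the cluster accepts the SCRAM credential admin APIs before attempting the upsert from the report, so the `UnsupportedVersionException` seen above is reported as a missing capability while authentication, authorization, and network errors still surface. The class name `ScramSupportProbe`, the method `scramAdminApiSupported`, and the bootstrap address are assumptions.

```java
import java.util.Collections;
import java.util.Properties;
import java.util.concurrent.ExecutionException;

import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.ScramCredentialInfo;
import org.apache.kafka.clients.admin.ScramMechanism;
import org.apache.kafka.clients.admin.UserScramCredentialUpsertion;
import org.apache.kafka.common.errors.UnsupportedVersionException;

/** Hypothetical helper: checks SCRAM admin API support before provisioning a credential. */
public class ScramSupportProbe {

    /** Returns true if the cluster accepts DESCRIBE_USER_SCRAM_CREDENTIALS. */
    static boolean scramAdminApiSupported(Admin admin)
            throws InterruptedException, ExecutionException {
        try {
            // users() lists the names that have credentials; an empty list is still a success.
            admin.describeUserScramCredentials().users().get();
            return true;
        } catch (ExecutionException e) {
            // Admin futures wrap the broker error, so inspect the cause.
            if (e.getCause() instanceof UnsupportedVersionException) {
                return false;
            }
            throw e; // authentication, authorization, or network failure: surface it
        }
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Assumption: placeholder address; add the SASL/SSL client settings your listener needs.
        props.put("bootstrap.servers", "localhost:9092");

        try (Admin admin = Admin.create(props)) {
            if (!scramAdminApiSupported(admin)) {
                System.err.println("Broker does not support the SCRAM credential admin APIs");
                return;
            }
            // Constructed sample user and password, matching the values used in the report.
            UserScramCredentialUpsertion upsert = new UserScramCredentialUpsertion(
                    "test", new ScramCredentialInfo(ScramMechanism.SCRAM_SHA_256, 4096), "test");
            admin.alterUserScramCredentials(Collections.singletonList(upsert)).all().get();
            System.out.println("SCRAM credential stored for user test");
        }
    }
}
```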