Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Kafka SASL connection stopped working in 2.3.0, but works fine in 2.2.2 version
See original GitHub issueDescribe the bug
We use next configuration for connection to Kafka cluster:
kafka:
health:
enabled: true
security:
protocol: ${KAFKA_SECURITY_PROTOCOL} #SASL_SSL here
sasl:
mechanism: SCRAM-SHA-512
jaas:
config: >
org.apache.kafka.common.security.scram.ScramLoginModule
required username=${KAFKA_JAAS_USERNAME}
password=${KAFKA_JAAS_PASSWORD} ;
ssl:
truststore:
location: ${SSL_TRUSTSTORE_LOCATION}
password: ${SSL_TRUSTSTORE_PASSWORD}
type: JKS
endpoint:
identification:
algorithm: https
Sorry for the broken formatting, I was trying to insert it in different ways and this is the best I found.
So, using this configuration consumer can connect to Kafka cluster and it works perfectly fine in 2.2.0 version. We added this functionality a few versions ago and it was working great until Quarkus version was bumped to 2.3.0 In quarkus 2.3.0 next exception happens:
{“timestamp”:“2021-10-27T18:17:15.038Z”,“sequence”:2123,“loggerClassName”:“org.apache.kafka.common.utils.LogContext$LocationAwareKafkaLogger”,“loggerName”:“org.apache.kafka.clients.NetworkClient”,“level”:“ERROR”,“message”:“[Consumer clientId=kafka-consumer-consumer-name-hidden, groupId=group-id-hidden] Connection to node -1 (cluster-ip-hidden:9093) failed authentication due to: SSL handshake failed”,“threadName”:“smallrye-kafka-consumer-thread-0”,“threadId”:21,“mdc”:{},“ndc”:“”,“hostName”:“service-586cf4c9db-6zv98”,“processName”:“quarkus-run.jar”,“processId”:1}
Expected behavior
Kafka client successfully connects to cluster
Actual behavior
failed authentication due to: SSL handshake failed
How to Reproduce?
Sorry for not attaching the reproducer. I’m on my vacation right now (have no access to the environment), but I can help you with this issue next week.
Output of uname -a or ver
No response
Output of java -version
Java™ SE Runtime Environment 18.9 (build 11.0.12+8-LTS-237)
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.3.0
Build tool (ie. output of mvnw --version or gradlew --version)
Gradle 7.0
Additional information
I’m just a bit unsure about this commit for 2.3.0 version:
Are you sure replaceAll shouldn’t be used instead? I don’t know what was the reason to replace previous behaviour, it’s just the only suspicious lines of code for me.
Issue Analytics
- State:
- Created 2 years ago
- Comments:8 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@cescoffier Considering there won’t be any Kafka downgrade in Quarkus because of CVE fixes in the 2.8.1 version, I believe it would be fine to have SASL connection configured with domain name instead of IP address and have a more secure version. Thanks for your help and for what you’re doing. I think we can close this issue.
Yes, we cannot downgrade.
Closing this issue.