Posted to dev@kafka.apache.org by "dengziming (Jira)" <ji...@apache.org> on 2022/04/29 02:59:00 UTC

[jira] [Resolved] (KAFKA-13859) SCRAM authentication issues with kafka-clients 3.0.1

     [ https://issues.apache.org/jira/browse/KAFKA-13859?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

dengziming resolved KAFKA-13859.
--------------------------------
    Resolution: Not A Problem

In [KIP-679](https://cwiki.apache.org/confluence/display/KAFKA/KIP-679%3A+Producer+will+enable+the+strongest+delivery+guarantee+by+default#KIP679:Producerwillenablethestrongestdeliveryguaranteebydefault-%60IDEMPOTENT_WRITE%60Deprecation)

We are relaxing the ACL restriction from {{IDEMPOTENT_WRITE}} to {{WRITE}} earlier (release version 2.8) and changing the producer defaults later (release version 3.0) in order to give the community users enough time to upgrade their broker first. So their later client-side upgrading, which enables idempotence by default, won't get blocked by the {{IDEMPOTENT_WRITE}} ACL required by the old version brokers.

So this is designed intentionally; we should help the users to make this change.

> SCRAM authentication issues with kafka-clients 3.0.1
> ----------------------------------------------------
>
>                 Key: KAFKA-13859
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13859
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.0.1
>            Reporter: Oliver Payne
>            Assignee: dengziming
>            Priority: Major
>
> When attempting to produce records to Kafka using a client configured with SCRAM authentication, the authentication is being rejected, and the following exception is thrown:
> {{org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.}}
> I am seeing this happen with a Springboot service that was recently upgraded to 2.6.5. After looking into this, I learned that Springboot moved to kafka-clients 3.0.1 from 3.0.0 in that version. And sure enough, downgrading to kafka-clients resolved the issue, with no changes made to the configs.
> I have also attempted to connect to a separate server with kafka-clients 3.0.1, using plaintext authentication. That works fine. So the issue appears to be with SCRAM authentication.
> I will note that I am attempting to connect to an AWS MSK instance. We use SCRAM-SHA-512 as our SASL mechanism, using the basic {{ScramLoginModule}}.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
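The ACL rule quoted from KIP-679 in the resolution, as an added example that is not part of the original message or Kafka's own code: a simplified Python model of the authorization check an idempotent producer must pass, plus the remediation options for each broker generation. The `Principal` class, the function names, the principal `User:svc-orders`, the topic `orders` and the broker versions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    cluster_ops: set = field(default_factory=set)   # ACL operations on the Cluster resource
    write_topics: set = field(default_factory=set)  # topics with WRITE allowed

def major_minor(version):
    """'2.8.1' -> (2, 8); only major.minor matters for the KIP-679 cut-over."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def init_producer_id_allowed(broker_version, principal):
    """Model of the broker check an idempotent producer must pass at start-up."""
    if "IDEMPOTENT_WRITE" in principal.cluster_ops:
        return True  # accepted by brokers on either side of the 2.8 cut-over
    # Relaxed rule from KIP-679: brokers 2.8+ also accept WRITE on a topic.
    return major_minor(broker_version) >= (2, 8) and bool(principal.write_topics)

def diagnose(broker_version, enable_idempotence, principal):
    """Return (outcome, remediation options) for producer start-up."""
    if not enable_idempotence or init_producer_id_allowed(broker_version, principal):
        return "OK", []
    fixes = [f"grant IDEMPOTENT_WRITE on the cluster to {principal.name}",
             "set enable.idempotence=false on the producer"]
    if major_minor(broker_version) < (2, 8):
        fixes.insert(1, "upgrade the brokers to 2.8 or later")
    else:
        fixes.insert(1, f"grant WRITE on the produced topics to {principal.name}")
    return "ClusterAuthorizationException", fixes

if __name__ == "__main__":
    # Constructed sample: a principal that holds only topic-level WRITE.
    svc = Principal("User:svc-orders", write_topics={"orders"})
    for broker in ("2.6.2", "2.8.1"):
        print(broker, diagnose(broker, True, svc))
```

The model covers only the cluster-level authorization step; SASL/SCRAM authentication and per-topic produce authorization are separate checks and are not represented.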