[
https://issues.apache.org/jira/browse/KAFKA-18866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christian Habermehl updated KAFKA-18866:
----------------------------------------
Description:
Kafka Client is unable to connect to the broker with JDK23, because
SecurityManager is deprecated:
{code}
Caused by: javax.security.sasl.SaslException: User name or extensions could not
be obtained
at
org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:112)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslToken$1(SaslClientAuthenticator.java:535)
at
java.base/jdk.internal.vm.ScopedValueContainer.callWithoutScope(ScopedValueContainer.java:162)
at
java.base/jdk.internal.vm.ScopedValueContainer.call(ScopedValueContainer.java:147)
at java.base/java.lang.ScopedValue$Carrier.call(ScopedValue.java:420)
at java.base/java.lang.ScopedValue.callWhere(ScopedValue.java:568)
at java.base/javax.security.auth.Subject.callAs(Subject.java:439)
at java.base/javax.security.auth.Subject.doAs(Subject.java:614)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:535)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslClientToken(SaslClientAuthenticator.java:434)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendInitialToken(SaslClientAuthenticator.java:333)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:274)
at
org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181)
at
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
at org.apache.kafka.common.network.Selector.poll(Selector.java:485)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:595)
at
org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:281)
at
org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:231)
at
org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:289)
at
org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:263)
at
org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.coordinatorUnknownAndUnreadySync(ConsumerCoordinator.java:450)
at
org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:482)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.updateAssignmentMetadataIfNeeded(LegacyKafkaConsumer.java:652)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:611)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:591)
at
org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:874)
...
Caused by: java.lang.UnsupportedOperationException: getSubject is supported
only if a security manager is allowed
at java.base/javax.security.auth.Subject.getSubject(Subject.java:347)
at
org.apache.kafka.common.security.authenticator.SaslClientCallbackHandler.handle(SaslClientCallbackHandler.java:58)
at
org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:104)
... 28 common frames omitted
{code}
The workaround for JDK23 is to use the JVM flag
{{-Djava.security.manager=allow}}. As far as I know this won't work for JDK24
was:
Kafka Client is unable to connect to the broker with JDK23, because
SecurityManager is deprecated:
{code}
Caused by: javax.security.sasl.SaslException: User name or extensions could not
be obtained
at
org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:112)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslToken$1(SaslClientAuthenticator.java:535)
at
java.base/jdk.internal.vm.ScopedValueContainer.callWithoutScope(ScopedValueContainer.java:162)
at
java.base/jdk.internal.vm.ScopedValueContainer.call(ScopedValueContainer.java:147)
at java.base/java.lang.ScopedValue$Carrier.call(ScopedValue.java:420)
at java.base/java.lang.ScopedValue.callWhere(ScopedValue.java:568)
at java.base/javax.security.auth.Subject.callAs(Subject.java:439)
at java.base/javax.security.auth.Subject.doAs(Subject.java:614)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:535)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslClientToken(SaslClientAuthenticator.java:434)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendInitialToken(SaslClientAuthenticator.java:333)
at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:274)
at
org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181)
at
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
at org.apache.kafka.common.network.Selector.poll(Selector.java:485)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:595)
at
org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:281)
at
org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:231)
at
org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:289)
at
org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:263)
at
org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.coordinatorUnknownAndUnreadySync(ConsumerCoordinator.java:450)
at
org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:482)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.updateAssignmentMetadataIfNeeded(LegacyKafkaConsumer.java:652)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:611)
at
org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:591)
at
org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:874)
...
Caused by: java.lang.UnsupportedOperationException: getSubject is supported
only if a security manager is allowed
at java.base/javax.security.auth.Subject.getSubject(Subject.java:347)
at
org.apache.kafka.common.security.authenticator.SaslClientCallbackHandler.handle(SaslClientCallbackHandler.java:58)
at
org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:104)
... 28 common frames omitted
{code}
The workaround for JDK26 is to use the JVM flag
{{-Djava.security.manager=allow}}. As far as I know this won't work for JDK24
> JDK23: UnsupportedOperationException: getSubject is supported only if a
> security manager is allowed
> ---------------------------------------------------------------------------------------------------
>
> Key: KAFKA-18866
> URL: https://issues.apache.org/jira/browse/KAFKA-18866
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 3.8.1
> Environment: e.g.
> OpenJDK 64-Bit Server VM Corretto-23.0.2.7.1 (build 23.0.2+7-FR, mixed mode,
> sharing)
> all OS should be affected
> Reporter: Christian Habermehl
> Priority: Major
>
> Kafka Client is unable to connect to the broker with JDK23, because
> SecurityManager is deprecated:
> {code}
> Caused by: javax.security.sasl.SaslException: User name or extensions could
> not be obtained
> at
> org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:112)
> at
> org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslToken$1(SaslClientAuthenticator.java:535)
> at
> java.base/jdk.internal.vm.ScopedValueContainer.callWithoutScope(ScopedValueContainer.java:162)
> at
> java.base/jdk.internal.vm.ScopedValueContainer.call(ScopedValueContainer.java:147)
> at java.base/java.lang.ScopedValue$Carrier.call(ScopedValue.java:420)
> at java.base/java.lang.ScopedValue.callWhere(ScopedValue.java:568)
> at java.base/javax.security.auth.Subject.callAs(Subject.java:439)
> at java.base/javax.security.auth.Subject.doAs(Subject.java:614)
> at
> org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:535)
> at
> org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslClientToken(SaslClientAuthenticator.java:434)
> at
> org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendInitialToken(SaslClientAuthenticator.java:333)
> at
> org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:274)
> at
> org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181)
> at
> org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
> at org.apache.kafka.common.network.Selector.poll(Selector.java:485)
> at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:595)
> at
> org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:281)
> at
> org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:231)
> at
> org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:289)
> at
> org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:263)
> at
> org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.coordinatorUnknownAndUnreadySync(ConsumerCoordinator.java:450)
> at
> org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:482)
> at
> org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.updateAssignmentMetadataIfNeeded(LegacyKafkaConsumer.java:652)
> at
> org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:611)
> at
> org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:591)
> at
> org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:874)
> ...
> Caused by: java.lang.UnsupportedOperationException: getSubject is supported
> only if a security manager is allowed
> at java.base/javax.security.auth.Subject.getSubject(Subject.java:347)
> at
> org.apache.kafka.common.security.authenticator.SaslClientCallbackHandler.handle(SaslClientCallbackHandler.java:58)
> at
> org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:104)
> ... 28 common frames omitted
> {code}
> The workaround for JDK23 is to use the JVM flag
> {{-Djava.security.manager=allow}}. As far as I know this won't work for JDK24
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
