[ https://issues.apache.org/jira/browse/KAFKA-19584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gaurav Narula reassigned KAFKA-19584: ------------------------------------- Assignee: Gaurav Narula > Native docker image authentication fails with SASL PLAIN > -------------------------------------------------------- > > Key: KAFKA-19584 > URL: https://issues.apache.org/jira/browse/KAFKA-19584 > Project: Kafka > Issue Type: Bug > Components: docker > Affects Versions: 4.0.0, 4.1.0 > Environment: podman -v > podman version 5.5.2 > uname -r > 6.15.8-200.fc42.x86_64 > Reporter: Rob Young > Assignee: Gaurav Narula > Priority: Minor > Labels: native-image > > I'm trying to use the native docker image for SASL PLAIN authentication. > The server starts okay but when I connect a client it emits an exception: > > {code:java} > [2025-08-06 23:20:47,302] WARN [SocketServer listenerType=BROKER, nodeId=1] > Unexpected error from /192.168.178.96 > (channelId=192.168.178.96:9092-192.168.178.96:42552-1-1); closing connection > (org.apache.kafka.common.network.Selector) > java.lang.UnsupportedOperationException: Unable to find suitable Subject#doAs > or Subject#callAs implementation at > org.apache.kafka.common.internals.UnsupportedStrategy.createException(UnsupportedStrategy.java:40) > ~[?:?] at > org.apache.kafka.common.internals.UnsupportedStrategy.callAs(UnsupportedStrategy.java:58) > ~[?:?] at > org.apache.kafka.common.internals.CompositeStrategy.lambda$callAs$1(CompositeStrategy.java:104) > ~[?:?] at > org.apache.kafka.common.internals.CompositeStrategy.performAction(CompositeStrategy.java:78) > ~[?:?] at > org.apache.kafka.common.internals.CompositeStrategy.callAs(CompositeStrategy.java:104) > ~[?:?] at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.createSaslServer(SaslServerAuthenticator.java:208) > ~[?:?] at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleKafkaRequest(SaslServerAuthenticator.java:533) > ~[?:?] 
at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:281) > ~[?:?] at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181) > ~[?:?] at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:548) > [kafka.Kafka:?] at > org.apache.kafka.common.network.Selector.poll(Selector.java:486) > [kafka.Kafka:?] at kafka.network.Processor.poll(SocketServer.scala:1017) > [kafka.Kafka:?] at kafka.network.Processor.run(SocketServer.scala:921) > [kafka.Kafka:?] at java.base/java.lang.Thread.runWith(Thread.java:1596) > [kafka.Kafka:?] at java.base/java.lang.Thread.run(Thread.java:1583) > [kafka.Kafka:?] at > org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:833) > [kafka.Kafka:?] at > org.graalvm.nativeimage.builder/com.oracle.svm.core.posix.thread.PosixPlatformThreads.pthreadStartRoutine(PosixPlatformThreads.java:211) > [kafka.Kafka:?] Suppressed: java.lang.ClassNotFoundException: > java.security.AccessController at > org.graalvm.nativeimage.builder/com.oracle.svm.core.hub.ClassForNameSupport.forName(ClassForNameSupport.java:122) > ~[?:?] at > org.graalvm.nativeimage.builder/com.oracle.svm.core.hub.ClassForNameSupport.forName(ClassForNameSupport.java:86) > ~[?:?] at java.base/java.lang.Class.forName(DynamicHub.java:1356) > ~[kafka.Kafka:?] at java.base/java.lang.Class.forName(DynamicHub.java:1345) > ~[kafka.Kafka:?] at > org.apache.kafka.common.internals.ReflectiveStrategy$Loader.lambda$forName$0(ReflectiveStrategy.java:66) > ~[kafka.Kafka:?] at > org.apache.kafka.common.internals.LegacyStrategy.<init>(LegacyStrategy.java:45) > ~[?:?] at > org.apache.kafka.common.internals.CompositeStrategy.<init>(CompositeStrategy.java:49) > ~[?:?] at > org.apache.kafka.common.internals.CompositeStrategy.<clinit>(CompositeStrategy.java:39) > ~[?:?] 
at > org.apache.kafka.common.internals.SecurityManagerCompatibility.get(SecurityManagerCompatibility.java:38) > ~[kafka.Kafka:?] at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.createSaslServer(SaslServerAuthenticator.java:208) > ~[?:?] at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleKafkaRequest(SaslServerAuthenticator.java:533) > ~[?:?] at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:281) > ~[?:?] at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181) > ~[?:?] at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:548) > [kafka.Kafka:?] at > org.apache.kafka.common.network.Selector.poll(Selector.java:486) > [kafka.Kafka:?] at kafka.network.Processor.poll(SocketServer.scala:1017) > [kafka.Kafka:?] at kafka.network.Processor.run(SocketServer.scala:921) > [kafka.Kafka:?] at java.base/java.lang.Thread.runWith(Thread.java:1596) > [kafka.Kafka:?] at java.base/java.lang.Thread.run(Thread.java:1583) > [kafka.Kafka:?] at > org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:833) > [kafka.Kafka:?] at > org.graalvm.nativeimage.builder/com.oracle.svm.core.posix.thread.PosixPlatformThreads.pthreadStartRoutine(PosixPlatformThreads.java:211) > [kafka.Kafka:?] Suppressed: java.lang.NoSuchMethodException: > javax.security.auth.Subject.current() at > java.base/java.lang.Class.checkMethod(DynamicHub.java:1075) ~[kafka.Kafka:?] > at java.base/java.lang.Class.getDeclaredMethod(DynamicHub.java:1165) > ~[kafka.Kafka:?] at > org.apache.kafka.common.internals.ModernStrategy.<init>(ModernStrategy.java:43) > ~[?:?] at > org.apache.kafka.common.internals.CompositeStrategy.<init>(CompositeStrategy.java:60) > ~[?:?] at > org.apache.kafka.common.internals.CompositeStrategy.<clinit>(CompositeStrategy.java:39) > ~[?:?] 
at > org.apache.kafka.common.internals.SecurityManagerCompatibility.get(SecurityManagerCompatibility.java:38) > ~[kafka.Kafka:?] at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.createSaslServer(SaslServerAuthenticator.java:208) > ~[?:?] at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleKafkaRequest(SaslServerAuthenticator.java:533) > ~[?:?] at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:281) > ~[?:?] at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181) > ~[?:?] at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:548) > [kafka.Kafka:?] at > org.apache.kafka.common.network.Selector.poll(Selector.java:486) > [kafka.Kafka:?] at kafka.network.Processor.poll(SocketServer.scala:1017) > [kafka.Kafka:?] at kafka.network.Processor.run(SocketServer.scala:921) > [kafka.Kafka:?] at java.base/java.lang.Thread.runWith(Thread.java:1596) > [kafka.Kafka:?] at java.base/java.lang.Thread.run(Thread.java:1583) > [kafka.Kafka:?] at > org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:833) > [kafka.Kafka:?] 
> at org.graalvm.nativeimage.builder/com.oracle.svm.core.posix.thread.PosixPlatformThreads.pthreadStartRoutine(PosixPlatformThreads.java:211) [kafka.Kafka:?]
> {code}
>
> Reproducer bash script:
> {code:java}
> temp_dir=$(mktemp -d)
> cd ${temp_dir}
> cat << EOF > kafka_server_jaas.conf
> KafkaServer {
> org.apache.kafka.common.security.plain.PlainLoginModule required
> user_admin="admin-secret";
> };
> EOF
> podman run -it --rm \
> --name kafka-sasl-broker \
> -p 9092:9092 \
> -p 9093:9093 \
> -v ./kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:Z \
> -e KAFKA_CLUSTER_ID=$KAFKA_CLUSTER_ID \
> -e KAFKA_PROCESS_ROLES=broker,controller \
> -e KAFKA_NODE_ID=1 \
> -e KAFKA_LISTENER_SECURITY_PROTOCOL_MAP=SASL_PLAINTEXT:SASL_PLAINTEXT,INTER_BROKER:PLAINTEXT,CONTROLLER:PLAINTEXT \
> -e KAFKA_LISTENERS=SASL_PLAINTEXT://0.0.0.0:9092,INTER_BROKER://0.0.0.0:9093,CONTROLLER://0.0.0.0:9094 \
> -e KAFKA_ADVERTISED_LISTENERS=SASL_PLAINTEXT://localhost:9092,INTER_BROKER://localhost:9093 \
> -e KAFKA_CONTROLLER_LISTENER_NAMES=CONTROLLER \
> -e KAFKA_CONTROLLER_QUORUM_VOTERS=1@localhost:9094 \
> -e KAFKA_INTER_BROKER_LISTENER_NAME=INTER_BROKER \
> -e KAFKA_SASL_ENABLED_MECHANISMS=PLAIN \
> -e KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf" \
> apache/${1}
> {code}
> Then, to connect, I use the producer script to try to send messages:
> {code:java}
> kafka-console-producer.sh \
> --bootstrap-server localhost:9092 \
> --topic your-topic-name \
> --producer-property security.protocol=SASL_PLAINTEXT \
> --producer-property sasl.mechanism=PLAIN \
> --producer-property 'sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";'
> {code}
> For `./run-plain.sh kafka-native:4.0.0` and `./run-plain.sh kafka-native:4.1.0-rc2` the producer spins, trying repeatedly to reconnect.
> The two suppressed exceptions in the trace show the reflective lookups of `java.security.AccessController` and `javax.security.auth.Subject.current()` both failing in the native image, which is why the call ends in `UnsupportedStrategy` and the broker closes the connection during SASL authentication.
> For the main image, `./run-plain.sh kafka:4.0.0` and `./run-plain.sh kafka:4.1.0-rc2`, I can produce messages successfully.
> For context, I want to use the native image for integration testing and can work around this by switching to the non-native image.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)