davsclaus opened a new pull request, #24690:
URL: https://github.com/apache/camel/pull/24690

   ## Summary
   
   Fix three bugs in the `saslAuthType` convenience layer (introduced in 
CAMEL-22864) that made 3 of 5 SASL auth types non-functional and silently 
overrode explicit user configuration:
   
   - **Bug 1 — SSL tautology**: `saslAuthType != KafkaAuthType.NONE` was always 
true inside the `isSasl()` branch, forcing `SASL_SSL` even when the user 
explicitly set `securityProtocol=SASL_PLAINTEXT`. Fixed by relying on the 
configurer's default (`useSsl=true`) and only downgrading when the user 
explicitly requests `SASL_PLAINTEXT`.
   - **Bug 2 — KERBEROS always throws**: `saslAuthType=KERBEROS` always threw 
`IllegalArgumentException` because `applyAuthTypeConfiguration()` never called 
`withKerberos()`, and `buildJaasConfig()` validated non-existent fields. Fixed 
by returning `null` from `buildJaasConfig()` when no principal is set, so 
`saslAuthType=KERBEROS` only sets protocol+mechanism (users provide JAAS 
externally).
   - **Bug 3 — OAUTH/AWS_MSK_IAM missing callback handlers**: Neither auth type 
set the required callback handler class, making authentication impossible. 
Fixed by injecting `OAuthBearerLoginCallbackHandler` (KIP-768) for OAUTH and 
`IAMClientCallbackHandler` for AWS_MSK_IAM. Also moved OAuth token endpoint URL 
from the JAAS string to the top-level `sasl.oauthbearer.token.endpoint.url` 
config (KIP-768 convention) and fixed the scope JAAS key from `oauth.scope` to 
`scope`.
   
   ## Test plan
   
   - [x] New test: `saslAuthType=PLAIN&securityProtocol=SASL_PLAINTEXT` → 
respects `SASL_PLAINTEXT`
   - [x] New test: `saslAuthType=KERBEROS` → does not throw, sets 
protocol+mechanism only
   - [x] New test: `saslAuthType=OAUTH` → sets callback handler, token endpoint 
URL, correct JAAS format
   - [x] New test: `saslAuthType=NONE&securityProtocol=SSL` → uses SSL protocol
   - [x] Updated test: `saslAuthType=AWS_MSK_IAM` → verifies callback handler 
class
   - [x] New tests for `KafkaSecurityConfigurer`: Kerberos without principal, 
callback handler injection, user override preservation
   - [x] All 157 existing tests pass
   
   _Claude Code on behalf of davsclaus_
   
   🤖 Generated with [Claude Code](https://claude.ai/code)
   
   Co-Authored-By: Claude Opus 4.6 <[email protected]>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to