Hi, There are a number of known issues with our native images: - https://issues.apache.org/jira/browse/KAFKA-19583: fail to use SASL OAuth - https://issues.apache.org/jira/browse/KAFKA-19584: fail to use SASL Plain - https://issues.apache.org/jira/browse/KAFKA-19839: fail to use zstd compression - https://issues.apache.org/jira/browse/KAFKA-20314: random crash with GraalVM 21
I raised the issue last year: https://lists.apache.org/thread/7k8b6l9sz57bbttmnym91mgkjnj9bntz (also covering the official Docker images) The main problem is that we don't have the required tooling to maintain the native image. The Kafka code base is evolving all the time and we don't have an automatic way to keep the native configuration files in sync. We need to be much more careful when accepting KIPs that introduce new components or release assets. These require detailed processes, infra and automations to be maintained properly. Thanks, Mickael On Tue, May 26, 2026 at 11:10 AM Stanislav Kozlovski <[email protected]> wrote: > > I've been testing out the native docker image and I notice that it seems to > not work with the most simple authentication scheme - sasl plain. > > KAFKA-19584<https://issues.apache.org/jira/browse/KAFKA-19584> from August > 2025 describes the issue I'm seeing - the SaslServerAuthenticator fails with > "java.lang.UnsupportedOperationException: Unable to find suitable > Subject#doAs or Subject#callAs implementation at". > > I am sending the mail to check if people are aware of the issue - to me it > sounds like a potential blocker for the native image that is advertised as > suitable for non-prod scenarios and testing — almost all non-prod scenarios > ought to be secured, and it seems like the image has a critical bug in that > path. > > > Best, > Stan
