wojtre opened a new pull request, #11394: URL: https://github.com/apache/nifi/pull/11394
# Summary [NIFI-16077](https://issues.apache.org/jira/browse/NIFI-16077) Changes the default value of the shared **Security Protocol** property (`KafkaClientComponent.SECURITY_PROTOCOL`) from `PLAINTEXT` to `SASL_SSL`. The descriptor is defined once in the shared `KafkaClientComponent` interface and reused by `ConsumeKafka`, `PublishKafka` and the Kafka connection service, so a single change applies the new default uniformly. ## Motivation When `security.protocol` is set to a plaintext variant (e.g. `SASL_PLAINTEXT`) while the broker actually requires TLS, the Kafka client reads the returned TLS alert record as a message length (`0x15030300`, ~336 MB) and attempts to allocate that amount per broker connection, exhausting the heap and causing an OOM crash-loop within ~30–60s. The root cause lives in the Kafka client (KAFKA-4090, open since 2016 and unresolved), so NiFi cannot prevent it directly — but a secure default meaningfully reduces the chance of falling into this trap. The property is `required`, so existing flows already persist an explicit value and are unaffected. The new default primarily impacts newly added components on the canvas. ## Verification Built `nifi-kafka-shared` and related modules and ran the unit tests for `nifi-kafka-shared`, `nifi-kafka-service-shared`, `nifi-kafka-3-service`, `nifi-kafka-service-aws` and `nifi-kafka-processors` — all pass. Tests that exercise the protocol set it explicitly (e.g. `SASL_PLAINTEXT` / `PLAINTEXT`), so none depend on the previous default. 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
