wojtre opened a new pull request, #11394:
URL: https://github.com/apache/nifi/pull/11394

   # Summary
   
   [NIFI-16077](https://issues.apache.org/jira/browse/NIFI-16077)
   
   Changes the default value of the shared **Security Protocol** property 
(`KafkaClientComponent.SECURITY_PROTOCOL`) from `PLAINTEXT` to `SASL_SSL`. The 
descriptor is defined once in the shared `KafkaClientComponent` interface and 
reused by `ConsumeKafka`, `PublishKafka` and the Kafka connection service, so a 
single change applies the new default uniformly.
   
   ## Motivation
   
   When `security.protocol` is set to a plaintext variant (e.g. 
`SASL_PLAINTEXT`) while the broker actually requires TLS, the Kafka client 
reads the returned TLS alert record as a message length (`0x15030300`, ~336 MB) 
and attempts to allocate that amount per broker connection, exhausting the heap 
and causing an OOM crash-loop within ~30–60s. The root cause lives in the Kafka 
client (KAFKA-4090, open since 2016 and unresolved), so NiFi cannot prevent it 
directly — but a secure default meaningfully reduces the chance of falling into 
this trap.
   
   The property is `required`, so existing flows already persist an explicit 
value and are unaffected. The new default primarily impacts newly added 
components on the canvas.
   
   ## Verification
   
   Built `nifi-kafka-shared` and related modules and ran the unit tests for 
`nifi-kafka-shared`, `nifi-kafka-service-shared`, `nifi-kafka-3-service`, 
`nifi-kafka-service-aws` and `nifi-kafka-processors` — all pass. Tests that 
exercise the protocol set it explicitly (e.g. `SASL_PLAINTEXT` / `PLAINTEXT`), 
so none depend on the previous default.
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to