[jira] [Commented] (KAFKA-7631) NullPointerException when SCRAM is allowed bu ScramLoginModule is not in broker's jaas.conf
[ https://issues.apache.org/jira/browse/KAFKA-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17788786#comment-17788786 ] Andrew Olson commented on KAFKA-7631: - This looks like a duplicate of KAFKA-10556 (fixed in 2.7.0). > NullPointerException when SCRAM is allowed bu ScramLoginModule is not in > broker's jaas.conf > --- > > Key: KAFKA-7631 > URL: https://issues.apache.org/jira/browse/KAFKA-7631 > Project: Kafka > Issue Type: Improvement > Components: security >Affects Versions: 2.0.0, 2.5.0 >Reporter: Andras Beni >Priority: Minor > Attachments: KAFKA-7631.patch > > > When user wants to use delegation tokens and lists {{SCRAM}} in > {{sasl.enabled.mechanisms}}, but does not add {{ScramLoginModule}} to > broker's JAAS configuration, a null pointer exception is thrown on broker > side and the connection is closed. > Meaningful error message should be logged and sent back to the client. > {code} > java.lang.NullPointerException > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:376) > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:262) > at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:127) > at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:489) > at org.apache.kafka.common.network.Selector.poll(Selector.java:427) > at kafka.network.Processor.poll(SocketServer.scala:679) > at kafka.network.Processor.run(SocketServer.scala:584) > at java.lang.Thread.run(Thread.java:748) > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-7631) NullPointerException when SCRAM is allowed bu ScramLoginModule is not in broker's jaas.conf
[ https://issues.apache.org/jira/browse/KAFKA-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17108677#comment-17108677 ] Jun Wang commented on KAFKA-7631: - This is a JAAS config issue, For example putting PlainLoginModule inside a scram configuration. {noformat} sasl_scram.KafkaServer { org.apache.kafka.common.security.plain.PlainLoginModule optional username="admin" password="admin-secret" user_admin="admin-secret"; }; {noformat} To fix the NullPointerException. I looked at SaslServerAuthenticator.java code, just need to add one line inside createSaslServer function. According the [java Sasl document|[https://docs.oracle.com/javase/8/docs/api/javax/security/sasl/Sasl.html#createSaslServer-java.lang.String-java.lang.String-java.lang.String-java.util.Map-javax.security.auth.callback.CallbackHandler-] ] Returns:A possibly null {{SaslServer}} created using the parameters supplied. If null, cannot find a {{SaslServerFactory}} that will produce one. also changed line 288 from LOG.debug to LOG.error {noformat} LOG.error("Failed during {}: {}", reauthInfo.authenticationOrReauthenticationText(), e.getMessage());{noformat} Log file shows following error after fix. {noformat} [2020-05-15 17:21:54,521] ERROR Failed during authentication: Kafka Server failed to create a SaslServer to interact with a client during session authentication (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator) {noformat} patch file attached. > NullPointerException when SCRAM is allowed bu ScramLoginModule is not in > broker's jaas.conf > --- > > Key: KAFKA-7631 > URL: https://issues.apache.org/jira/browse/KAFKA-7631 > Project: Kafka > Issue Type: Improvement > Components: security >Affects Versions: 2.0.0 >Reporter: Andras Beni >Assignee: Viktor Somogyi-Vass >Priority: Minor > > When user wants to use delegation tokens and lists {{SCRAM}} in > {{sasl.enabled.mechanisms}}, but does not add {{ScramLoginModule}} to > broker's JAAS configuration, a null pointer exception is thrown on broker > side and the connection is closed. > Meaningful error message should be logged and sent back to the client. > {code} > java.lang.NullPointerException > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:376) > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:262) > at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:127) > at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:489) > at org.apache.kafka.common.network.Selector.poll(Selector.java:427) > at kafka.network.Processor.poll(SocketServer.scala:679) > at kafka.network.Processor.run(SocketServer.scala:584) > at java.lang.Thread.run(Thread.java:748) > {code} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KAFKA-7631) NullPointerException when SCRAM is allowed bu ScramLoginModule is not in broker's jaas.conf
[ https://issues.apache.org/jira/browse/KAFKA-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16827153#comment-16827153 ] koert kuipers commented on KAFKA-7631: -- i fixed this by adding both Krb5LoginModule and ScramLoginModule to broker jaas.conf > NullPointerException when SCRAM is allowed bu ScramLoginModule is not in > broker's jaas.conf > --- > > Key: KAFKA-7631 > URL: https://issues.apache.org/jira/browse/KAFKA-7631 > Project: Kafka > Issue Type: Improvement > Components: security >Affects Versions: 2.0.0 >Reporter: Andras Beni >Assignee: Viktor Somogyi-Vass >Priority: Minor > > When user wants to use delegation tokens and lists {{SCRAM}} in > {{sasl.enabled.mechanisms}}, but does not add {{ScramLoginModule}} to > broker's JAAS configuration, a null pointer exception is thrown on broker > side and the connection is closed. > Meaningful error message should be logged and sent back to the client. > {code} > java.lang.NullPointerException > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:376) > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:262) > at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:127) > at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:489) > at org.apache.kafka.common.network.Selector.poll(Selector.java:427) > at kafka.network.Processor.poll(SocketServer.scala:679) > at kafka.network.Processor.run(SocketServer.scala:584) > at java.lang.Thread.run(Thread.java:748) > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KAFKA-7631) NullPointerException when SCRAM is allowed bu ScramLoginModule is not in broker's jaas.conf
[ https://issues.apache.org/jira/browse/KAFKA-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16827023#comment-16827023 ] koert kuipers commented on KAFKA-7631: -- it is not clear to me how i should handle this situation. this Jira seems to focus on a better error message, presumably pointing to the fact that the broker jaas configuration file does not have ScramLoginModule. but that is correct for me, i want to use kerberos for broker authentication. should it work for me without ScramLoginModule in broker jaas.conf? do i need to add both Krb5LoginModule and ScramLoginModule to broker jaas.conf? > NullPointerException when SCRAM is allowed bu ScramLoginModule is not in > broker's jaas.conf > --- > > Key: KAFKA-7631 > URL: https://issues.apache.org/jira/browse/KAFKA-7631 > Project: Kafka > Issue Type: Improvement > Components: security >Affects Versions: 2.0.0 >Reporter: Andras Beni >Assignee: Viktor Somogyi-Vass >Priority: Minor > > When user wants to use delegation tokens and lists {{SCRAM}} in > {{sasl.enabled.mechanisms}}, but does not add {{ScramLoginModule}} to > broker's JAAS configuration, a null pointer exception is thrown on broker > side and the connection is closed. > Meaningful error message should be logged and sent back to the client. > {code} > java.lang.NullPointerException > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:376) > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:262) > at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:127) > at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:489) > at org.apache.kafka.common.network.Selector.poll(Selector.java:427) > at kafka.network.Processor.poll(SocketServer.scala:679) > at kafka.network.Processor.run(SocketServer.scala:584) > at java.lang.Thread.run(Thread.java:748) > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KAFKA-7631) NullPointerException when SCRAM is allowed bu ScramLoginModule is not in broker's jaas.conf
[ https://issues.apache.org/jira/browse/KAFKA-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16826229#comment-16826229 ] koert kuipers commented on KAFKA-7631: -- i think i ran into this. brokers are kafka 2.2.0. my brokers use GSSAPI/kerberos, but i have also have SCRAM enabled for clients that use delegation tokens: sasl.mechanism.inter.broker.protocol=GSSAPI sasl.enabled.mechanisms=GSSAPI,SCRAM-SHA-256,SCRAM-SHA-512 my jaas.conf for brokers has com.sun.security.auth.module.Krb5LoginModule for KafkaClient kafka server log shows: {code} [2019-04-25 12:23:48,108] WARN [SocketServer brokerId=xx] Unexpected error from /x.x.x.x; closing connection (org.apache.kafka.common.network.Selector) java.lang.NullPointerException at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:450) at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:290) at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:173) at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:536) at org.apache.kafka.common.network.Selector.poll(Selector.java:472) at kafka.network.Processor.poll(SocketServer.scala:830) at kafka.network.Processor.run(SocketServer.scala:730) at java.lang.Thread.run(Thread.java:748) {code} my client is spark structured streaming driver, which in spark 3 has kafka delegation support, which is what i am testing. i see here: {code} 2019-04-25 12:23:48 DEBUG org.apache.kafka.common.security.authenticator.SaslClientAuthenticator: Set SASL client state to SEND_HANDSHAKE_REQUEST 2019-04-25 12:23:48 DEBUG org.apache.kafka.common.security.authenticator.SaslClientAuthenticator: Set SASL client state to RECEIVE_HANDSHAKE_RESPONSE 2019-04-25 12:23:48 DEBUG org.apache.kafka.common.security.authenticator.SaslClientAuthenticator: Set SASL client state to INITIAL 2019-04-25 12:23:48 DEBUG org.apache.kafka.common.security.scram.internals.ScramSaslClient: Setting SASL/SCRAM_SHA_512 client state to RECEIVE_SERVER_FIRST_MESSAGE 2019-04-25 12:23:48 DEBUG org.apache.kafka.common.security.authenticator.SaslClientAuthenticator: Set SASL client state to INTERMEDIATE 2019-04-25 12:23:48 DEBUG org.apache.kafka.common.network.Selector: [Consumer clientId=x, groupId=x] Connection with x/x.x.x.x disconnected java.io.EOFException at org.apache.kafka.common.network.NetworkReceive.readFrom(NetworkReceive.java:96) at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.receiveResponseOrToken(SaslClientAuthenticator.java:407) at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.receiveKafkaResponse(SaslClientAuthenticator.java:497) at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.receiveToken(SaslClientAuthenticator.java:435) at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:259) at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:173) at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:536) at org.apache.kafka.common.network.Selector.poll(Selector.java:472) at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:535) at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:265) at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:236) at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:227) at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.awaitMetadataUpdate(ConsumerNetworkClient.java:161) at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:245) at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:317) at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1226) at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1195) at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1135) at org.apache.spark.sql.kafka010.KafkaOffsetReader.$anonfun$fetchLatestOffsets$2(KafkaOffsetReader.scala:217) at org.apache.spark.sql.kafka010.KafkaOffsetReader.$anonfun$withRetriesWithoutInterrupt$1(KafkaOffsetReader.scala:358) at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23) at org.apache.spark.util.UninterruptibleThread.runUninterruptibly(UninterruptibleThread.scala:77) at
[jira] [Commented] (KAFKA-7631) NullPointerException when SCRAM is allowed bu ScramLoginModule is not in broker's jaas.conf
[ https://issues.apache.org/jira/browse/KAFKA-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711771#comment-16711771 ] Andras Beni commented on KAFKA-7631: [~mrsrinivas] none that I know of > NullPointerException when SCRAM is allowed bu ScramLoginModule is not in > broker's jaas.conf > --- > > Key: KAFKA-7631 > URL: https://issues.apache.org/jira/browse/KAFKA-7631 > Project: Kafka > Issue Type: Improvement > Components: security >Affects Versions: 2.0.0 >Reporter: Andras Beni >Assignee: Attila Sasvari >Priority: Minor > > When user wants to use delegation tokens and lists {{SCRAM}} in > {{sasl.enabled.mechanisms}}, but does not add {{ScramLoginModule}} to > broker's JAAS configuration, a null pointer exception is thrown on broker > side and the connection is closed. > Meaningful error message should be logged and sent back to the client. > {code} > java.lang.NullPointerException > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:376) > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:262) > at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:127) > at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:489) > at org.apache.kafka.common.network.Selector.poll(Selector.java:427) > at kafka.network.Processor.poll(SocketServer.scala:679) > at kafka.network.Processor.run(SocketServer.scala:584) > at java.lang.Thread.run(Thread.java:748) > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KAFKA-7631) NullPointerException when SCRAM is allowed bu ScramLoginModule is not in broker's jaas.conf
[ https://issues.apache.org/jira/browse/KAFKA-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711730#comment-16711730 ] Srinivas Reddy commented on KAFKA-7631: --- [~andrasbeni], [~asasvari]: is there any unit test to reproduce this issue? TIA > NullPointerException when SCRAM is allowed bu ScramLoginModule is not in > broker's jaas.conf > --- > > Key: KAFKA-7631 > URL: https://issues.apache.org/jira/browse/KAFKA-7631 > Project: Kafka > Issue Type: Improvement > Components: security >Affects Versions: 2.0.0 >Reporter: Andras Beni >Assignee: Attila Sasvari >Priority: Minor > > When user wants to use delegation tokens and lists {{SCRAM}} in > {{sasl.enabled.mechanisms}}, but does not add {{ScramLoginModule}} to > broker's JAAS configuration, a null pointer exception is thrown on broker > side and the connection is closed. > Meaningful error message should be logged and sent back to the client. > {code} > java.lang.NullPointerException > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:376) > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:262) > at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:127) > at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:489) > at org.apache.kafka.common.network.Selector.poll(Selector.java:427) > at kafka.network.Processor.poll(SocketServer.scala:679) > at kafka.network.Processor.run(SocketServer.scala:584) > at java.lang.Thread.run(Thread.java:748) > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KAFKA-7631) NullPointerException when SCRAM is allowed bu ScramLoginModule is not in broker's jaas.conf
[ https://issues.apache.org/jira/browse/KAFKA-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16687631#comment-16687631 ] Andras Beni commented on KAFKA-7631: [~asasvari], [~viktorsomogyi] you might want to look at this issue. > NullPointerException when SCRAM is allowed bu ScramLoginModule is not in > broker's jaas.conf > --- > > Key: KAFKA-7631 > URL: https://issues.apache.org/jira/browse/KAFKA-7631 > Project: Kafka > Issue Type: Improvement > Components: security >Affects Versions: 2.0.0 >Reporter: Andras Beni >Priority: Minor > > When user wants to use delegation tokens and lists {{SCRAM}} in > {{sasl.enabled.mechanisms}}, but does not add {{ScramLoginModule}} to > broker's JAAS configuration, a null pointer exception is thrown on broker > side and the connection is closed. > Meaningful error message should be logged and sent back to the client. > {code} > java.lang.NullPointerException > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:376) > at > org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:262) > at > org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:127) > at > org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:489) > at org.apache.kafka.common.network.Selector.poll(Selector.java:427) > at kafka.network.Processor.poll(SocketServer.scala:679) > at kafka.network.Processor.run(SocketServer.scala:584) > at java.lang.Thread.run(Thread.java:748) > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005)