I recently attempted to add an Oauth listener to an existing Kafka broker that uses Kerberos for authentication. The result was that all communication to the broker immediately started failing with the following error:
[2023-10-17 19:51:41,330] ERROR Exception while processing request from 10.XXX.XXX.XX:9094-10.XXX.XXX.XXX:52800-0 (kafka.network.Processor)
java.lang.NullPointerException
at org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder.applyKerberosShortNamer(DefaultKafkaPrincipalBuilder.java:146)
at org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder.build(DefaultKafkaPrincipalBuilder.java:135)
at io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder.build(OAuthKafkaPrincipalBuilder.java:166)
at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.principal(SaslServerAuthenticator.java:314)
at org.apache.kafka.common.network.KafkaChannel.principal(KafkaChannel.java:162)
at kafka.network.Processor.$anonfun$processCompletedReceives$1(SocketServer.scala:1026)
at java.base/java.util.LinkedHashMap$LinkedValues.forEach(LinkedHashMap.java:608)
at kafka.network.Processor.processCompletedReceives(SocketServer.scala:1008)
at kafka.network.Processor.run(SocketServer.scala:893)
at java.base/java.lang.Thread.run(Thread.java:829)
My analysis of the problem is as follows:
The principal builder extends the DefaultKafkaPrincipalBuilder but it just passes nulls to the two objects, SslPrincipalMapper and KerberosShortNamer in the super class constructor. For the first object, some reflection is used to initialize it anyway, but this is not done for the KerberosShortNamer. The result is that, if this principal builder is used on a broker that has a listener configured for Kerberos authentication, a null pointer exception is thrown here whenever a client tries to authenticate. Since my goal is to add an Oauth listener in-place to an existing Kafka cluster and then begin migrating clients from Kerberos to Oauth, this is a huge problem. As far as I know, there is no way to configure a principal builder for a single listener.
I have a PR out (#207) with a small change that fixes the problem for me.
I recently attempted to add an Oauth listener to an existing Kafka broker that uses Kerberos for authentication. The result was that all communication to the broker immediately started failing with the following error:
My analysis of the problem is as follows:
The principal builder extends the DefaultKafkaPrincipalBuilder but it just passes nulls to the two objects, SslPrincipalMapper and KerberosShortNamer in the super class constructor. For the first object, some reflection is used to initialize it anyway, but this is not done for the KerberosShortNamer. The result is that, if this principal builder is used on a broker that has a listener configured for Kerberos authentication, a null pointer exception is thrown here whenever a client tries to authenticate. Since my goal is to add an Oauth listener in-place to an existing Kafka cluster and then begin migrating clients from Kerberos to Oauth, this is a huge problem. As far as I know, there is no way to configure a principal builder for a single listener.
I have a PR out (#207) with a small change that fixes the problem for me.