kafka network_error ai_generated true

org.apache.kafka.common.errors.NetworkException: The server disconnected before a response was received. Reauthentication required

ID: kafka/network-exception-reauthentication

Fix Rate: 82%
Confidence: 88%
Evidence: 1
First Seen: 2024-01-20

Root Cause

The SASL/SSL session expired, or the broker forced reauthentication because of its configured reauthentication interval, but the client failed to reauthenticate in time.

generic

Official Documentation

https://kafka.apache.org/documentation/#security_sasl_kerberos_reauthentication

Workarounds

  1. (85% success) Enable automatic reauthentication in the client by setting 'sasl.client.callback.handler.class' to a handler that refreshes credentials. For Java clients, implement 'org.apache.kafka.common.security.auth.AuthenticationContext' or use 'org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler'.
  2. (75% success) Increase 'sasl.login.refresh.window.factor' and 'sasl.login.refresh.window.jitter' in the client config to allow more time for credential refresh before expiry.
  3. (80% success) Set 'connections.max.reauth.ms' on the broker to a larger value (e.g., 3600000 for 1 hour) if reauthentication is too frequent, while still maintaining security.

Dead Ends

Common approaches that don't work:

  1. 30% fail

    This weakens security posture and may violate compliance; also, the broker may still force reauth if session tokens expire.

  2. 80% fail

    Reauthentication is per-connection; restarting brokers does not prevent future reauth events and causes downtime.

  3. 90% fail

    This removes authentication, which creates a severe security vulnerability and is not acceptable in production.