{ "id": "kafka/network-exception-reauthentication", "signature": "org.apache.kafka.common.errors.NetworkException: The server disconnected before a response was received. Reauthentication required", "signature_zh": "org.apache.kafka.common.errors.NetworkException:服务器在收到响应前断开连接。需要重新认证", "regex": "NetworkException.*Reauthentication required", "domain": "kafka", "category": "network_error", "subcategory": null, "root_cause": "SASL/SSL session expired or broker forced reauthentication due to configured reauthentication interval, but client failed to reauthenticate in time.", "root_cause_type": "generic", "root_cause_zh": "SASL/SSL会话过期或代理因配置的重新认证间隔而强制重新认证,但客户端未能及时重新认证。", "versions": [], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "This weakens security posture and may violate compliance; also, the broker may still force reauth if session tokens expire.", "fail_rate": 0.3, "condition": "", "sources": [] }, { "action": "", "why_fails": "Reauthentication is per-connection; restarting brokers does not prevent future reauth events and causes downtime.", "fail_rate": 0.8, "condition": "", "sources": [] }, { "action": "", "why_fails": "This removes authentication, creating a severe security vulnerability and is not acceptable in production.", "fail_rate": 0.9, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Enable automatic reauthentication in client by setting 'sasl.client.callback.handler.class' to a handler that refreshes credentials. For Java clients, implement 'org.apache.kafka.common.security.auth.AuthenticationContext' or use 'org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler'.", "success_rate": 0.85, "how": "Enable automatic reauthentication in client by setting 'sasl.client.callback.handler.class' to a handler that refreshes credentials. For Java clients, implement 'org.apache.kafka.common.security.auth.AuthenticationContext' or use 'org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler'.", "condition": "", "sources": [] }, { "action": "Increase 'sasl.login.refresh.window.factor' and 'sasl.login.refresh.window.jitter' in client config to allow more time for credential refresh before expiry.", "success_rate": 0.75, "how": "Increase 'sasl.login.refresh.window.factor' and 'sasl.login.refresh.window.jitter' in client config to allow more time for credential refresh before expiry.", "condition": "", "sources": [] }, { "action": "Set 'connections.max.reauth.ms' on the broker to a larger value (e.g., 3600000 for 1 hour) if reauthentication is too frequent, while still maintaining security.", "success_rate": 0.8, "how": "Set 'connections.max.reauth.ms' on the broker to a larger value (e.g., 3600000 for 1 hour) if reauthentication is too frequent, while still maintaining security.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Enable automatic reauthentication in client by setting 'sasl.client.callback.handler.class' to a handler that refreshes credentials. For Java clients, implement 'org.apache.kafka.common.security.auth.AuthenticationContext' or use 'org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler'.", "Increase 'sasl.login.refresh.window.factor' and 'sasl.login.refresh.window.jitter' in client config to allow more time for credential refresh before expiry.", "Set 'connections.max.reauth.ms' on the broker to a larger value (e.g., 3600000 for 1 hour) if reauthentication is too frequent, while still maintaining security." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://kafka.apache.org/documentation/#security_sasl_kerberos_reauthentication", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.82, "resolvable": "true", "first_seen": "2024-01-20", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }