{
  "id": "kafka/principal-deserialization-failure",
  "signature": "org.apache.kafka.common.errors.PrincipalDeserializationException: Failed to deserialize principal from bytes",
  "signature_zh": "org.apache.kafka.common.errors.PrincipalDeserializationException: 无法从字节反序列化主体",
  "regex": "PrincipalDeserializationException.*Failed to deserialize principal",
  "domain": "kafka",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "Kafka broker cannot deserialize the principal object from the authentication token, often due to a custom principal builder class not being available or incompatible serialization format.",
  "root_cause_type": "generic",
  "root_cause_zh": "Kafka 代理无法从认证令牌反序列化主体对象，通常是由于自定义主体构建器类不可用或序列化格式不兼容。",
  "versions": [
    {
      "version": "kafka_2.13-3.4.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "kafka_2.13-3.5.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "kafka_2.13-3.6.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The missing custom principal builder class is not loaded at startup; restarting does not add it to the classpath.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The issue is in the deserialization code, not in persisted data; clearing logs removes data but does not fix the class loading.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "If the authentication token was serialized with a custom builder, the default builder cannot deserialize it, causing the same error.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Add the custom principal builder JAR to the Kafka broker classpath (e.g., in `libs/` directory) and verify the `principal.builder.class` property in `server.properties` matches the fully qualified class name.",
      "success_rate": 0.85,
      "how": "Add the custom principal builder JAR to the Kafka broker classpath (e.g., in `libs/` directory) and verify the `principal.builder.class` property in `server.properties` matches the fully qualified class name.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If using SASL/PLAIN, switch to a simpler authentication mechanism that uses the default principal builder, e.g., set `sasl.enabled.mechanisms=PLAIN` and `principal.builder.class=org.apache.kafka.common.security.authenticate.DefaultPrincipalBuilder` in `server.properties`, then restart brokers.",
      "success_rate": 0.75,
      "how": "If using SASL/PLAIN, switch to a simpler authentication mechanism that uses the default principal builder, e.g., set `sasl.enabled.mechanisms=PLAIN` and `principal.builder.class=org.apache.kafka.common.security.authenticate.DefaultPrincipalBuilder` in `server.properties`, then restart brokers.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Ensure the custom principal builder class implements `org.apache.kafka.common.security.auth.PrincipalBuilder` and is serializable; recompile with the same Kafka version as the broker.",
      "success_rate": 0.9,
      "how": "Ensure the custom principal builder class implements `org.apache.kafka.common.security.auth.PrincipalBuilder` and is serializable; recompile with the same Kafka version as the broker.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Add the custom principal builder JAR to the Kafka broker classpath (e.g., in `libs/` directory) and verify the `principal.builder.class` property in `server.properties` matches the fully qualified class name.",
    "If using SASL/PLAIN, switch to a simpler authentication mechanism that uses the default principal builder, e.g., set `sasl.enabled.mechanisms=PLAIN` and `principal.builder.class=org.apache.kafka.common.security.authenticate.DefaultPrincipalBuilder` in `server.properties`, then restart brokers.",
    "Ensure the custom principal builder class implements `org.apache.kafka.common.security.auth.PrincipalBuilder` and is serializable; recompile with the same Kafka version as the broker."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://kafka.apache.org/documentation/#security_authz",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.78,
  "resolvable": "true",
  "first_seen": "2023-09-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}