org.apache.kafka.common.errors.PrincipalDeserializationException: 无法从字节反序列化主体
org.apache.kafka.common.errors.PrincipalDeserializationException: Failed to deserialize principal from bytes
ID: kafka/principal-deserialization-failure
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| kafka_2.13-3.4.0 | active | — | — | — |
| kafka_2.13-3.5.1 | active | — | — | — |
| kafka_2.13-3.6.0 | active | — | — | — |
根因分析
Kafka 代理无法从认证令牌反序列化主体对象,通常是由于自定义主体构建器类不可用或序列化格式不兼容。
English
Kafka broker cannot deserialize the principal object from the authentication token, often due to a custom principal builder class not being available or incompatible serialization format.
官方文档
https://kafka.apache.org/documentation/#security_authz解决方案
-
Add the custom principal builder JAR to the Kafka broker classpath (e.g., in `libs/` directory) and verify the `principal.builder.class` property in `server.properties` matches the fully qualified class name.
-
If using SASL/PLAIN, switch to a simpler authentication mechanism that uses the default principal builder, e.g., set `sasl.enabled.mechanisms=PLAIN` and `principal.builder.class=org.apache.kafka.common.security.authenticate.DefaultPrincipalBuilder` in `server.properties`, then restart brokers.
-
Ensure the custom principal builder class implements `org.apache.kafka.common.security.auth.PrincipalBuilder` and is serializable; recompile with the same Kafka version as the broker.
无效尝试
常见但无效的做法:
-
95% 失败
The missing custom principal builder class is not loaded at startup; restarting does not add it to the classpath.
-
90% 失败
The issue is in the deserialization code, not in persisted data; clearing logs removes data but does not fix the class loading.
-
80% 失败
If the authentication token was serialized with a custom builder, the default builder cannot deserialize it, causing the same error.