kafka
auth_error
ai_generated
true
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism SCRAM-SHA-256
ID: kafka/sasl-authentication-failed
Fix Rate: 80%
Confidence: 87%
Evidence: 1
First Seen: 2024-03-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Kafka 3.6.0 | active | — | — | — |
| Kafka 3.7.0 | active | — | — | — |
Root Cause
The Kafka client provided an incorrect username or password for SASL/SCRAM authentication, or the credential is not stored in ZooKeeper.
Official Documentation
https://kafka.apache.org/documentation/#security_sasl_scram
Workarounds
- 85% success: Verify credentials with `kafka-configs.sh --bootstrap-server localhost:9092 --entity-type users --entity-name myuser --describe` to ensure the user exists and has correct SCRAM credentials.
- 90% success: Recreate the SCRAM credential: `kafka-configs.sh --bootstrap-server localhost:9092 --entity-type users --entity-name myuser --alter --add-config 'SCRAM-SHA-256=[password=newpass]'` and update the client JAAS file accordingly.
- 88% success: Example client JAAS config: `KafkaClient { org.apache.kafka.common.security.scram.ScramLoginModule required username="myuser" password="newpass"; };`
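Why a stale or mistyped client password produces this exception, as an added example (not from the original page or the Kafka project): a minimal RFC 5802 SCRAM-SHA-256 proof check from the broker's side. The salt, iteration count, auth message and function names are constructed for illustration, and SASLprep normalization is skipped (ASCII passwords assumed).

```python
import hashlib
import hmac

# Constructed sample values, not taken from a real broker.
SALT = bytes(range(16))
ITERATIONS = 4096
AUTH_MESSAGE = b"n=myuser,r=cnonce,r=cnoncesnonce,s=AAECAw==,i=4096,c=biws,r=cnoncesnonce"

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def client_key(password: str, salt: bytes, iterations: int) -> bytes:
    # SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA256
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac_sha256(salted, b"Client Key")

def stored_credential(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> dict:
    # The server side keeps StoredKey = H(ClientKey), never the password itself.
    key = client_key(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(key).digest()}

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    key = client_key(password, salt, iterations)
    signature = hmac_sha256(hashlib.sha256(key).digest(), auth_message)
    return bytes(a ^ b for a, b in zip(key, signature))

def broker_verify(credential, auth_message: bytes, proof: bytes) -> bool:
    if credential is None:  # user has no SCRAM credential stored
        return False
    signature = hmac_sha256(credential["stored_key"], auth_message)
    recovered = bytes(a ^ b for a, b in zip(proof, signature))
    # Authentication succeeds only if H(recovered ClientKey) equals StoredKey.
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), credential["stored_key"])

def check_login(credential, client_password: str, auth_message: bytes = AUTH_MESSAGE) -> bool:
    if credential is None:
        return False
    proof = client_proof(client_password, credential["salt"],
                         credential["iterations"], auth_message)
    return broker_verify(credential, auth_message, proof)

if __name__ == "__main__":
    cred = stored_credential("newpass")  # credential after --alter --add-config
    print("client uses newpass:", check_login(cred, "newpass"))
    print("client still uses oldpass:", check_login(cred, "oldpass"))
    print("user has no credential:", check_login(None, "newpass"))
```
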
Dead Ends
Common approaches that don't work:
- 90% fail: The client still uses the old password, causing repeated authentication failures.
- 50% fail: It is a security risk and not a fix; it also requires broker reconfiguration.