kafka
auth_error
ai_generated
true
SASL认证异常:使用SCRAM-SHA-256机制时因无效凭据认证失败
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism SCRAM-SHA-256
ID: kafka/sasl-authentication-failed
80%修复率
87%置信度
1证据数
2024-03-20首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Kafka 3.6.0 | active | — | — | — |
| Kafka 3.7.0 | active | — | — | — |
根因分析
Kafka客户端提供了错误的用户名或密码进行SASL/SCRAM认证,或者凭据未存储在ZooKeeper中。
English
Kafka client provided incorrect username or password for SASL/SCRAM authentication, or the credential is not stored in ZooKeeper.
官方文档
https://kafka.apache.org/documentation/#security_sasl_scram解决方案
-
Verify credentials with `kafka-configs.sh --bootstrap-server localhost:9092 --entity-type users --entity-name myuser --describe` to ensure the user exists and has correct SCRAM credentials.
-
Recreate the SCRAM credential: `kafka-configs.sh --bootstrap-server localhost:9092 --entity-type users --entity-name myuser --alter --add-config 'SCRAM-SHA-256=[password=newpass]'` and update client JAAS file accordingly.
-
Example client JAAS config: `KafkaClient { org.apache.kafka.common.security.scram.ScramLoginModule required username="myuser" password="newpass"; };`
无效尝试
常见但无效的做法:
-
90% 失败
The client still uses the old password, causing repeated authentication failures.
-
50% 失败
It is a security risk and not a fix; it also requires broker reconfiguration.