# org.apache.kafka.common.errors.UnsupportedSaslMechanismException: 代理不支持 SASL 机制 PLAIN

- **ID:** `kafka/unsupported-sasl-mechanism`
- **领域:** kafka
- **类别:** auth_error
- **验证级别:** ai_generated
- **修复率:** 90%

## 根因

客户端配置了代理的 sasl.enabled.mechanisms 配置中未启用的 SASL 机制（例如 PLAIN）。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| Kafka 2.8.0 | active | — | — |
| Kafka 3.0.0 | active | — | — |
| Kafka 3.4.0 | active | — | — |
| Kafka 3.6.0 | active | — | — |

## 解决方案

1. ```
   Enable the required SASL mechanism in the broker's server.properties:

sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256

Then restart the broker. Ensure the JAAS file also configures the mechanism's login module:

KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_alice="alice-secret";
};
   ```
2. ```
   On the client side, switch to a mechanism that the broker already supports. Check the broker logs for supported mechanisms or query via kafka-configs:

kafka-configs --bootstrap-server localhost:9092 --entity-type brokers --entity-name 0 --describe --all | grep sasl.enabled.mechanisms
   ```

## 无效尝试

- **Change the client's SASL mechanism to SCRAM-SHA-256 without enabling it on the broker** — If SCRAM-SHA-256 is also not in sasl.enabled.mechanisms, the same error occurs; the broker must have the mechanism enabled. (90% 失败率)
- **Restart the broker after modifying JAAS config only** — JAAS config provides credentials but does not enable the mechanism; sasl.enabled.mechanisms must be set in server.properties. (95% 失败率)