Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SASL Authentication Failed Error #1183

Open
solpagolaae opened this issue Aug 17, 2023 · 2 comments
Open

SASL Authentication Failed Error #1183

solpagolaae opened this issue Aug 17, 2023 · 2 comments
Assignees
@petedannemann
Labels
bug

Comments

@solpagolaae
Copy link

When we try to produce a message to the kafka topic we receive this error "kafka.(*Client).Produce: [58] SASL Authentication Failed: SASL Authentication failed: [####]: Session too short."

Looking at the code we can identify that "SASL Authentication Failed" is produced when we got an EOF error, calling authenticateSASL(), specifically when we try to send a request to a kafka broker, as "kafka.(*Client).Produce" is part of the error and produced Produce() method from produce.go.
But we couldn't find where "Session too short" is added to the error.

This error when we retry is recovered, but we need to discover what is causing the issue.

Kafka Version

  • What version(s) of Kafka are you testing against?3.2.0
  • What version of kafka-go are you using?v.0.4.38

We don't have the steps to reproduce the issue.

Resources to reproduce the behavior:

We were using https://github.com/segmentio/kafka-go/tree/f4ca0b48296538eb5639027cd83f40a3828caf7d/sasl/aws_msk_iam, but now we migrated to https://github.com/segmentio/kafka-go/tree/f4ca0b48296538eb5639027cd83f40a3828caf7d/sasl/aws_msk_iam_v2, in both versions we are seeing the same error.

Definition of saslMechanism for IAM v2 that we have:
config --> "github.com/aws/aws-sdk-go-v2/config"

    cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(appConfig.AwsRegion))
saslMechanism := aws_msk_iam_v2.NewMechanism(cfg)

For Dialer and Transport:
kafka -->"github.com/segmentio/kafka-go"

dialer = &kafka.Dialer{
	Timeout:       appConfig.DialTimeout,
	DualStack:     true,
	SASLMechanism: saslMechanism,
	TLS:           &tls.Config{},
}
transport = &kafka.Transport{
	SASL:        saslMechanism,
	TLS:         &tls.Config{},
	MetadataTTL: appConfig.MetadataTtl,
}

Expected Behavior

Do not have the error.
It'd be useful also to add more details into the error logs of this function, to identify exactly where it's generated.

Additional Context

Could this be related to https://cwiki.apache.org/confluence/display/KAFKA/KIP-368%3A+Allow+SASL+Connections+to+Periodically+Re-Authenticate#KIP368:AllowSASLConnectionstoPeriodicallyReAuthenticate-DelayingSupportforBrokersKillingConnections ?
@petedannemann
Copy link
Contributor

I think this is likely due to the same underlying issue as #1093, which is exactly what you mentioned at the bottom of your issue about us needing to support re authentication. kafka-go does not currently support that

@petedannemann
Copy link
Contributor

This comment here maybe provides some more insight twmb/franz-go#249 (comment)

@petedannemann petedannemann self-assigned this Sep 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@petedannemann petedannemann

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@petedannemann @solpagolaae