-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[JDK 23+15] org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslClientCallbackHandler.handleCallback fails with UnsupportedOperationException #39634
Comments
/cc @Karm (mandrel), @alesj (kafka), @cescoffier (kafka), @galderz (mandrel), @ozangunalp (kafka), @pedroigor (bearer-token), @sberyozkin (bearer-token,security), @zakkak (mandrel) |
Unfortunately there is not much we can do. It's an issue to report in the Apache Kafka Client. |
OK. Feel free to bring this to the Apache Kafka Client team. |
Isn't the security manager supposed to go away? I'm surprised they made it mandatory for some operations? |
Yes the security manager is going away. The reason this change was done was supporting this move. Please see the CSR of this change which should have all the info needed: https://bugs.openjdk.org/browse/JDK-8327134 It appears a possible work-around is to add
Hope that helps. |
@cescoffier Is there an upstream kafka client issue for this? Who would we need to talk to to get it created? I'm hoping to get this on the radar for kafka client folks. |
Yes, it's an issue for Apache Kafka (the upstream project). |
Understood. If possible, could somebody create an upstream issue? That tracker seems invite only and I'm not keen on creating one just for a single bug. Could somebody with an (existing) account there file one? Thanks! |
@ozangunalp do you have an account? @jerboaa let me ping Mickael Maison (working in the AMQ Streams team) |
Thanks! Please let me know once somebody has created an issue. |
@jerboaa There is an existing ticket: https://issues.apache.org/jira/browse/KAFKA-15862. However, it's not planned before the Q3. |
@cescoffier OK, thanks. Whether or not that is a problem for quarkus is something you know better. GraalVM for JDK 23 will get out in September 2024, which is when a fix/known issue for this needs to be in place. |
Yeah, the timing might be problematic. Basically, if it's not fixed before September 2024, it would not be possible to run Quarkus apps using Kafka authentication in native. Note that it's not only Quarkus, it's anything compiling Java to native using GraalVM. |
That's my understanding. At least with GraalVM for JDK 23 (the older GraalVM for JDK 21 would still work). |
Is this still an issue? |
Yes. See graalvm/mandrel#742 (comment) |
The Kafka team has an issue for it too. It should land 'just in time' (September-ish) |
@cescoffier Do you know any update on this? JDK 23 is in RC 2 and there will be a Mandrel for JDK 23 release shortly after JDK 23 GA. Should we start planning on drafting a "known issue" or the like for this, or do you think there will be a fix for it in time still. |
@jerboaa no news so far - there is a keep and a jira (https://issues.apache.org/jira/browse/KAFKA-15862), but nothing in motion. |
Thanks. Sounds like it's going to be a known issue for the Mandrel 24.1 for JDK 23 release. |
@cescoffier Is there a way to advise quarkus users about the issue with the |
Except in the documentation, i don't think we can do much. @ozangunalp do you think we can intercept the exception and log a more meaningful message? |
Last time I checked I couldn't reproduce this on JVM mode with 23.ea.29-open (by simply running the @jerboaa is there anywhere I can get an early access release Mandrel for JDK 23? cc @cescoffier |
@ozangunalp you can get the latest build from https://github.com/graalvm/mandrel/actions/runs/10722382634/artifacts/1896697043 Built in this CI run https://github.com/graalvm/mandrel/actions/runs/10722382634 |
You probably need to exercise this code path:
Not sure if the test does that in all cases. |
That's not about the test code path. I had a |
That would explain it yes. |
The test is known to fail for quite some time generating a lot of CI noise. Let's skip it till quarkusio#39634 is resolved.
The test is known to fail for quite some time generating a lot of CI noise. Let's skip it till quarkusio#39634 is resolved.
The test is known to fail for quite some time generating a lot of CI noise. Let's skip it till quarkusio#39634 is resolved.
The root cause should be fixed in Kafka 4. Until that, we would need the flag (as shown by Ozan) |
Note that |
Hard to say, it will be tricky. |
It seems that all of us who are on JDK 23 or updated projects have been stuck because of Kafka and have posted it in the wrong place. It's not Quarkus' fault but Kafka's. But since this problem doesn't exist on the Internet, then we come to post it here. This is going to be forgotten. You have to link to Java, Kafka and Spring boot. This mainly has to be linked to Kafka/Java to be fixed. |
@drakgoku this is already tracked in Kafka as https://issues.apache.org/jira/browse/KAFKA-15862 and https://cwiki.apache.org/confluence/display/KAFKA/KIP-1006%3A+Remove+SecurityManager+Support As mentioned in spring-projects/spring-kafka#3619 (comment) it would be best if people affected by it could somehow reach the Kafka team. I don't have an account on their issue tracker and I can't really see the comments but it looks like the issue was last updated on 30/Sep/24, and according to @cescoffier it will be fixed in version 4.0.0 Update: You can also try reaching out the Kafka team through their mailing lists https://kafka.apache.org/contact.html |
Tried this config, still not working. :( |
…s not have security manager which is needed by Kafka. More details here - quarkusio/quarkus#39634.
The test is known to fail for quite some time generating a lot of CI noise. Let's skip it till quarkusio#39634 is resolved.
we have been hit by this issue as well trying to upgrade to 23 to solve a graalvm issue fixed in 21, as suggested in a jobrunr issue discussed in this zulip thread. |
Describe the bug
In our Mandrel native integration tests we see new failures since the JDK
23+15
ea build inquarkus-integration-test-kafka-oauth-keycloak-999-SNAPSHOT-runner
tests:See: https://github.com/graalvm/mandrel/actions/runs/8384081617/job/22961614228#step:12:968
I'm pretty sure, though, this isn't a native-only issue but can happen in JVM mode on
JDK 23+15
as well.Expected behavior
No
java.lang.UnsupportedOperationException: getSubject is supported only if a security manager is allowed
is being thrown.Actual behavior
java.lang.UnsupportedOperationException
is being thrown.How to Reproduce?
Build
Integration Tests - Kafka OAUTH with Keycloak
native test and run test with a23-beta+15-ea, vendor version: Mandrel-24.1.0-dev13054560
mandrel build. For example from here.Additional information
This seems to be caused by https://bugs.openjdk.org/browse/JDK-8296244 freshly part of
JDK 23+15
. See the CSR on how to possibly fix it: https://bugs.openjdk.org/browse/JDK-8327134The text was updated successfully, but these errors were encountered: