Reading message fails with SASL_SSL when using consumer groups #317

Closed
jfancher opened this issue Jul 19, 2019 · 3 comments · Fixed by #323
@jfancher

Describe the bug
We have a Kafka cluster configured to use SASL_SSL and SCRAM-SHA-256. Using a Dialer configured with github.com/segmentio/kafka-go/sasl/scram, I am able to:

  • Create a topic
  • Write a message
  • Read the message when not using a consumer group

But when I try to change the reader to use a consumer group, the fetch starts failing with an error originating from scram: server nonce did not extend client nonce

Kafka Version
Kafka 2.1.1

To Reproduce
With a server configured as above:

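package main

import (
	"context"
	"crypto/tls"
	"time"

	kafka "github.com/segmentio/kafka-go"
	"github.com/segmentio/kafka-go/sasl/scram"
)

func main() {
	// SCRAM-SHA-256 mechanism shared by every connection the Dialer opens.
	saslmech, err := scram.Mechanism(scram.SHA256, "my-user", "my-pass")
	if err != nil {
		panic(err)
	}

	dialer := &kafka.Dialer{
		Timeout:       10 * time.Second,
		DualStack:     true,
		SASLMechanism: saslmech,
		TLS: &tls.Config{
			// Disables broker certificate verification, as in the original report.
			InsecureSkipVerify: true,
		},
	}

	// Setting GroupID switches the reader to consumer-group mode.
	rdr := kafka.NewReader(kafka.ReaderConfig{
		Brokers: []string{"my-broker:9094"},
		Topic:   "my-topic",
		Dialer:  dialer,
		GroupID: "my-group",
	})

	// err is already declared above, so assign with = rather than :=.
	_, err = rdr.FetchMessage(context.Background())
	if err != nil {
		panic(err)
	}
}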

This errors on the FetchMessage line with server nonce did not extend client nonce; if I remove the GroupID from the reader config, it reads the message successfully.

@jfancher jfancher added the bug label Jul 19, 2019
@stevevls stevevls self-assigned this Jul 19, 2019
@jfancher
Author

I did a bit more debugging, and have hit upon an important detail -- I am not able to reproduce this against a topic that has only one partition. By adding a Logger I can also see that including a consumer group does some work in parallel per-partition, further indicating some kind of synchronization issue.

@stevevls
Contributor

Hi @jfancher. Thanks for the bug report, and the additional info regarding the single topic case. With that extra info, I think you've hit upon a flaw in our SASL implementation--the sasl.Mechanism is stateful, so when you have multiple goroutines using the Dialer, they're clobbering each other's stage. I'll have to think on a way to fix it while still preserving API compatibility.

stevevls pushed a commit that referenced this issue Jul 23, 2019
While this is a breaking change for the sasl.Mechanism interface, it's
not expected that library clients are implementing said interface
as Kafka only accepts a very specific set of mechanisms.

Fixes #317
stevevls pushed a commit that referenced this issue Jul 24, 2019
While this is a breaking change for the sasl.Mechanism interface, it's
not expected that library clients are implementing said interface
as Kafka only accepts a very specific set of mechanisms.

Fixes #317
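
The failure mode discussed in this thread, replayed deterministically as an added example (this is not kafka-go's code or its actual fix). The types sharedMech and session and the interleaving order are hypothetical, and the handshake is reduced to the single SCRAM nonce check behind the reported error.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var errNonce = errors.New("server nonce did not extend client nonce")

func newNonce() string {
	b := make([]byte, 8)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// session (hypothetical) holds one handshake's state and checks the server nonce.
type session struct{ nonce string }
func (s *session) Next(serverNonce string) error {
	if !strings.HasPrefix(serverNonce, s.nonce) {
		return errNonce
	}
	return nil
}

// sharedMech (hypothetical) keeps that state on the mechanism, shared by all connections.
type sharedMech struct{ session }
func (m *sharedMech) Start() string { m.nonce = newNonce(); return m.nonce }

// interleaveShared: connection A starts, B starts, then A's server reply arrives.
func interleaveShared() error {
	m := &sharedMech{}
	a := m.Start()
	m.Start()                        // connection B overwrites A's nonce
	return m.Next(a + newNonce()) // constructed reply that correctly extends A's nonce
}

// interleavePerSession: the same ordering with one session per connection.
func interleavePerSession() error {
	a, b := &session{nonce: newNonce()}, &session{nonce: newNonce()}
	if err := a.Next(a.nonce + newNonce()); err != nil {
		return err
	}
	return b.Next(b.nonce + newNonce())
}

func main() { fmt.Println(interleaveShared(), "|", interleavePerSession()) }
```

The shared mechanism rejects a server reply that is valid for connection A because it compares against connection B's nonce; with state scoped to each handshake, both replies verify.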
@mcauto

mcauto commented Jul 25, 2022

It still does not seem to support sasl_ssl.
