Skip to content

NIFI-16077 Change default Security Protocol for Kafka components from PLAINTEXT to SSL#11394

Merged
exceptionfactory merged 1 commit into
apache:mainfrom
wojtre:NIFI-16077
Jul 6, 2026
Merged

NIFI-16077 Change default Security Protocol for Kafka components from PLAINTEXT to SSL#11394
exceptionfactory merged 1 commit into
apache:mainfrom
wojtre:NIFI-16077

Conversation

@wojtre

@wojtre wojtre commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

NIFI-16077

Changes the default value of the shared Security Protocol property (KafkaClientComponent.SECURITY_PROTOCOL) from PLAINTEXT to SSL. The descriptor is defined once in the shared KafkaClientComponent interface and reused by ConsumeKafka, PublishKafka and the Kafka connection service, so a single change applies the new default uniformly.

Motivation

When security.protocol is set to a plaintext variant (e.g. SASL_PLAINTEXT) while the broker actually requires TLS, the Kafka client reads the returned TLS alert record as a message length (0x15030300, ~336 MB) and attempts to allocate that amount per broker connection, exhausting the heap and causing an OOM crash-loop within ~30-60s. The root cause lives in the Kafka client (KAFKA-4090, open since 2016 and unresolved), so NiFi cannot prevent it directly — but a TLS-based default meaningfully reduces the chance of falling into this trap.

SSL is used as the default rather than SASL_SSL so that transport security is enabled without also mandating SASL authentication. The property is required, so existing flows already persist an explicit value and are unaffected. The new default primarily impacts newly added components on the canvas.

Verification

Built nifi-kafka-shared and related modules and ran the unit tests for nifi-kafka-shared, nifi-kafka-service-shared, nifi-kafka-3-service, nifi-kafka-service-aws and nifi-kafka-processors — all pass. Tests that exercise the protocol set it explicitly, so none depend on the previous default.

🤖 Generated with Claude Code

@wojtre wojtre force-pushed the NIFI-16077 branch 2 times, most recently from 2d47726 to 5685f69 Compare July 6, 2026 09:38
@wojtre wojtre changed the title NIFI-16077 Change default Security Protocol for Kafka components from PLAINTEXT to SASL_SSL NIFI-16077 Change default Security Protocol for Kafka components from PLAINTEXT to SSL Jul 6, 2026
… PLAINTEXT to SSL

Changed the default value of the shared "Security Protocol" property
(KafkaClientComponent.SECURITY_PROTOCOL) from PLAINTEXT to SSL. This
descriptor is defined once and reused by ConsumeKafka, PublishKafka and
the Kafka connection service, so the new default applies uniformly.

When security.protocol is set to a plaintext variant while the broker
requires TLS, the Kafka client reads the returned TLS alert record as a
message length (0x15030300, ~336 MB) and attempts to allocate that per
broker connection, exhausting the heap and causing an OOM crash-loop
within ~30-60s. The root cause is in the Kafka client (KAFKA-4090, open
since 2016), so NiFi cannot prevent it directly; defaulting to a
TLS-based protocol significantly reduces the risk of falling into this
trap.

SSL is used as the default rather than SASL_SSL so that transport
security is enabled without also mandating SASL authentication. The
property is required, so existing flows already persist an explicit
value and are unaffected; the new default primarily impacts newly added
components on the canvas.

Integration tests that exercise a plaintext broker
(Kafka3ConnectionServiceBaseIT and AbstractKafkaBaseIT) previously relied
on the PLAINTEXT default and now set the Security Protocol to PLAINTEXT
explicitly, matching how the SSL and SASL variants already configure it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@exceptionfactory exceptionfactory left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for proposing this change @wojtre. Based on the issue described with the Kafka Client behavior and TLS, plus the use of TLS as a general best practice, this change looks good. +1 merging

@exceptionfactory exceptionfactory merged commit a0dc20b into apache:main Jul 6, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants