NIFI-16077 Change default Security Protocol for Kafka components from PLAINTEXT to SSL#11394
Merged
Merged
Conversation
2d47726 to
5685f69
Compare
… PLAINTEXT to SSL Changed the default value of the shared "Security Protocol" property (KafkaClientComponent.SECURITY_PROTOCOL) from PLAINTEXT to SSL. This descriptor is defined once and reused by ConsumeKafka, PublishKafka and the Kafka connection service, so the new default applies uniformly. When security.protocol is set to a plaintext variant while the broker requires TLS, the Kafka client reads the returned TLS alert record as a message length (0x15030300, ~336 MB) and attempts to allocate that per broker connection, exhausting the heap and causing an OOM crash-loop within ~30-60s. The root cause is in the Kafka client (KAFKA-4090, open since 2016), so NiFi cannot prevent it directly; defaulting to a TLS-based protocol significantly reduces the risk of falling into this trap. SSL is used as the default rather than SASL_SSL so that transport security is enabled without also mandating SASL authentication. The property is required, so existing flows already persist an explicit value and are unaffected; the new default primarily impacts newly added components on the canvas. Integration tests that exercise a plaintext broker (Kafka3ConnectionServiceBaseIT and AbstractKafkaBaseIT) previously relied on the PLAINTEXT default and now set the Security Protocol to PLAINTEXT explicitly, matching how the SSL and SASL variants already configure it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
exceptionfactory
approved these changes
Jul 6, 2026
exceptionfactory
left a comment
Contributor
There was a problem hiding this comment.
Thanks for proposing this change @wojtre. Based on the issue described with the Kafka Client behavior and TLS, plus the use of TLS as a general best practice, this change looks good. +1 merging
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
NIFI-16077
Changes the default value of the shared Security Protocol property (
KafkaClientComponent.SECURITY_PROTOCOL) fromPLAINTEXTtoSSL. The descriptor is defined once in the sharedKafkaClientComponentinterface and reused byConsumeKafka,PublishKafkaand the Kafka connection service, so a single change applies the new default uniformly.Motivation
When
security.protocolis set to a plaintext variant (e.g.SASL_PLAINTEXT) while the broker actually requires TLS, the Kafka client reads the returned TLS alert record as a message length (0x15030300, ~336 MB) and attempts to allocate that amount per broker connection, exhausting the heap and causing an OOM crash-loop within ~30-60s. The root cause lives in the Kafka client (KAFKA-4090, open since 2016 and unresolved), so NiFi cannot prevent it directly — but a TLS-based default meaningfully reduces the chance of falling into this trap.SSLis used as the default rather thanSASL_SSLso that transport security is enabled without also mandating SASL authentication. The property isrequired, so existing flows already persist an explicit value and are unaffected. The new default primarily impacts newly added components on the canvas.Verification
Built
nifi-kafka-sharedand related modules and ran the unit tests fornifi-kafka-shared,nifi-kafka-service-shared,nifi-kafka-3-service,nifi-kafka-service-awsandnifi-kafka-processors— all pass. Tests that exercise the protocol set it explicitly, so none depend on the previous default.🤖 Generated with Claude Code