Kafka Schema Registry with basic authentication not working in native mode

[missourian55]

Describe the bug
When accessing schema registry in native mode, the basic authentication is not working and I am getting 401 unauthorized. It works good in the JVM mode

In Native mode below properties are not honored.

kafka.basic.auth.credentials.source=USER_INFO
kafka.basic.auth.user.info=user:pass

stacktrace

2021-03-03 18:43:05,304 ERROR [io.sma.rea.mes.kafka] (vert.x-eventloop-thread-1) SRMSG18206: Unable to write to Kafka from channel movies (topic: movies): org.apache.kafka.common.errors.InvalidConfigurationException: Unauthorized; error code: 401

Expected behavior
Schema registry with basic authentication works in native mode similar to JVM mode

Configuration

kafka.bootstrap.servers=somehost.us-east4.gcp.confluent.cloud:9092
kafka.security.protocol=SASL_SSL
kafka.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule  \
required username='secretuser'  \
password='pass';
kafka.sasl.mechanism=PLAIN
kafka.acks=all
kafka.schema.registry.url=https://someurl.confluent.cloud
kafka.basic.auth.credentials.source=USER_INFO
kafka.basic.auth.user.info=user:pass


mp.messaging.outgoing.movies.connector=smallrye-kafka
mp.messaging.outgoing.movies.topic=movies
mp.messaging.outgoing.movies.value.serializer=io.confluent.kafka.serializers.KafkaAvroSerializer
mp.messaging.outgoing.movies.schema.registry.url=${kafka.schema.registry.url}
mp.messaging.outgoing.movies.specific.avro.reader=true



mp.messaging.incoming.movies-from-kafka.connector=smallrye-kafka
mp.messaging.incoming.movies-from-kafka.topic=movies
mp.messaging.incoming.movies-from-kafka.value.deserializer=io.confluent.kafka.serializers.KafkaAvroDeserializer
mp.messaging.incoming.movies-from-kafka.auto.offset.reset=earliest
mp.messaging.incoming.movies-from-kafka.enable.auto.commit=false
mp.messaging.incoming.movies-from-kafka.group.id=movies
mp.messaging.incoming.movies-from-kafka.schema.registry.url=${kafka.schema.registry.url}
mp.messaging.incoming.movies-from-kafka.specific.avro.reader=true

Screenshots
(If applicable, add screenshots to help explain your problem.)

Environment (please complete the following information):

• Output of uname -a or ver: Linux x64
• Output of java -version: Java 11
• GraalVM version (if different from Java):
• Quarkus version or git rev: 1.12.0.Final
• Build tool (ie. output of mvnw --version or gradlew --version): mvnw

Additional context
(Add any other context about the problem here.)

[quarkus-bot]

/cc @cescoffier

[cescoffier]

Can you provide a reproducer? It seems that the underlying Http client used by the Confluent Avro serde do not get the authentication data.

[missourian55]

Can you provide a reproducer? It seems that the underlying Http client used by the Confluent Avro serde do not get the authentication data.

Please find attached the reproducer

I can share the credentials of confluent cloud/schema registry through private DM if you want

[missourian55]

You gave me a clue on the underlying HTTP client of Confluent Avro Serde. After doing some reverse engineering, I landed on below class which uses ServiceLoader

https://github.com/confluentinc/schema-registry/blob/master/client/src/main/java/io/confluent/kafka/schemaregistry/client/security/basicauth/BasicAuthCredentialProviderFactory.java

Once I enabled this in application properties and build a native image, everything works as expected.

quarkus.native.auto-service-loader-registration=true

Thanks again for the insights. Is this info worthwhile to add in documentation?

[cescoffier]

Awesome!

With that, I can extend the Kafka extension to do that automatically (register the service implementation).