Regression main container image - SASL "getSubject" not supported #1544

@shoffmeister

Description

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

The current container image on main - https://github.com/orgs/kafbat/packages/container/kafka-ui/590070571?tag=f51df4c - has a problem with SASL connection.

There is an exception coming up with "getSubject" not supported while trying to do an SSL connect to the configured Kafka broker. This leads to CrashLoopBackoff.

This almost certainly is a side-effect from #1355 or #1518

Expected behavior

Software comes up

Your installation details

https://github.com/orgs/kafbat/packages/container/kafka-ui/590070571?tag=f51df4c

-> f51df4c

Steps to reproduce

Start container with f51df4c (previous on slightly beyond 1.4.2)

Screenshots

No response

Logs

2025-12-01T08:10:46.212Z ERROR 1 --- [in-1764576645-1] org.apache.kafka.clients.NetworkClient   : [AdminClient clientId=kafbat-ui-admin-1764576645-1] Connection to node -1 (mynode/xxx.xxx.xxx.xxx:9092) failed authentication due to: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: User name or extensions could not be obtained [Caused by java.lang.UnsupportedOperationException: getSubject is not supported]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.
2025-12-01T08:10:46.213Z  WARN 1 --- [in-1764576645-1] o.a.k.c.a.i.AdminMetadataManager         : [AdminClient clientId=kafbat-ui-admin-1764576645-1] Metadata update failed due to authentication error

org.apache.kafka.common.errors.SaslAuthenticationException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: User name or extensions could not be obtained [Caused by java.lang.UnsupportedOperationException: getSubject is not supported]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.
Caused by: javax.security.sasl.SaslException: User name or extensions could not be obtained
	at org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:113) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslToken$1(SaslClientAuthenticator.java:536) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at java.base/jdk.internal.vm.ScopedValueContainer.callWithoutScope(ScopedValueContainer.java:162) ~[na:na]
	at java.base/jdk.internal.vm.ScopedValueContainer.call(ScopedValueContainer.java:147) ~[na:na]
	at java.base/java.lang.ScopedValue$Carrier.call(ScopedValue.java:419) ~[na:na]
	at java.base/javax.security.auth.Subject.callAs(Subject.java:331) ~[na:na]
	at java.base/javax.security.auth.Subject.doAs(Subject.java:440) ~[na:na]
	at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:536) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslClientToken(SaslClientAuthenticator.java:435) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendInitialToken(SaslClientAuthenticator.java:335) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:276) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:563) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.common.network.Selector.poll(Selector.java:501) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:596) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.processRequests(KafkaAdminClient.java:1542) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1473) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at java.base/java.lang.Thread.run(Thread.java:1474) ~[na:na]
Caused by: java.lang.UnsupportedOperationException: getSubject is not supported
	at java.base/javax.security.auth.Subject.getSubject(Subject.java:277) ~[na:na]
	at org.apache.kafka.common.security.authenticator.SaslClientCallbackHandler.handle(SaslClientCallbackHandler.java:58) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	at org.apache.kafka.common.security.scram.internals.ScramSaslClient.evaluateChallenge(ScramSaslClient.java:105) ~[kafka-clients-7.9.0-ccs.jar!/:na]
	... 17 common frames omitted

2025-12-01T08:10:46.221Z  INFO 1 --- [in-1764576645-1] o.a.kafka.common.utils.AppInfoParser     : App info kafka.admin.client for kafbat-ui-admin-1764576645-1 unregistered
2025-12-01T08:10:46.222Z  INFO 1 --- [in-1764576645-1] o.a.k.c.a.i.AdminMetadataManager         : [AdminClient clientId=kafbat-ui-admin-1764576645-1] Metadata update failed

org.apache.kafka.common.errors.TimeoutException: The AdminClient thread has exited. Call: fetchMetadata

2025-12-01T08:10:46.222Z  INFO 1 --- [in-1764576645-1] o.a.k.c.a.i.AdminMetadataManager         : [AdminClient clientId=kafbat-ui-admin-1764576645-1] Metadata update failed

org.apache.kafka.common.errors.TimeoutException: The AdminClient thread has exited. Call: fetchMetadata

Additional context

No response
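
The lookup that fails at the bottom of the trace (`Subject.getSubject`, reached inside `Subject.doAs`), reproduced stand-alone beside a lookup through `Subject.current()`. This is an added example, not code from the issue or from kafka-clients; the class, record and method names are hypothetical. On a Java runtime where `getSubject` is disabled, as in the log above, the first lookup throws and the second returns the subject.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectLookupDemo {
    // Constructed principal, for illustration only.
    record DemoUser(String name) implements Principal {
        public String getName() { return name; }
    }

    // The lookup at the bottom of the trace (Subject.getSubject).
    @SuppressWarnings("removal")
    static Subject legacyLookup() {
        return Subject.getSubject(java.security.AccessController.getContext());
    }

    // Subject.current() exists since JDK 18; it is resolved reflectively so
    // this also compiles on JDK 17, where the legacy lookup still works.
    static Subject portableLookup() {
        try {
            Method current = Subject.class.getMethod("current");
            return (Subject) current.invoke(null);
        } catch (NoSuchMethodException e) {
            return legacyLookup();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    @SuppressWarnings("removal")
    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new DemoUser("constructed-user"));
        // Same entry point as in the trace: Subject.doAs -> Subject.callAs.
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            try {
                System.out.println("getSubject -> " + legacyLookup().getPrincipals());
            } catch (UnsupportedOperationException e) {
                System.out.println("getSubject -> " + e);
            }
            System.out.println("current    -> " + portableLookup().getPrincipals());
            return null;
        });
        System.out.println("java.version = " + System.getProperty("java.version"));
    }
}
```

Running it with the same Java runtime as the container image shows whether the runtime, rather than the broker or the SASL credentials, is what rejects the lookup.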