fix: reset _authentication_state to none by AldoFusterTurpin · Pull Request #30409 · redpanda-data/redpanda

AldoFusterTurpin · 2026-05-07T16:10:15Z

I am not a C++ developer (good memories from college 😆 ), but I was investigating this issue I faced and then I discovered this...

When the schema registry client tries to connect to a broker, it calls connect_with_retries() → connect() → do_connect(), which opens a TCP+TLS connection and stores it in _fd. Then maybe_authenticate() is called and throws sasl_authentication_failed.

State after auth failure:

_fd = non-null (TLS socket open, TCP alive) → is_valid() = true
_authentication_state = in_progress (never reset to none)

Every subsequent retry (every ~20s):

maybe_initialize_connection() checks: is_valid()==true AND needs_authentication()==false (state is in_progress, not none)
Returns early. The broker is permanently stuck, it thinks it has a valid connection that doesn't need authentication, but authentication never succeeded.

The TCP connection eventually drops (keepalive timeout). Then is_valid() = false, connect_with_retries() proceeds, allocates a new connection, auth fails again, and the cycle repeats. The broker never successfully authenticates.

What call is missing: the catch block in maybe_authenticate() needs to reset _authentication_state to none so that the next retry actually attempts to reconnect and re-authenticate:

    } catch (...) {
        _authentication_state = auth_state::none;  // allow retry to reconnect and re-authenticate
        vlog(_logger.warn, "Authentication error - {}", std::current_exception());
        throw;
    }

The TLDR; We do the code change so the next call to maybe_initialize_connection() sees needs_authentication()==true and retries the full reconnect+authenticate sequence instead of returning early.

Backports Required

Release Notes

Bug Fixes

Fix Kafka client broker getting stuck in in_progress authentication state after a SASL authentication failure, preventing subsequent retries from re-attempting authentication.

CLAassistant · 2026-05-07T16:10:23Z

All committers have signed the CLA.

Copilot

Pull request overview

Fixes a Kafka client broker-connection edge case where a SASL authentication failure could leave remote_broker stuck in an in_progress authentication state, preventing subsequent retries from re-attempting authentication.

Changes:

Reset _authentication_state back to auth_state::none when maybe_authenticate() throws, enabling future authentication attempts on retry.

dotnwat · 2026-05-07T23:20:14Z

Thanks!

So the next call to maybe_initialize_connection() sees needs_authentication()==true and retries the full reconnect+authenticate sequence instead of returning early

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

1. Connect successfully first so the cluster is running and brokers exist 2. Swap in wrong credentials and force a reconnect via restart(): this causes the existing broker instance to reconnect and hit maybe_authenticate() with bad credentials 3. After the expected failure, restore correct credentials 4. Dispatch again: this is the moment that exercises the fix: the same broker instance calls maybe_initialize_connection() -> maybe_authenticate(), and with the fix _authentication_state is none so it retries; without the fix it's in_progress so it skips auth silently and fails

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings May 7, 2026 16:10

github-actions Bot added the area/redpanda label May 7, 2026

Copilot started reviewing on behalf of AldoFusterTurpin May 7, 2026 16:10 View session

AldoFusterTurpin mentioned this pull request May 7, 2026

Health reporting cache reports false leaderless/under-replicated partitions, causing sidecar readiness probe failures #30385

Open

AldoFusterTurpin force-pushed the aldo/_authentication_state-to-none branch from 9187616 to 3ef13f3 Compare May 7, 2026 16:13

Copilot AI reviewed May 7, 2026

View reviewed changes

Comment thread src/v/kafka/client/broker.cc

WillemKauf requested review from dotnwat and mmaslankaprv May 7, 2026 21:06

dotnwat requested review from oleiman and pgellert May 7, 2026 23:19

AldoFusterTurpin force-pushed the aldo/_authentication_state-to-none branch 3 times, most recently from ea5dcfd to f73b1e2 Compare May 9, 2026 10:11

kafka/client: reset _authentication_state to none on auth failure

fd110cb

So the next call to maybe_initialize_connection() sees needs_authentication()==true and retries the full reconnect+authenticate sequence instead of returning early

AldoFusterTurpin force-pushed the aldo/_authentication_state-to-none branch from f73b1e2 to 587600b Compare May 9, 2026 11:34

AldoFusterTurpin requested a review from Copilot May 9, 2026 11:34

Copilot started reviewing on behalf of AldoFusterTurpin May 9, 2026 11:35 View session

Copilot AI reviewed May 9, 2026

View reviewed changes

Comment thread src/v/kafka/client/test/reconnect.cc

Comment thread src/v/kafka/client/test/reconnect.cc Outdated

Comment thread src/v/kafka/client/test/reconnect.cc Outdated

Comment thread src/v/kafka/client/test/reconnect.cc Outdated

AldoFusterTurpin requested a review from Copilot May 9, 2026 14:48

Copilot started reviewing on behalf of AldoFusterTurpin May 9, 2026 14:49 View session

Copilot AI reviewed May 9, 2026

View reviewed changes

Comment thread src/v/kafka/client/test/reconnect.cc

Comment thread src/v/kafka/client/test/reconnect.cc

AldoFusterTurpin force-pushed the aldo/_authentication_state-to-none branch 2 times, most recently from b32eb45 to 0a3ddf8 Compare May 9, 2026 15:14

AldoFusterTurpin force-pushed the aldo/_authentication_state-to-none branch from 0a3ddf8 to ec188ee Compare May 9, 2026 15:18

AldoFusterTurpin requested a review from Copilot May 9, 2026 15:18

Copilot started reviewing on behalf of AldoFusterTurpin May 9, 2026 15:19 View session

Copilot AI reviewed May 9, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: reset _authentication_state to none#30409

fix: reset _authentication_state to none#30409
AldoFusterTurpin wants to merge 2 commits intoredpanda-data:devfrom
AldoFusterTurpin:aldo/_authentication_state-to-none

AldoFusterTurpin commented May 7, 2026 •

edited

Loading

Uh oh!

CLAassistant commented May 7, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

dotnwat commented May 7, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

AldoFusterTurpin commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Backports Required

Release Notes

Bug Fixes

Uh oh!

CLAassistant commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

dotnwat commented May 7, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

AldoFusterTurpin commented May 7, 2026 •

edited

Loading

CLAassistant commented May 7, 2026 •

edited

Loading