apache
diff --git a/‎pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java‎
Lines changed: 10 additions & 0 deletions b/‎pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/JsonSchemaCompatibilityCheck.java‎
Lines changed: 22 additions & 7 deletions b/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/JsonSchemaCompatibilityCheck.java‎
Lines changed: 22 additions & 7 deletions
diff --git a/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/SchemaRegistryService.java‎
Lines changed: 12 additions & 1 deletion b/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/SchemaRegistryService.java‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/validator/SchemaDataValidator.java‎
Lines changed: 17 additions & 3 deletions b/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/validator/SchemaDataValidator.java‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/validator/SchemaRegistryServiceWithSchemaDataValidator.java‎
Lines changed: 13 additions & 5 deletions b/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/validator/SchemaRegistryServiceWithSchemaDataValidator.java‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/validator/StructSchemaDataValidator.java‎
Lines changed: 21 additions & 12 deletions b/‎pulsar-broker/src/main/java/org/apache/pulsar/broker/service/schema/validator/StructSchemaDataValidator.java‎
Lines changed: 21 additions & 12 deletions
@@ -3423,6 +3423,16 @@ public double getLoadBalancerBandwidthOutResourceWeight() {
     )
     private SchemaCompatibilityStrategy schemaCompatibilityStrategy = SchemaCompatibilityStrategy.FULL;
 
+    @FieldContext(
+        category = CATEGORY_SCHEMA,
+        doc = "Whether to allow legacy Jackson JsonSchema format for SchemaType.JSON schema definitions. "
+            + "When false (default), only valid Apache Avro schema format is accepted for SchemaType.JSON, "
+            + "consistent with what the consumer side requires. When true, the pre-2.1 backward-compatible "
+            + "behavior is preserved for deployments that still have topics with legacy-format schemas. "
+            + "See PIP-464 for details."
+    )
+    private boolean schemaJsonAllowLegacyJacksonFormat = false;
+
     /**** --- WebSocket. --- ****/
     @FieldContext(
         category = CATEGORY_WEBSOCKET,
 
@@ -36,26 +36,36 @@
 @SuppressWarnings("unused")
 public class JsonSchemaCompatibilityCheck extends AvroSchemaBasedCompatibilityCheck {
 
+    private volatile boolean allowLegacyJacksonFormat = false;
+
     @Override
     public SchemaType getSchemaType() {
         return SchemaType.JSON;
     }
 
+    /**
+     * Set whether to allow legacy Jackson JsonSchema format for backward compatibility.
+     * When false (default), only valid Avro schema format is accepted (PIP-464).
+     */
+    public void setAllowLegacyJacksonFormat(boolean allowLegacyJacksonFormat) {
+        this.allowLegacyJacksonFormat = allowLegacyJacksonFormat;
+    }
+
     @Override
     public void checkCompatible(SchemaData from, SchemaData to, SchemaCompatibilityStrategy strategy)
             throws IncompatibleSchemaException {
         if (isAvroSchema(from)) {
             if (isAvroSchema(to)) {
                 // if both producer and broker have the schema in avro format
                 super.checkCompatible(from, to, strategy);
-            } else if (isJsonSchema(to)) {
+            } else if (allowLegacyJacksonFormat && isJsonSchema(to)) {
                 // if broker have the schema in avro format but producer sent a schema in the old json format
-                // allow old schema format for backwards compatibility
+                // allow old schema format for backwards compatibility (only when legacy format is enabled)
             } else {
-                // unknown schema format
-                throw new IncompatibleSchemaException("Unknown schema format");
+                throw new IncompatibleSchemaException(
+                        "Incompatible schema: expected Avro schema format for SchemaType.JSON");
             }
-        } else if (isJsonSchema(from)){
+        } else if (allowLegacyJacksonFormat && isJsonSchema(from)) {
 
             if (isAvroSchema(to)) {
                 // if broker have the schema in old json format but producer sent a schema in the avro format
@@ -64,9 +74,14 @@ public void checkCompatible(SchemaData from, SchemaData to, SchemaCompatibilityS
                 // if both producer and broker have the schema in old json format
                 isCompatibleJsonSchema(from, to);
             } else {
-                // unknown schema format
-                throw new IncompatibleSchemaException("Unknown schema format");
+                throw new IncompatibleSchemaException(
+                        "Incompatible schema: expected Avro schema format for SchemaType.JSON");
             }
+        } else if (!allowLegacyJacksonFormat && !isAvroSchema(from)) {
+            // When legacy format is disabled, the existing schema must be valid Avro.
+            // If it's not, this is a defense-in-depth rejection (PIP-464).
+            throw new IncompatibleSchemaException(
+                    "Incompatible schema: existing schema is not in valid Avro format for SchemaType.JSON");
         } else {
             // broker has schema format with unknown format
             // maybe corrupted?
 
@@ -49,8 +49,19 @@ static SchemaRegistryService create(SchemaStorage schemaStorage, Set<String> sch
             try {
                 Map<SchemaType, SchemaCompatibilityCheck> checkers = getCheckers(schemaRegistryCompatibilityCheckers);
                 checkers.put(SchemaType.KEY_VALUE, new KeyValueSchemaCompatibilityCheck(checkers));
+
+                // PIP-464: propagate schemaJsonAllowLegacyJacksonFormat to JsonSchemaCompatibilityCheck
+                boolean allowLegacyJacksonFormat =
+                        pulsarService.getConfiguration().isSchemaJsonAllowLegacyJacksonFormat();
+                SchemaCompatibilityCheck jsonCheck = checkers.get(SchemaType.JSON);
+                if (jsonCheck instanceof JsonSchemaCompatibilityCheck) {
+                    ((JsonSchemaCompatibilityCheck) jsonCheck)
+                            .setAllowLegacyJacksonFormat(allowLegacyJacksonFormat);
+                }
+
                 return SchemaRegistryServiceWithSchemaDataValidator.of(
-                        new SchemaRegistryServiceImpl(schemaStorage, checkers, pulsarService));
+                        new SchemaRegistryServiceImpl(schemaStorage, checkers, pulsarService),
+                        allowLegacyJacksonFormat);
             } catch (Exception e) {
                 LOG.warn("Unable to create schema registry storage, defaulting to empty storage", e);
             }
 
@@ -34,16 +34,30 @@ public interface SchemaDataValidator {
 
     /**
      * Validate if the schema data is well formed.
+     * Uses strict Avro-only validation for SchemaType.JSON (no legacy Jackson fallback).
      *
      * @param schemaData schema data to validate
      * @throws InvalidSchemaDataException if the schema data is not in a valid form.
      */
     static void validateSchemaData(SchemaData schemaData) throws InvalidSchemaDataException {
+        validateSchemaData(schemaData, false);
+    }
+
+    /**
+     * Validate if the schema data is well formed.
+     *
+     * @param schemaData schema data to validate
+     * @param allowLegacyJacksonFormat if true, allows legacy Jackson JsonSchema format for SchemaType.JSON
+     *                                  for backward compatibility with pre-2.1 schemas (PIP-464)
+     * @throws InvalidSchemaDataException if the schema data is not in a valid form.
+     */
+    static void validateSchemaData(SchemaData schemaData,
+                                   boolean allowLegacyJacksonFormat) throws InvalidSchemaDataException {
         switch (schemaData.getType()) {
             case AVRO:
             case JSON:
             case PROTOBUF:
-                StructSchemaDataValidator.of().validate(schemaData);
+                StructSchemaDataValidator.of(allowLegacyJacksonFormat).validate(schemaData);
                 break;
             case PROTOBUF_NATIVE:
                 ProtobufNativeSchemaDataValidator.of().validate(schemaData);
@@ -80,8 +94,8 @@ static void validateSchemaData(SchemaData schemaData) throws InvalidSchemaDataEx
             case KEY_VALUE:
                 KeyValue<SchemaData, SchemaData> kvSchema =
                     KeyValueSchemaCompatibilityCheck.decodeKeyValueSchemaData(schemaData);
-                validateSchemaData(kvSchema.getKey());
-                validateSchemaData(kvSchema.getValue());
+                validateSchemaData(kvSchema.getKey(), allowLegacyJacksonFormat);
+                validateSchemaData(kvSchema.getValue(), allowLegacyJacksonFormat);
                 break;
             default:
                 throw new InvalidSchemaDataException("Unknown schema type : " + schemaData.getType());
 
@@ -33,13 +33,21 @@
 public class SchemaRegistryServiceWithSchemaDataValidator implements SchemaRegistryService {
 
     public static SchemaRegistryServiceWithSchemaDataValidator of(SchemaRegistryService service) {
-        return new SchemaRegistryServiceWithSchemaDataValidator(service);
+        return new SchemaRegistryServiceWithSchemaDataValidator(service, false);
+    }
+
+    public static SchemaRegistryServiceWithSchemaDataValidator of(SchemaRegistryService service,
+                                                                   boolean allowLegacyJacksonFormat) {
+        return new SchemaRegistryServiceWithSchemaDataValidator(service, allowLegacyJacksonFormat);
     }
 
     private final SchemaRegistryService service;
+    private final boolean allowLegacyJacksonFormat;
 
-    private SchemaRegistryServiceWithSchemaDataValidator(SchemaRegistryService service) {
+    private SchemaRegistryServiceWithSchemaDataValidator(SchemaRegistryService service,
+                                                         boolean allowLegacyJacksonFormat) {
         this.service = service;
+        this.allowLegacyJacksonFormat = allowLegacyJacksonFormat;
     }
 
     @Override
@@ -89,7 +97,7 @@ public CompletableFuture<SchemaVersion> putSchemaIfAbsent(String schemaId,
                                                               SchemaData schema,
                                                               SchemaCompatibilityStrategy strategy) {
         try {
-            SchemaDataValidator.validateSchemaData(schema);
+            SchemaDataValidator.validateSchemaData(schema, allowLegacyJacksonFormat);
         } catch (InvalidSchemaDataException e) {
             return FutureUtil.failedFuture(e);
         }
@@ -115,7 +123,7 @@ public CompletableFuture<SchemaVersion> deleteSchemaStorage(String schemaId, boo
     public CompletableFuture<Boolean> isCompatible(String schemaId, SchemaData schema,
                                                    SchemaCompatibilityStrategy strategy) {
         try {
-            SchemaDataValidator.validateSchemaData(schema);
+            SchemaDataValidator.validateSchemaData(schema, allowLegacyJacksonFormat);
         } catch (InvalidSchemaDataException e) {
             return FutureUtil.failedFuture(e);
         }
@@ -127,7 +135,7 @@ public CompletableFuture<Void> checkCompatible(String schemaId,
                                                    SchemaData schema,
                                                    SchemaCompatibilityStrategy strategy) {
         try {
-            SchemaDataValidator.validateSchemaData(schema);
+            SchemaDataValidator.validateSchemaData(schema, allowLegacyJacksonFormat);
         } catch (InvalidSchemaDataException e) {
             return FutureUtil.failedFuture(e);
         }
 
@@ -24,7 +24,6 @@
 import java.io.IOException;
 import org.apache.avro.NameValidator;
 import org.apache.avro.Schema;
-import org.apache.avro.SchemaParseException;
 import org.apache.pulsar.broker.service.schema.exceptions.InvalidSchemaDataException;
 import org.apache.pulsar.common.protocol.schema.SchemaData;
 import org.apache.pulsar.common.schema.SchemaType;
@@ -39,10 +38,21 @@ public static StructSchemaDataValidator of() {
         return INSTANCE;
     }
 
-    private static final StructSchemaDataValidator INSTANCE = new StructSchemaDataValidator();
+    public static StructSchemaDataValidator of(boolean allowLegacyJacksonFormat) {
+        return allowLegacyJacksonFormat ? LEGACY_INSTANCE : INSTANCE;
+    }
+
+    // Default instance: strict Avro-only validation for SchemaType.JSON (PIP-464)
+    private static final StructSchemaDataValidator INSTANCE = new StructSchemaDataValidator(false);
+    // Legacy instance: allows Jackson JsonSchema fallback for backward compatibility
+    private static final StructSchemaDataValidator LEGACY_INSTANCE = new StructSchemaDataValidator(true);
     public static final NameValidator COMPATIBLE_NAME_VALIDATOR = new CompatibleNameValidator();
 
-    private StructSchemaDataValidator() {}
+    private final boolean allowLegacyJacksonFormat;
+
+    private StructSchemaDataValidator(boolean allowLegacyJacksonFormat) {
+        this.allowLegacyJacksonFormat = allowLegacyJacksonFormat;
+    }
 
     private static final ObjectReader JSON_SCHEMA_READER =
             ObjectMapperFactory.getMapper().reader().forType(JsonSchema.class);
@@ -57,11 +67,14 @@ public void validate(SchemaData schemaData) throws InvalidSchemaDataException {
             if (SchemaType.AVRO.equals(schemaData.getType())) {
                 checkAvroSchemaTypeSupported(schema);
             }
-        } catch (SchemaParseException e) {
-            if (schemaData.getType() == SchemaType.JSON) {
-                // we used JsonSchema for storing the definition of a JSON schema
-                // hence for backward compatibility consideration, we need to try
-                // to use JsonSchema to decode the schema data
+        } catch (InvalidSchemaDataException invalidSchemaDataException) {
+            throw invalidSchemaDataException;
+        } catch (Exception e) {
+            // Avro 1.12.0 may throw NullPointerException (not SchemaParseException) for
+            // non-Avro schemas, so the legacy fallback must be in the general catch block.
+            if (schemaData.getType() == SchemaType.JSON && allowLegacyJacksonFormat) {
+                // For backward compatibility with pre-2.1 schemas: try Jackson JsonSchema parsing.
+                // This fallback is only enabled when schemaJsonAllowLegacyJacksonFormat=true (PIP-464).
                 try {
                     JSON_SCHEMA_READER.readValue(data);
                 } catch (IOException ioe) {
@@ -70,10 +83,6 @@ public void validate(SchemaData schemaData) throws InvalidSchemaDataException {
             } else {
                 throwInvalidSchemaDataException(schemaData, e);
             }
-        } catch (InvalidSchemaDataException invalidSchemaDataException) {
-            throw invalidSchemaDataException;
-        } catch (Exception e) {
-            throwInvalidSchemaDataException(schemaData, e);
         }
     }