Bump kafka-clients to 3.9.1 to fix SASL auth failure on JDK 24+ (#13849) #13859

Open
NamanKu-tech wants to merge 1 commit into apache:master from NamanKu-tech:bump-kafka-clients-3.9.1

NamanKu-tech commented May 2, 2026

Fix #13849: kafka-clients SASL authentication failure on JDK 24+

JDK 24 permanently disabled Subject.getSubject(AccessControlContext) (JEP 486, see KAFKA-18866).
kafka-clients 3.4.0 calls this method during SASL authentication, causing OAP to crash
at startup when kafka-fetcher is configured with a SASL security protocol.

Bumping to kafka-clients 3.9.1 which includes KAFKA-17078 — a reflective shim that
dispatches between Subject.callAs/current (JDK 18+) and Subject.doAs/getSubject (JDK 11-17),
making it work on JDK 11 through 25 with a single jar.

  • Add a unit test to verify that the fix works.
  • Explain briefly why the bug exists and how to fix it.
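
The dispatch the description refers to can be sketched as follows. This is an added example, not code from this pull request or from kafka-clients: the class `SubjectShim` and its helper methods are hypothetical, and it relies only on the JDK methods named in the description.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
// Hypothetical helper for illustration; not the code shipped in kafka-clients.
public final class SubjectShim {
    // Present on JDK 18+, null on JDK 11-17.
    private static final Method CURRENT = find("current");
    private static final Method CALL_AS = find("callAs", Subject.class, Callable.class);
    private static Method find(String name, Class<?>... params) {
        try {
            return Subject.class.getMethod(name, params);
        } catch (NoSuchMethodException e) {
            return null;
        }
    }

    // Static reflective call that rethrows the target's own exception.
    private static Object invoke(Method m, Object... args) throws Exception {
        try {
            return m.invoke(null, args);
        } catch (InvocationTargetException e) {
            if (e.getCause() instanceof Exception) throw (Exception) e.getCause();
            throw e;
        }
    }

    public static Subject current() throws Exception {
        if (CURRENT != null) return (Subject) invoke(CURRENT);
        // Legacy path, resolved by name: no link to the deprecated AccessController API.
        Object ctx = invoke(Class.forName("java.security.AccessController").getMethod("getContext"));
        Class<?> accType = Class.forName("java.security.AccessControlContext");
        return (Subject) invoke(find("getSubject", accType), ctx);
    }

    @SuppressWarnings("unchecked")
    public static <T> T callAs(Subject subject, Callable<T> action) throws Exception {
        if (CALL_AS != null) return (T) invoke(CALL_AS, subject, action);
        PrivilegedExceptionAction<T> legacy = action::call;
        return (T) invoke(find("doAs", Subject.class, PrivilegedExceptionAction.class), subject, legacy);
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject(); // constructed sample, no credentials
        Subject seen = callAs(subject, SubjectShim::current);
        System.out.println("JDK " + System.getProperty("java.version")
                + ", modern API: " + (CALL_AS != null) + ", same subject: " + (seen == subject));
    }
}
```

Running it with `java SubjectShim.java` on each JDK in the support matrix shows which branch is taken and whether the subject set by `callAs` is the one `current` returns.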


Copilot AI left a comment

Pull request overview

This PR updates the OAP Server BOM-managed Kafka client dependency to address SASL authentication failures when running on JDK 24+ (related to JEP 486 / KAFKA-18866 behavior changes).

Changes:

  • Bump org.apache.kafka:kafka-clients from 3.4.0 to 3.9.1 in oap-server-bom.
  • Document the dependency bump and rationale in the 10.5.0 changelog.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| `oap-server-bom/pom.xml` | Updates the BOM property to use kafka-clients 3.9.1. |
| `docs/en/changes/changes.md` | Adds a 10.5.0 changelog entry explaining the Kafka client bump and JDK 24+ SASL impact. |


#### Project

* Bump `kafka-clients` from 3.4.0 to 3.9.1 to fix SASL authentication failure on JDK 24+ (JEP 486 removed `Subject.getSubject`; fix included in kafka-clients 3.9.1 via KAFKA-17078).
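
Review bot: In the `kafka-clients` changelog entry, the parenthetical says JEP 486 "removed `Subject.getSubject`", while the PR description says JDK 24 permanently disabled `Subject.getSubject(AccessControlContext)`. Suggest using the description's wording and the full method signature so the entry is precise, and naming kafka-fetcher configured with a SASL security protocol as the affected setup, since that is the only failing case the description reports.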

wu-sheng (Member) commented May 3, 2026

You should update the license file. Also, we don't have an e2e test to verify this, so we are not sure about the dependency upgrade; the compatibility is uncertain.

Successfully merging this pull request may close these issues.

Configuring kafka-fetcher to use the SASL_SSL security mode results in a failure when starting OAP.
