...

  1. In the first stage, perform a rolling restart of the Kafka brokers to enable a non-SASL port (e.g. SSL), so that no broker or client depends on the SASL mechanism that is about to change.
    1. Enable an SSL port on the brokers and perform a rolling restart of all brokers
    2. Restart all clients with SSL as the security protocol
    3. If SASL is used for inter-broker communication, switch inter-broker communication to SSL and perform another rolling restart of the brokers.
  2. In the second stage, when SASL is no longer in use anywhere in the cluster, perform a rolling restart of the Kafka brokers to update the SASL mechanism with the new JAAS configuration and properties.
    1. Update the SASL mechanism, JAAS configuration and other properties on the brokers and perform a rolling restart of all brokers
    2. Restart all clients with SASL_SSL/SASL_PLAINTEXT as required
    3. If SASL is to be used for inter-broker communication, switch inter-broker communication to SASL_SSL/SASL_PLAINTEXT and perform a rolling restart of the brokers again.
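The two-stage procedure above, written out as the broker and client property changes applied at each rolling restart. This is an added example, not configuration from the KIP itself; it assumes a cluster that currently authenticates with GSSAPI over a SASL_SSL listener on port 9093 and is being migrated to the PLAIN mechanism, with a temporary SSL listener on port 9094 used as the non-SASL port during stage 1. Hostnames, ports, keystore paths and the mechanism names are assumptions. Note the `ssl.client.auth=required` setting on the SSL listener: without it, stage 1 silently drops from authenticated to unauthenticated clients, since a plain SSL listener only authenticates the broker to the client.

```properties
########## Stage 1a: broker server.properties (rolling restart) ##########
# Keep the existing SASL_SSL listener and add a plain SSL listener (assumed ports).
listeners=SASL_SSL://broker1.example.com:9093,SSL://broker1.example.com:9094
# Existing mechanism is still in use by clients and inter-broker traffic at this point.
sasl.enabled.mechanisms=GSSAPI
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=GSSAPI
# Require client certificates on the SSL listener so that clients remain
# authenticated while they are moved off SASL (assumed keystore/truststore paths).
ssl.client.auth=required
ssl.keystore.location=/etc/kafka/ssl/broker1.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=changeit

########## Stage 1b: client properties (restart all clients) ##########
bootstrap.servers=broker1.example.com:9094,broker2.example.com:9094
security.protocol=SSL
ssl.keystore.location=/etc/kafka/ssl/client.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=changeit

########## Stage 1c: broker server.properties (rolling restart) ##########
# Move inter-broker traffic off SASL as well. After this restart completes on
# every broker, nothing in the cluster is using the GSSAPI mechanism.
security.inter.broker.protocol=SSL

########## Stage 2a: broker server.properties (rolling restart) ##########
# Switch the SASL mechanism. The JAAS file passed via
# -Djava.security.auth.login.config must already contain the matching
# KafkaServer section, e.g. for PLAIN:
#   KafkaServer {
#     org.apache.kafka.common.security.plain.PlainLoginModule required
#     username="broker" password="broker-secret"
#     user_broker="broker-secret" user_app1="app1-secret";
#   };
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
# Inter-broker traffic stays on SSL for this restart; it is switched back
# to SASL_SSL only once every broker advertises the new mechanism.
security.inter.broker.protocol=SSL

########## Stage 2b: client properties (restart all clients) ##########
bootstrap.servers=broker1.example.com:9093,broker2.example.com:9093
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=changeit
# The client JAAS file (KafkaClient section) must carry the PLAIN credentials.

########## Stage 2c: broker server.properties (rolling restart) ##########
# Return inter-broker traffic to SASL using the new mechanism. The SSL
# listener on 9094 can be removed in a later restart once no client uses it.
security.inter.broker.protocol=SASL_SSL
```

The ordering matters in two places: stage 1c must finish on every broker before stage 2a begins, because a broker restarted with `sasl.enabled.mechanisms=PLAIN` can no longer serve the GSSAPI-based inter-broker connections of brokers that have not yet been restarted; and stage 2c must wait until stage 2a has completed cluster-wide for the same reason in reverse.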

Rejected Alternatives

Enable a small set of SASL mechanisms with a default implementation in Kafka

Since the security requirements and infrastructure used in different organizations vary, a default implementation of login modules and security providers is unlikely to be sufficient for all users. Unlike Kerberos, where most users are likely to use the Kerberos module provided in the JDK, other mechanisms are likely to be customized by users to enable integration with existing authentication providers. The proposed implementation removes the restriction that a SASL mechanism without a default implementation in Kafka cannot be used at all.

Make Authenticator configurable

This would provide additional flexibility, but would require users to implement more code. It would be more suitable if there were a requirement to implement authentication using protocols other than SASL.

...