...

This issue can be addressed if Kafka stores the original Principal object when it processes the incoming request, before handing it over to the API threads. The Authorizer will then be able to access this Principal object and use it to verify the ACLs.

New or Changed Public Interfaces

This KIP introduces a new constructor in the KafkaPrincipal class that takes an additional parameter of type Java Principal. It also introduces a new API in PrincipalBuilder that builds a Java Principal from the passed-in map of configs. kafka-acls.sh would take two optional command-line parameters specifying the PrincipalBuilder class name and the properties used to create the PrincipalBuilder.
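An illustration of why retaining the original Principal matters to an Authorizer, added here and not taken from the KIP or from Kafka's code. `WrappedPrincipal` and `GroupPrincipal` are hypothetical stand-ins, and the group-membership rule is an assumed example of information a custom Authorizer might need from the original Principal (requires Java 16 or later).

```java
import java.security.Principal;
import java.util.Set;

// Hypothetical stand-ins for illustration; these are not Kafka's classes.
public class PrincipalRetentionSketch {

    // A custom principal produced by the authentication layer (constructed example).
    record GroupPrincipal(String name, Set<String> groups) implements Principal {
        @Override public String getName() { return name; }
    }

    // Models a principal wrapper with the additional constructor parameter:
    // it keeps the original Principal instead of only a (type, name) pair.
    static final class WrappedPrincipal {
        final String type;
        final String name;
        final Principal channelPrincipal; // null when built with the two-argument form

        WrappedPrincipal(String type, String name) { this(type, name, null); }

        WrappedPrincipal(String type, String name, Principal channelPrincipal) {
            this.type = type;
            this.name = name;
            this.channelPrincipal = channelPrincipal;
        }
    }

    // Assumed authorizer rule: allow only if the original principal carries the
    // required group. Fails closed when the original principal was not retained.
    static boolean authorize(WrappedPrincipal p, String requiredGroup) {
        if (p.channelPrincipal instanceof GroupPrincipal gp) {
            return gp.groups().contains(requiredGroup);
        }
        return false;
    }

    public static void main(String[] args) {
        GroupPrincipal original = new GroupPrincipal("alice", Set.of("payments-writers"));

        // Flattened to (type, name): the group data is no longer reachable.
        WrappedPrincipal flattened = new WrappedPrincipal("User", original.getName());
        // Built with the extra parameter: the authorizer can inspect the original.
        WrappedPrincipal retained = new WrappedPrincipal("User", original.getName(), original);

        System.out.println("flattened allowed: " + authorize(flattened, "payments-writers"));
        System.out.println("retained allowed:  " + authorize(retained, "payments-writers"));
        System.out.println("wrong group:       " + authorize(retained, "admins"));
    }
}
```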

...

Compatibility, Deprecation, and Migration Plan

What impact (if any) will there be on existing users?

The existing users implementing the PrincipalBuilder interface will get a compile-time error and will have to add the new API implementation to resolve it. This KIP is a pure addition to existing functionality and does not include any backward incompatible changes.

Test Plan

- Unit tests to validate that new changes work as expected without affecting the existing behavior.

...