...

1. We will update the DefaultKafkaPrincipalBuilder class to handle the configuration options proposed above.
2. The proposed configuration will be applied to the X500Principal distinguished name from the client certificate. Mapping rules work on the string representation of the X.500 distinguished name (RFC 2253 format) [1]. Mapping rules can use the attribute type keywords defined in RFC 2253 (CN, L, ST, O, OU, C, STREET, DC, UID).

Any additional/custom attribute types are emitted as OIDs. Since that would require an OID -> attribute type keyword string mapping, we cannot use these additional attribute type keyword strings in our rules. If the user wants to extract additional attribute keys, then a custom principal builder class needs to be written.

3. The proposed configuration will be ignored if SSL client authentication is disabled (in this case the principal name is ANONYMOUS).
4. The proposed configuration will be ignored if an extension of KafkaPrincipalBuilder is provided by the principal.builder.class configuration.
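
The following is an added example, not code from the KIP or from Kafka, showing the string form described in point 2: what a rule sees for a standard DN, for a CN containing an escaped comma, and for a DN with an attribute type outside the RFC 2253 keyword list. The class name, the sample DNs and the `LEADING_CN` regex are assumptions made for illustration; the regex is plain `java.util.regex`, not the KIP's rule syntax.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;

public class DnMappingDemo {
    // Hypothetical pattern: the DN must start with CN, and the CN value may
    // contain RFC 2253 backslash-escaped characters such as "\,".
    static final Pattern LEADING_CN =
        Pattern.compile("^CN=((?:\\\\.|[^,\\\\])+)(?:,.*)?$");

    // The RFC 2253 string form that mapping rules are matched against [1].
    static String rfc2253(X500Principal p) {
        return p.getName(X500Principal.RFC2253);
    }

    // Same DN, with caller-supplied OID -> keyword names, as [2] allows.
    static String rfc2253WithKeywords(X500Principal p, Map<String, String> oidMap) {
        return p.getName(X500Principal.RFC2253, oidMap);
    }

    // Full-string match, so a DN that does not begin with CN yields no result.
    static Optional<String> leadingCn(String dn) {
        Matcher m = LEADING_CN.matcher(dn);
        return m.matches() ? Optional.of(m.group(1)) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed subject DNs, not taken from any real certificate.
        X500Principal[] samples = {
            new X500Principal("CN=kafka-client,OU=Engineering,O=Example,C=US"),
            new X500Principal("CN=Doe\\, John,O=Example"),
            new X500Principal("EMAILADDRESS=alice@example.com,CN=alice,O=Example")
        };
        for (X500Principal p : samples) {
            String dn = rfc2253(p);
            System.out.println(dn + "  ->  " + leadingCn(dn).orElse("<no match>"));
        }
        // EMAILADDRESS is not an RFC 2253 keyword, so the default form printed
        // above carries its OID; the keyword appears only with an explicit map.
        Map<String, String> oidMap =
            Collections.singletonMap("1.2.840.113549.1.9.1", "EMAILADDRESS");
        System.out.println(rfc2253WithKeywords(samples[2], oidMap));
    }
}
```

The third sample does not match the anchored pattern because the OID-typed attribute comes first in the DN string, which is the kind of input a rule set should be tested against before it is relied on for authorization.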


[1] https://docs.oracle.com/javase/7/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String) 
[2] https://docs.oracle.com/javase/7/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String,%20java.util.Map)

Compatibility, Deprecation, and Migration Plan

...