Comment: more minor updates/clarifications

...

2) After (1) is complete, turn on re-authentication for brokers (as inter-broker clients, via 'sasl.login.refresh.reauthenticate.enable') at whatever rate is desired -- just eventually, at some point, get the client-side feature turned on for all brokers so that inter-broker connections are re-authenticating. (Skip this step and consider it complete if SASL/OAUTHBEARER is not used for inter-broker communication.)

3) After (2) is complete, partially enable the server-side kill functionality with a negative value for '[listener].oauthbearer.connections.max.reauth.ms' on all brokers.  The metric documenting the number of API requests made over expired connections will begin to increase and will keep doing so until the next step (4) is completed.  No connections will be killed.

4) In parallel with (1), (2), and (3) above, upgrade non-broker clients to v2.1.0 or later and turn their re-authentication feature on.  Clients using SASL/OAUTHBEARER will check the API version and only re-authenticate to a broker that has also been upgraded to 2.1.0 or later (note that the ability of a broker to respond to a re-authentication cannot be turned off -- it is always on beginning with version 2.1.0, and it just sits there doing nothing if it isn't exercised by an enabled client).

5) After (3) and (4) are complete, check the broker metric documenting the number of API requests made over expired connections to confirm that it is no longer increasing.  Once you are satisfied that (1), (2), (3), and (4) are indeed complete you can fully enable the server-side expired-connection-kill feature on each broker by changing the '[listener].oauthbearer.connections.max.reauth.ms' value from its negative value to its absolute value and restarting the broker.

6) Monitor the metric that documents the number of killed connections – it will remain at 0 unless an older client or one that does not have re-authentication enabled connects to the broker via the SASL/OAUTHBEARER mechanism.
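
The step (5) gate as an added example, not code from this proposal or from Kafka: it decides per broker whether the expired-connection request metric has stopped increasing and, if so, produces the positive value to set. It assumes the metric is a cumulative counter that your monitoring samples periodically and that resets when a broker restarts; `BrokerState`, the function names and the sample readings are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Key exactly as written on the page; "[listener]" is the page's own placeholder.
REAUTH_KEY = "[listener].oauthbearer.connections.max.reauth.ms"


@dataclass
class BrokerState:  # hypothetical record built from your own monitoring data
    name: str
    max_reauth_ms: int           # value currently configured for REAUTH_KEY
    expired_requests: List[int]  # successive readings of the expired-connection request counter


def counter_is_flat(samples: List[int], min_samples: int = 3) -> bool:
    """True only if the last `min_samples` readings are identical.

    A reading lower than its predecessor is treated as a counter reset
    (assumed: broker restart), so readings before it are discarded.
    """
    window = samples
    for i in range(1, len(samples)):
        if samples[i] < samples[i - 1]:
            window = samples[i:]
    if len(window) < min_samples:
        return False  # not enough evidence since the last reset
    tail = window[-min_samples:]
    return all(v == tail[0] for v in tail)


def step5_change(b: BrokerState) -> Optional[str]:
    """Config line to apply in step (5), or None if the broker is not ready."""
    if b.max_reauth_ms >= 0:
        return None  # step (3) not applied yet, or step (5) already done
    if not counter_is_flat(b.expired_requests):
        return None  # some client is still not re-authenticating
    return f"{REAUTH_KEY}={abs(b.max_reauth_ms)}"


def rollout_plan(brokers: List[BrokerState]) -> Dict[str, Optional[str]]:
    return {b.name: step5_change(b) for b in brokers}


# Constructed sample readings, for illustration only.
SAMPLE = [
    BrokerState("broker-1", -3600000, [5, 9, 12, 12, 12]),  # flat: ready
    BrokerState("broker-2", -3600000, [7, 7, 8, 9, 9]),     # still rising
    BrokerState("broker-3", -3600000, [40, 40, 40, 0, 0]),  # reset, too few readings
]
```

A broker that returns `None` stays on its negative value, so it keeps counting requests over expired connections without killing them.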

Rejected Alternatives

Delaying Support for Brokers Killing Connections

...