...

Kafka currently supports providing a JAAS LoginModule for pluggable authentication when using SASL and SASL_SSL.  When using the SASL_SSL channel, the channel will override the setting for requiring a client certificate to be presented so it is not possible to require client authentication by providing a certificate.  This makes sense for SASL_SSL as the SASL mechanism will be used for authentication instead of a client certificate in this case.  However, this means that the SSL channel needs to be used when a client certificate is required for authentication.  Currently when using SSL the only authentication that is done is the SSL handshake between client and server.  It would also be ideal to be able to provide an option for custom authentication for the SSL channel that uses the client's X509 credentials that goes beyond the SSL handshake.  This would allow providing extra authentication based on a user's custom requirements.

Public Interfaces

...