Hey Ismael,

I'm considering if we can do something in this KIP for the SASL baggage
we've accumulated. Prior to the existence of the `SaslHandshake` API, we
supported the raw SASL protocol. The main gap was that it did not support
negotiation of the SASL method. This was fixed in
https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements
where we added the `SaslHandshake` and `SaslAuthenticate`. This has been
supported in the broker since 0.10.0 and, as far as I can tell, all major
clients mentioned in the KIP support the `SaslHandshake` API. However, we
still support fallback logic on the broker, effectively assuming GSSAPI if
the initial request is not a Kafka request. Can we require SASL negotiation
through `SaslHandshake` and drop support for this fallback logic?

I also looked at `SaslAuthenticate`, which was added in
https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures.
Once method negotiation is complete using `SaslHandshake`, then we still
support direct authentication using the SASL protocol (i.e. without the
wrapped `SaslAuthenticate`).  It would be nice to drop this as well, but it
looks like kafka-python may not implement it.

Thanks,
Jason
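
Added example (not part of Jason's message and not Kafka's own code): a sketch of how an operator could classify captured client bytes on a SASL listener to find clients that still depend on the two legacy paths described above. The API keys (17, 18), the 0x60 leading byte of a GSSAPI token, and the reading of SaslHandshake v0 as "raw tokens follow" are assumptions taken from the Kafka protocol and KIP-152 rather than from this message; all sample bytes are constructed.

```python
import struct

# Assumed protocol constants (from the Kafka protocol guide, not from this thread).
SASL_HANDSHAKE, API_VERSIONS = 17, 18
GSSAPI_INITIAL_TAG = 0x60  # leading byte of an initial GSS-API token


def split_frames(stream: bytes) -> list:
    """Split a client byte stream into payloads of 4-byte size-prefixed frames."""
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (size,) = struct.unpack_from(">i", stream, pos)
        if size <= 0 or pos + 4 + size > len(stream):
            break  # truncated or malformed frame: stop parsing
        frames.append(stream[pos + 4:pos + 4 + size])
        pos += 4 + size
    return frames


def classify_sasl_path(stream: bytes) -> str:
    """Name the SASL entry path a client took, judged from its first frames."""
    for payload in split_frames(stream):
        if payload[0] == GSSAPI_INITIAL_TAG:
            return "raw-gssapi"  # no SaslHandshake: relies on the broker fallback
        if len(payload) < 4:
            return "unknown"
        api_key, api_version = struct.unpack_from(">hh", payload)
        if api_key == API_VERSIONS:
            continue  # an ApiVersions request may precede the handshake
        if api_key == SASL_HANDSHAKE:
            if api_version == 0:
                return "handshake-v0-raw-tokens"  # unwrapped SASL tokens follow
            return "handshake-v1-sasl-authenticate"
        return "unknown"
    return "incomplete"


def build_request(api_key: int, version: int, body: bytes = b"") -> bytes:
    """Constructed request: header of key, version, correlation id, null client id."""
    payload = struct.pack(">hhih", api_key, version, 1, -1) + body
    return struct.pack(">i", len(payload)) + payload


# Constructed samples; the GSSAPI bytes are a placeholder, not a real token.
MECH = struct.pack(">h", 5) + b"PLAIN"
SAMPLE_RAW_GSSAPI = struct.pack(">i", 8) + b"\x60\x06" + b"\x00" * 6
SAMPLE_V0 = build_request(SASL_HANDSHAKE, 0, MECH)
SAMPLE_V1 = build_request(API_VERSIONS, 0) + build_request(SASL_HANDSHAKE, 1, MECH)
```

Connections classified as `raw-gssapi` or `handshake-v0-raw-tokens` are the ones that would stop working if the two compatibility paths were removed.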



On Fri, Nov 24, 2023 at 12:07 PM Ismael Juma <m...@ismaeljuma.com> wrote:

> Hi all,
>
> I also vote +1.
>
> The vote passes with 4 binding +1s:
>
> 1. Colin McCabe
> 2. Jun Rao
> 3. Jose Sancio
> 4. Ismael Juma
>
> Thanks,
> Ismael
>
> On Tue, Nov 21, 2023 at 12:06 PM Ismael Juma <m...@ismaeljuma.com> wrote:
>
> > Hi all,
> >
> > I would like to start a vote on KIP-896. Please take a look and let us
> > know what you think.
> >
> > Even though most of the changes in this KIP will be done for Apache Kafka
> > 4.0, I would like to introduce a new metric and new request log attribute
> > in Apache 3.7 to help users identify usage of deprecated protocol api
> > versions.
> >
> > Link:
> >
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-896%3A+Remove+old+client+protocol+API+versions+in+Kafka+4.0
> >
> > Thanks,
> > Ismael
> >
>
