Minor correction: only `SaslHandshake` was introduced in KIP-43. `SaslAuthenticate` came later in KIP-152.
On Thu, Dec 7, 2023 at 3:18 PM Jason Gustafson <ja...@confluent.io> wrote: > Hey Ismael, > > I'm considering if we can do something in this KIP for the SASL baggage > we've accumulated. Prior to the existence of the `SaslHandshake` API, we > supported the raw SASL protocol. The main gap was that it did not support > negotiation of the SASL method. This was fixed in > https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements > where we added the `SaslHandshake` and `SaslAuthenticate`. This has been > supported in the broker since 0.10.0 and, as far as I can tell, all major > clients mentioned in the KIP support the `SaslHandshake` API. However, we > still support fallback logic on the broker, effectively assuming GSSAPI if > the initial request is not a Kafka request. Can we require SASL negotiation > through `SaslHandshake` and drop support for this fallback logic? > > I also looked at `SaslAuthenticate`, which was added in > https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures. > Once method negotiation is complete using `SaslHandshake`, then we still > support direct authentication using the SASL protocol (i.e. without the > wrapped `SaslAuthenticate`). It would be nice to drop this as well, but it > looks like kafka-python may not implement it. > > Thanks, > Jason > > > > On Fri, Nov 24, 2023 at 12:07 PM Ismael Juma <m...@ismaeljuma.com> wrote: > >> Hi all, >> >> I also vote +1. >> >> The vote passes with 4 binding +1s: >> >> 1. Colin McCabe >> 2. Jun Rao >> 3. Jose Sancio >> 4. Ismael Juma >> >> Thanks, >> Ismael >> >> On Tue, Nov 21, 2023 at 12:06 PM Ismael Juma <m...@ismaeljuma.com> wrote: >> >> > Hi all, >> > >> > I would like to start a vote on KIP-896. Please take a look and let us >> > know what you think. >> > >> > Even though most of the changes in this KIP will be done for Apache >> Kafka >> > 4.0, I would like to introduce a new metric and new request log >> attribute >> > in Apache 3.7 to help users identify usage of deprecated protocol api >> > versions. >> > >> > Link: >> > >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-896%3A+Remove+old+client+protocol+API+versions+in+Kafka+4.0 >> > >> > Thanks, >> > Ismael >> > >> >