Hi Jason,

Thanks for bringing this up. A couple of comments:

1. Yes, we should deprecate and remove the raw SASL protocol that preceded KIP-43 - the popular clients have supported SaslHandshake for a very long time.
2. Yes, kafka-python still uses SaslHandshake v0 and it doesn't support SaslAuthenticate, so we can't require SaslAuthenticate yet (KIP-152).

I updated the KIP to:

1. Note the removal of the raw SASL protocol that preceded KIP-43.
2. Keep SaslHandshake v0 in Apache Kafka 4.0 since kafka-python still relies on it (the KIP had incorrectly stated that kafka-python supports SaslHandshake v1 since the definition exists, but it turns out that the code never actually uses it).

Ismael

On Thu, Dec 7, 2023 at 3:37 PM Jason Gustafson <ja...@confluent.io.invalid> wrote:

> Minor correction: only `SaslHandshake` was introduced in KIP-43.
> `SaslAuthenticate` came later in KIP-152.
>
> On Thu, Dec 7, 2023 at 3:18 PM Jason Gustafson <ja...@confluent.io> wrote:
>
> > Hey Ismael,
> >
> > I'm considering if we can do something in this KIP for the SASL baggage
> > we've accumulated. Prior to the existence of the `SaslHandshake` API, we
> > supported the raw SASL protocol. The main gap was that it did not support
> > negotiation of the SASL method. This was fixed in
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements
> > where we added the `SaslHandshake` and `SaslAuthenticate`. This has been
> > supported in the broker since 0.10.0 and, as far as I can tell, all major
> > clients mentioned in the KIP support the `SaslHandshake` API. However, we
> > still support fallback logic on the broker, effectively assuming GSSAPI if
> > the initial request is not a Kafka request. Can we require SASL negotiation
> > through `SaslHandshake` and drop support for this fallback logic?
> >
> > I also looked at `SaslAuthenticate`, which was added in
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures.
> > Once method negotiation is complete using `SaslHandshake`, then we still
> > support direct authentication using the SASL protocol (i.e. without the
> > wrapped `SaslAuthenticate`). It would be nice to drop this as well, but it
> > looks like kafka-python may not implement it.
> >
> > Thanks,
> > Jason
> >
> > On Fri, Nov 24, 2023 at 12:07 PM Ismael Juma <m...@ismaeljuma.com> wrote:
> >
> >> Hi all,
> >>
> >> I also vote +1.
> >>
> >> The vote passes with 4 binding +1s:
> >>
> >> 1. Colin McCabe
> >> 2. Jun Rao
> >> 3. Jose Sancio
> >> 4. Ismael Juma
> >>
> >> Thanks,
> >> Ismael
> >>
> >> On Tue, Nov 21, 2023 at 12:06 PM Ismael Juma <m...@ismaeljuma.com> wrote:
> >>
> >> > Hi all,
> >> >
> >> > I would like to start a vote on KIP-896. Please take a look and let us
> >> > know what you think.
> >> >
> >> > Even though most of the changes in this KIP will be done for Apache Kafka
> >> > 4.0, I would like to introduce a new metric and new request log attribute
> >> > in Apache 3.7 to help users identify usage of deprecated protocol api
> >> > versions.
> >> >
> >> > Link:
> >> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-896%3A+Remove+old+client+protocol+API+versions+in+Kafka+4.0
> >> >
> >> > Thanks,
> >> > Ismael
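Added example, not part of the thread and not Kafka's broker code: a simplified Python classifier for the first size-prefixed frame a client sends on a SASL listener, useful when auditing captured traffic for clients that still rely on the raw pre-KIP-43 path or on SaslHandshake v0. The function and helper names and the sample frames are constructed for illustration; API keys 17 (SaslHandshake) and 18 (ApiVersions) and the leading 0x60 tag of an initial GSSAPI token are the only protocol facts it relies on.

```python
import struct

SASL_HANDSHAKE, API_VERSIONS = 17, 18  # Kafka protocol API keys

def classify_first_frame(frame: bytes) -> dict:
    """Classify the first size-prefixed frame a client sends on a SASL listener."""
    if len(frame) < 4:
        return {"kind": "invalid"}
    (size,) = struct.unpack(">i", frame[:4])
    payload = frame[4:4 + size] if size > 0 else b""
    if size <= 0 or len(payload) < size:
        return {"kind": "invalid"}
    try:
        # Request header: api_key int16, api_version int16, correlation_id int32.
        api_key, version, _corr = struct.unpack(">hhi", payload[:8])
        if api_key == API_VERSIONS:
            # Clients may probe ApiVersions before SaslHandshake; not a raw token.
            return {"kind": "ApiVersions", "version": version}
        if api_key != SASL_HANDSHAKE:
            raise ValueError("not a SaslHandshake request")
        pos = 8
        (cid_len,) = struct.unpack(">h", payload[pos:pos + 2])  # nullable client_id
        pos += 2 + max(cid_len, 0)
        (mech_len,) = struct.unpack(">h", payload[pos:pos + 2])  # mechanism string
        mech = payload[pos + 2:pos + 2 + mech_len]
        if mech_len <= 0 or len(mech) != mech_len:
            raise ValueError("truncated mechanism")
        return {"kind": "SaslHandshake", "version": version,
                "mechanism": mech.decode("ascii")}
    except (struct.error, ValueError):
        # Not parseable as a Kafka request: the pre-KIP-43 path, where the
        # thread says the broker effectively assumes GSSAPI.
        return {"kind": "raw-sasl", "assumed_mechanism": "GSSAPI",
                "gss_tag_0x60": payload[:1] == b"\x60"}

def frame_of(payload: bytes) -> bytes:
    return struct.pack(">i", len(payload)) + payload

def handshake_frame(version: int, client_id: str, mechanism: str) -> bytes:
    cid, mech = client_id.encode(), mechanism.encode()
    return frame_of(struct.pack(">hhih", SASL_HANDSHAKE, version, 1, len(cid))
                    + cid + struct.pack(">h", len(mech)) + mech)

# Constructed sample frames (not captured traffic).
HANDSHAKE_V0 = handshake_frame(0, "legacy-client", "PLAIN")
HANDSHAKE_V1 = handshake_frame(1, "modern-client", "SCRAM-SHA-256")
API_VERSIONS_V0 = frame_of(struct.pack(">hhih", API_VERSIONS, 0, 7, -1))
RAW_GSS = frame_of(b"\x60\x82\x02\x10" + b"\x00" * 12)  # placeholder token bytes
```
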