
KIP-44 - Allow Kafka to have a customized security protocol



At the moment Kafka supports 3 main types of security protocol: Plain, SSL, and SASL with its variants SASL_SSL and SASL_PLAINTEXT. Behind the scenes, Kerberos is the only supported authentication mechanism and SSL is the only supported transport protocol. Anyone who wants to enable authentication in Kafka needs to properly configure Kerberos and SSL. This is sometimes undesirable for users who already have their own authentication mechanism in place, e.g. token-based authentication or other SASL mechanisms. Under the current design of Kafka, users with their own choice of authentication mechanism cannot reuse what they have and must employ Kerberos. It would be good for Kafka to provide a pluggable way for users to implement their own authentication mechanism.

Public Interfaces


With the above changes, users who want to include their own authentication logic can set security.protocol to CUSTOMIZED, to XYZChannelBuilder where the authentication and SSL secure transport logic resides, and add a new listener CUSTOMIZED://host:port in the broker.