Hi Chris, Thanks for the KIP. Could you also add details/use-cases for having X509 certificate based authentication in the context SASL_SSL. The reason that we disabled the SSL auth for SASL_SSL is the intent behind using SASL auth over SSL encryption and user can enforce a role based auth and have wire encryption for data transfer. If users just want SSL based authentication they have option to do so via SSL. I think we are providing too many options of authentication in SASL_SSL mode and can be bit confusing.
Thanks, Harsha On Tue, Feb 21, 2017 at 11:23 AM Christopher Shannon < christopher.l.shan...@gmail.com> wrote: Hi everyone I have just created KIP-127 to introduce custom JAAS configuration for the SSL channel: * https://cwiki.apache.org/confluence/display/KAFKA/KIP-127%3A+Pluggable+JAAS+LoginModule+configuration+for+SSL < https://cwiki.apache.org/confluence/display/KAFKA/KIP-127%3A+Pluggable+JAAS+LoginModule+configuration+for+SSL >* The idea here is to be able to do custom authentication based off of a user's X509 credentials in addition to the SSL handshake. I have created a rough draft of a commit to give an idea of what my plan is which matches the KIP: https://github.com/cshannon/kafka/tree/KAFKA-4784 It still needs some work (needs more tests for example) but I wanted to get some feedback before I went any farther on this and do a pull request. Thanks, Chris