Your best bet would to use sentry to provide the authorization with kerberos and AD. You can use sssd on the linux nodes to make the AD users and groups available to kafka: https://www.cloudera.com/documentation/enterprise/latest/topics/sg_auth_overview.html https://www.cloudera.com/documentation/kafka/latest/topics/kafka_security.html -pd ... View more

You are correct, SASL_PLAINTEXT only provides authentication, not encryption. You'll want SASL_SSL if you need encrypted traffic as well. You can set inter.broker.protocol to a different value if you'd like to only encrypt client/server traffic, but if you leave that to inferred in CM, it will use whatever your listener value is set to. -pd ... View more