Which authentication mechanism is Kerberos-based in Kafka?

Kerberos-based authentication in Kafka is implemented via SASL with the GSSAPI mechanism. Kerberos uses a central Key Distribution Center to issue tickets that prove a client’s identity, and Kafka leverages this by configuring SASL to use the GSSAPI mechanism. When a client connects, it obtains a Kerberos ticket-granting ticket and then a service ticket for the Kafka service, which the broker validates to authenticate the client. This is why the correct choice maps directly to Kerberos: SASL/GSSAPI. The other options represent different authentication approaches. SASL/OAUTHBEARER relies on OAuth 2.0 tokens instead of Kerberos tickets. SSL (TLS) handles encryption and can include client certificates, but it isn’t Kerberos authentication. SASL/SCRAM-SHA-512 uses salted password-based SASL authentication, not Kerberos tickets.