Tags: authentication, apache-kafka, acl

Using Kafka super user ACLs from the client side


From both the official Kafka docs, as well as an ocean of blogs that churned up during the course of my travels, it looks like I can spin up a Kafka broker whose server.properties config file contains:

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:Bob;User:Alice

This defines two superusers (Bob + Alice) who can then produce messages to, and consume messages from, my broker's topics.

But how do I leverage these users from the client-side? If I have a Java client that needs to send messages to my Kafka broker, how does that client "authenticate" itself as 'Bob' (or 'Alice', or any other superuser)?

And where are the super user passwords defined/used?!?


Solution

  • I did some digging this week and it looks like "basic auth"-style (username + password) credentials are not supported in Kafka proper.

    It looks like you can set up Kerberos or a similar solution (JAAS/SASL, etc.) to create a ticket service that works with Kafka, which is what these ACLs seem to be for. I think the gist is that you would first authenticate against, say, Kerberos, at which point you would be granted a ticket/token. You would then present your username/principal along with your ticket to Kafka, and Kafka would work with Kerberos to ensure the ticket was still valid. I think that's how it works, based on some obscure/vague blogs I was able to get my hands on.

    I also see evidence that Kafka currently has, or plans on having, some kind of integration-layer support with LDAP, and so you might be able to hook your Kafka cluster up to AD or similar.

    The best way to manage Kafka authentication, weirdly enough, seems to be the Yahoo! Kafka Manager tool, which seems to be a very popular, well-maintained project rife with recent updates and community support. This is likely what I will run with, at least for the time being. HTH.
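The following is an added illustration, not code from the question, the answer, or the Kafka project. It models the two separate steps the answer describes: the client's identity comes out of the SASL (for example Kerberos/GSSAPI) handshake and is turned into a Kafka principal such as `User:Bob`, and only then does the authorizer compare that principal against `super.users` and the ACL table. No password ever appears in `super.users`, which is why the question could not find one there. The principal-mapping rule is a simplified version of Kafka's default behaviour (assumption: real deployments may configure extra `sasl.kerberos.principal.to.local.rules`), and all server properties, principals and ACL entries below are constructed sample data.

```python
"""Toy model of how Kafka's super.users relate to an authenticated principal.
Assumptions: simplified DEFAULT Kerberos-to-principal mapping, constructed data,
and a minimal stand-in for SimpleAclAuthorizer (not the real implementation)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed server.properties fragment, mirroring the one in the question.
SERVER_PROPERTIES = """\
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:Bob;User:Alice
"""


def parse_super_users(server_properties: str) -> set[str]:
    """Return the principals listed in super.users (entries separated by ';')."""
    for line in server_properties.splitlines():
        line = line.strip()
        if line.startswith("super.users="):
            value = line.split("=", 1)[1]
            return {entry.strip() for entry in value.split(";") if entry.strip()}
    return set()


def kerberos_to_principal(kerberos_name: str, default_realm: str) -> str:
    """Map 'primary@REALM' to the Kafka principal 'User:primary'.

    Simplified DEFAULT rule (assumption): only names without an instance
    component and in the broker's default realm are accepted. Note that the
    result is case-sensitive, so 'bob@REALM' does not become 'User:Bob'.
    """
    if "@" not in kerberos_name:
        raise ValueError(f"not a Kerberos name: {kerberos_name!r}")
    primary, realm = kerberos_name.rsplit("@", 1)
    if "/" in primary:
        raise ValueError("instance-bearing names need an explicit mapping rule")
    if realm != default_realm:
        raise ValueError(f"realm {realm!r} is not the default realm")
    return f"User:{primary}"


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:Carol"
    operation: str   # e.g. "Read" or "Write"
    resource: str    # e.g. "Topic:orders"


class ToyAuthorizer:
    """Super users bypass ACL evaluation; everyone else needs an explicit Allow."""

    def __init__(self, super_users: set[str], acls: list[Acl]) -> None:
        self.super_users = super_users
        self.acls = acls

    def authorize(self, principal: str, operation: str, resource: str) -> bool:
        if principal in self.super_users:
            return True
        return any(
            acl.principal == principal
            and acl.operation == operation
            and acl.resource == resource
            for acl in self.acls
        )


def build_authorizer() -> ToyAuthorizer:
    """Authorizer for the constructed broker: two super users, one ordinary ACL."""
    super_users = parse_super_users(SERVER_PROPERTIES)
    acls = [Acl("User:Carol", "Read", "Topic:orders")]
    return ToyAuthorizer(super_users, acls)


if __name__ == "__main__":
    authz = build_authorizer()
    bob = kerberos_to_principal("Bob@EXAMPLE.COM", "EXAMPLE.COM")
    print(bob, "Write Topic:orders ->", authz.authorize(bob, "Write", "Topic:orders"))
    print("User:Carol Write Topic:orders ->",
          authz.authorize("User:Carol", "Write", "Topic:orders"))
    lowercase_bob = kerberos_to_principal("bob@EXAMPLE.COM", "EXAMPLE.COM")
    print(lowercase_bob, "Write Topic:orders ->",
          authz.authorize(lowercase_bob, "Write", "Topic:orders"))
```

The lowercase `bob` case is the practical gotcha: the broker compares the mapped principal string exactly, so a Kerberos principal whose primary does not match the spelling in `super.users` is treated as an ordinary user and falls through to the ACL table.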