Distinguish between the two ways to enable SASL #1562

vuldin · 2026-01-28T02:12:36Z

Description

This PR makes it clear there are two ways to enable SASL, explains what they are, when to choose one or the other, and why we even have two ways to begin with (why not just one?), and which is the recommended path for new clusters.

Page previews

https://deploy-preview-1562--redpanda-docs-preview.netlify.app/current/manage/security/authentication/

Checks

New feature
Content gap
Support Follow-up
Small fix (typos, links, copyedits, etc)

netlify · 2026-01-28T02:12:41Z

❌ Deploy Preview for redpanda-docs-preview failed. Why did it fail? →

Built without sensitive environment variables

Name	Link
🔨 Latest commit	`ea64105`
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/6984beb64f8075000890171d

coderabbitai · 2026-01-28T02:13:20Z

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🔍 Trigger a full review

📝 Walkthrough

Walkthrough

This change updates the authentication documentation in modules/manage/partials/authentication.adoc. It restructures the SASL authentication section to explicitly present two distinct methods with separate prerequisites, commands, and warnings. A new troubleshooting chapter is added to address Schema Registry 403 Forbidden errors with diagnosis and resolution steps. The OIDC and HTTP API authentication sections are expanded with conditional guidance based on deployment environment and additional examples. A security reporting section is appended referencing a cluster-wide reporting endpoint.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

rpdevmp
kbatuigas

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description addresses the content gap and provides clear context about the changes, but lacks the JIRA ticket reference and page preview URL.	Fill in the JIRA ticket ID (currently placeholder) and confirm the page preview URL is accurate for the authentication documentation changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly matches the main change: clarifying two distinct methods to enable SASL authentication, which is the central focus of the documentation rework.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

PREVIEW-487: Request failed with status code 404

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@modules/manage/partials/authentication.adoc`:
- Around line 548-554: The cross-reference to enable-sasl-authentication is
broken because that anchor isn’t present; fix it by either adding the missing
anchor id "enable-sasl-authentication" immediately above the relevant heading
(so the xref resolves) or update the xref to point to an existing anchor/ID used
in this document (for example the actual heading ID for SASL enablement or the
authentication section); ensure the xref text remains
"enable-sasl-authentication" or change it to the correct existing ID and verify
the xref renders.

modules/manage/partials/authentication.adoc

Feediver1 · 2026-01-28T21:33:11Z

modules/manage/partials/authentication.adoc

+
+*Why two methods?*
+
+* *Method 1* (`enable_sasl`) is the original approach, maintained for backwards compatibility. It applies SASL globally to all Kafka listeners with a single command.


Suggested change

* *Method 1* (`enable_sasl`) is the original approach, maintained for backwards compatibility. It applies SASL globally to all Kafka listeners with a single command.

* *`enable_sasl`* - is the original approach, which is maintained for backwards compatibility. It applies SASL globally to all Kafka listeners with a single command.

@vuldin
I'm not sure "the original approach" will resonate so much with users. Original from when? Is there any other distinguishing quality other than it is an "original approach"? Legacy approach?

The problem with legacy approach seems to be that it isn't actually deprecated. I guess "legacy" doesn't actually mean "deprecated" though. Maybe instead of "original" but "first implemented approach"?

mulling it over--i'll come up with something.

modules/manage/partials/authentication.adoc

Feediver1 · 2026-02-02T21:13:33Z

Hi @vuldin,
Are you okay with me pushing these updates from the review? Thinking I need to do another pass, but would like to see the first pass comments resolved first. thx

vuldin · 2026-02-05T16:15:58Z

Hi @Feediver1 , I think I've handled all feedback up to this point (with one minor question in a comment above).

vuldin requested a review from a team as a code owner January 28, 2026 02:12

coderabbitai bot reviewed Jan 28, 2026

View reviewed changes

modules/manage/partials/authentication.adoc Show resolved Hide resolved

vuldin force-pushed the distinguish-two-sasl-enable-routes branch from 2a62d06 to 08de78d Compare January 28, 2026 02:17

Feediver1 reviewed Jan 28, 2026

View reviewed changes