DSE 5.0 will have a new authenticator called DseAuthenticator. This has the ability to support multiple authentication schemes (internal, ldap, kerberos).
Schemes can be selected by the driver by sending the desired SASL mechanism as the initial SASL response. If the mechanism is supported then the authenticator will respond with a success response and the normal SASL exchange can continue. If the mechanism isn't supported then the authenticator will respond with an error.
To maintain backward compatibility the AuthProvider should check that the calling authenticator () is com.datastax.bdp.cassandra.auth.DseAuthenticator before sending a mechanism challenge. For any other authenticator it should skip this step and send the initial SASL response.
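The negotiation described in the ticket, as an added sketch that is not code from the driver or from DSE: a client helper sends the mechanism name first only when the server reports DseAuthenticator, and otherwise goes straight to the initial SASL response. The stub authenticators, the `b"OK"` success reply, the `authenticate` helper and the sample credentials are constructed assumptions; the page does not give the real wire format.

```python
DSE_AUTHENTICATOR = "com.datastax.bdp.cassandra.auth.DseAuthenticator"


class StubDseAuthenticator:
    """Constructed server-side stand-in: expects a mechanism name first."""
    name = DSE_AUTHENTICATOR
    supported = {b"PLAIN", b"GSSAPI"}

    def __init__(self):
        self.mechanism = None

    def evaluate(self, token):
        if self.mechanism is None:           # first message names the scheme
            if token not in self.supported:
                raise ValueError("unsupported mechanism: %r" % token)
            self.mechanism = token
            return b"OK"                     # assumed shape of the success reply
        return b"AUTHENTICATED"              # normal SASL exchange continues


class StubLegacyAuthenticator:
    """Constructed stand-in for any other authenticator: no mechanism step."""
    name = "org.apache.cassandra.auth.PasswordAuthenticator"

    def evaluate(self, token):
        if not token.startswith(b"\x00"):    # expects a PLAIN response right away
            raise ValueError("malformed SASL response")
        return b"AUTHENTICATED"


def authenticate(server, mechanism, sasl_response):
    """Client side: returns the list of messages sent to the server."""
    sent = []
    if server.name == DSE_AUTHENTICATOR:
        sent.append(mechanism)               # mechanism selection step
        server.evaluate(mechanism)           # raises if the scheme is refused
    sent.append(sasl_response)               # initial SASL response
    server.evaluate(sasl_response)
    return sent
```

Without the class-name check, the legacy stub would receive `b"PLAIN"` as its first message and reject it as a malformed response, which is the backward-compatibility failure the ticket guards against.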
One small thing I noticed while testing is that the underlying puresasl library requires kerberos in order to support GSSAPI, however that is not an explicit dependency.
Instead you end up with a somewhat cryptic error that looks like this.
I think we should provide the user with a more helpful message that indicates they need to install kerberos to support GSSAPI. This could be done in our authenticator, or in the underlying puresasl library.
+1 for 's suggestion of improving the error message
merged. Thanks, Mike.