I like the overall goal, but feel it's a bit rigid in only providing support for only one additional authentication method. This change dovetails with the stalled SASL work I've been doing in the subtasks for HADOOP-8779. I keep meaning to get back to it. Many of the changes were nudging the authentication scheme towards a pluggable design - you've even taken advantage of some of those changes!
The new hadoop SASL related interfaces shouldn't be necessary. The javax SASL framework uses a factory pattern to create clients and servers via SecurityProviders. SaslPlainServer does this, although there's probably a cleaner way to do it.
The good news is the patch should be significantly smaller if leveraging the javax framework.