With the recent RedHat/CentOS 8 update on the cyrus-sasl-gssapi package, Kudu servers and C++ clients can no longer negotiate connections when GSSAPI is involved (that's so for secure clusters where Kerberos-based authentication is a must). In other words, when the cyrus-sasl-gssapi package is upgraded up to 2.1.27-5 version, secure Kudu clusters are no longer functional.
The issue manifests itself by failed RPC connection negotiation with the following error logged along with the full connection negotiation trace:
The breaking change is in the following pull request for cyrus-sasl which has been pulled into the cyrus-sasl-gssapi-2.1.27-5 package: https://github.com/cyrusimap/cyrus-sasl/pull/603 That patch is named as cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch in the SRPM for the cyrus-sasl package.
The workaround is to roll back the cyrus-sasl-gssapi package back to 2.1.27-1 or earlier versions.