SSL certs - fairly standard and easy to implement, assuming a root CA is available. Stolen certificates can be an issue - there are no checks for revoked certificates. Clients need to be restarted to update certs. Certs always expire at the wrong time - it always surprises people.
SASL PLAIN - username and password. Stored in a file by default. Sent in plain text by default.
SASL SCRAM - avoids passwords being sent as plain text. Passwords are stored in ZooKeeper.
SASL GSSAPI - Kerberos. Can integrate with Active Directory. Passwords or keytabs supported. Large-scale deployments generate lots of tickets, which can put a lot of pressure on Active Directory servers.
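
How SCRAM avoids sending the password, as an added example that is not part of the original notes: a SCRAM-SHA-256 exchange following RFC 5802/RFC 7677, with both the client proof and the server-side check. The function names, the user "alice" and the password are constructed for illustration, and the credential dict stands in for whatever record the server keeps.

```python
import base64, hashlib, hmac, os

def hi(password, salt, iterations):
    # Hi() in RFC 5802 is PBKDF2 with HMAC as the PRF and one output block
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_credential(password, iterations=4096):
    # Server-side record: salt, iteration count and two derived keys, no password
    salt = os.urandom(16)
    salted = hi(password, salt, iterations)
    stored_key = hashlib.sha256(mac(salted, b"Client Key")).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": mac(salted, b"Server Key")}

def client_proof(password, salt, iterations, auth_message):
    client_key = mac(hi(password, salt, iterations), b"Client Key")
    signature = mac(hashlib.sha256(client_key).digest(), auth_message)
    return xor(client_key, signature)  # ClientProof = ClientKey XOR ClientSignature

def server_verify(cred, auth_message, proof):
    # Recover the claimed ClientKey from the proof; its hash must equal StoredKey
    claimed_key = xor(proof, mac(cred["stored_key"], auth_message))
    return hmac.compare_digest(hashlib.sha256(claimed_key).digest(), cred["stored_key"])

def run_exchange(username, password, cred):
    # Returns (authenticated, messages as they would appear on the wire).
    # Simplification: the username is assumed to contain no "," or "=".
    b64 = lambda raw: base64.b64encode(raw).decode()
    client_nonce = b64(os.urandom(18))
    client_first_bare = f"n={username},r={client_nonce}"
    nonce = client_nonce + b64(os.urandom(18))  # server appends its own nonce
    server_first = f"r={nonce},s={b64(cred['salt'])},i={cred['iterations']}"
    client_final_bare = f"c=biws,r={nonce}"  # biws = base64("n,,"), no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    proof = client_proof(password, cred["salt"], cred["iterations"], auth_message)
    wire = ["n,," + client_first_bare, server_first,
            f"{client_final_bare},p={b64(proof)}"]
    return server_verify(cred, auth_message, proof), wire
```

Because the proof is bound to both nonces, a captured exchange cannot be replayed, but the stored salt and keys still allow offline password guessing if the credential store is read.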