The security.authenticationMechanisms parameter (as documented here) requires that "If you specify multiple values, use a comma-separated list and no spaces."

If you put a space like for example:

authenticationMechanisms: "SCRAM-SHA-256, GSSAPI"

SCRAM-SHA-256 will be enabled and GSSAPI not in a silent way. This can trick users and who needs to troubleshoot this.

It would be nice to have a warning message that warns you that you have a space in the authenticationMechanisms parameter string and all the auth mechanisms specified may have not been enabled because of that.