...
```java
public class TokenInformation {
    private KafkaPrincipal owner;
    private KafkaPrincipal tokenRequester; // New
    private Collection<KafkaPrincipal> renewers;
    private long issueTimestamp;
    private long maxTimestamp;
    private long expiryTimestamp;
    private String tokenId;
    ....
    ....
    ....
}
```
ACL Changes
...
Resources
A new resource type called "User" will be added. It represents a user and is made available to the Authorizer as a Resource.
Operations
We would like to add two new Operations, "CreateTokens" and "DescribeTokens", on the User resource, to allow users to create tokens for other users and to describe other users' tokens.
Owner, renewer and token requester principals can always renew, expire and describe their own tokens.
| Operation | Resource | API | Status |
|---|---|---|---|
| CreateTokens | User | createTokens for other users | New |
| DescribeTokens | User | describeTokens for other users' tokens | New |
| Describe | DelegationToken | describeTokens for a given tokenId | Existing |
...
```sh
bin/kafka-delegation-token.sh --bootstrap-server broker1:9092 --create --owner-principal User:owner1 --renewer-principal User:renewer1 --max-life-time 1486750745585
```
AclCommand Changes
To represent the new User resource type we have to modify the AclCommand slightly and add a new option called --users. This option takes a comma separated list of users as its parameter. By specifying this parameter we control (allow or deny) whether the principal may create or describe tokens owned by those users.
For instance:
```sh
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:tokenRequester --allow-host '*' --operation CreateTokens --users "owner1,owner2"
```
Proposed Changes
Create/Renew Tokens:
Token requester users with 'CreateTokens' permission on the 'User' resource can create or renew tokens for other users as authorized by the ACL. The token requester must be authenticated using one of the available secure channels (Kerberos, SCRAM, SSL) to create or renew tokens for other users. A token requester cannot use delegation token based authentication to create or renew tokens.
...
Users with 'DescribeTokens' permission on the User resource can describe other users' tokens as authorized by the ACL. A token can also be described if the user has Describe permission on the DelegationToken resource.
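The following is an added example, not Kafka's own authorizer or the KIP's implementation. It models the rules stated on this page in one place: the tokenRequester field added to TokenInformation, the CreateTokens and DescribeTokens operations on the User resource, the pre-existing Describe operation on the DelegationToken resource, the rule that owners, renewers and the token requester may always act on their own token, and the rule that a session authenticated with a delegation token may not create or renew tokens. The Principal, Acl and TokenInformation records, the authViaToken flag and the sample ACLs and token are assumptions constructed for the example (the ACLs mirror the kafka-acls.sh command shown above).

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not Kafka's implementation: a small model of the authorization
// rules described on this page. Record shapes and sample data are assumptions.
public class TokenAuthzExample {

    enum ResourceType { USER, DELEGATION_TOKEN }
    enum Operation { CREATE_TOKENS, DESCRIBE_TOKENS, DESCRIBE }

    // "User:owner1"-style principal. authViaToken marks a session that was itself
    // authenticated with a delegation token (assumed flag, not a Kafka field).
    record Principal(String type, String name, boolean authViaToken) {
        static Principal user(String name) { return new Principal("User", name, false); }
        static Principal userViaToken(String name) { return new Principal("User", name, true); }
        // ACL matching ignores how the session was authenticated.
        Principal identity() { return new Principal(type, name, false); }
    }

    // An allow ACL: principal may perform operation on (resourceType, resourceName).
    record Acl(Principal principal, Operation operation, ResourceType resourceType, String resourceName) {}

    // The page's TokenInformation, reduced to the fields the checks need.
    record TokenInformation(String tokenId, Principal owner, Principal tokenRequester,
                            Collection<Principal> renewers) {
        // Owner, token requester and renewers can always act on their own token.
        boolean isParty(Principal p) {
            Principal id = p.identity();
            return id.equals(owner) || id.equals(tokenRequester) || renewers.contains(id);
        }
    }

    private final Set<Acl> acls = new HashSet<>();

    void allow(Principal p, Operation op, ResourceType rt, String resourceName) {
        acls.add(new Acl(p.identity(), op, rt, resourceName));
    }

    private boolean hasAcl(Principal p, Operation op, ResourceType rt, String resourceName) {
        return acls.contains(new Acl(p.identity(), op, rt, resourceName));
    }

    // Create: a token-authenticated session may never create tokens; otherwise the
    // caller needs CreateTokens on User:<owner>, unless it is creating for itself.
    boolean canCreateFor(Principal requester, Principal owner) {
        if (requester.authViaToken()) return false;
        if (requester.identity().equals(owner.identity())) return true;
        return hasAcl(requester, Operation.CREATE_TOKENS, ResourceType.USER, owner.name());
    }

    // Renew: same channel restriction; parties to the token may always renew,
    // otherwise CreateTokens on User:<owner> is required.
    boolean canRenew(Principal caller, TokenInformation token) {
        if (caller.authViaToken()) return false;
        return token.isParty(caller)
            || hasAcl(caller, Operation.CREATE_TOKENS, ResourceType.USER, token.owner().name());
    }

    // Describe: parties always may; otherwise DescribeTokens on User:<owner> or
    // Describe on DelegationToken:<tokenId> (the pre-existing rule) suffices.
    boolean canDescribe(Principal caller, TokenInformation token) {
        return token.isParty(caller)
            || hasAcl(caller, Operation.DESCRIBE_TOKENS, ResourceType.USER, token.owner().name())
            || hasAcl(caller, Operation.DESCRIBE, ResourceType.DELEGATION_TOKEN, token.tokenId());
    }

    public static void main(String[] args) {
        TokenAuthzExample authz = new TokenAuthzExample();
        Principal requester = Principal.user("tokenRequester");
        Principal owner1 = Principal.user("owner1");
        Principal owner2 = Principal.user("owner2");
        Principal auditor = Principal.user("auditor");

        // Constructed ACLs, matching the kafka-acls.sh example on this page.
        authz.allow(requester, Operation.CREATE_TOKENS, ResourceType.USER, "owner1");
        authz.allow(requester, Operation.CREATE_TOKENS, ResourceType.USER, "owner2");
        authz.allow(auditor, Operation.DESCRIBE, ResourceType.DELEGATION_TOKEN, "tok-1");

        // Constructed token: owned by owner1, requested by tokenRequester, renewable by renewer1.
        TokenInformation tok1 = new TokenInformation("tok-1", owner1, requester,
                List.of(Principal.user("renewer1")));

        System.out.println("tokenRequester creates for owner1: " + authz.canCreateFor(requester, owner1));
        System.out.println("token-authenticated tokenRequester creates for owner1: "
                + authz.canCreateFor(Principal.userViaToken("tokenRequester"), owner1));
        System.out.println("owner2 (no ACL) creates for owner1: " + authz.canCreateFor(owner2, owner1));
        System.out.println("renewer1 renews tok-1: " + authz.canRenew(Principal.user("renewer1"), tok1));
        System.out.println("auditor describes tok-1: " + authz.canDescribe(auditor, tok1));
        System.out.println("owner2 describes tok-1: " + authz.canDescribe(owner2, tok1));
    }
}
```

The authentication-channel check is deliberately evaluated before any ACL lookup: a delegation-token-authenticated session is refused creation and renewal regardless of what ACLs its principal holds, which is the property the page relies on to stop tokens from minting further tokens.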
Token Details in Zookeeper
...