...

{
  "apiKey": 38,
  "type": "response",
  "name": "CreateDelegationTokenResponse",
  // Starting in version 1, on quota violation, brokers send out responses before throttling.
  "validVersions": "0-12",
  "fields": [
    { "name": "ErrorCode", "type": "int16", "versions": "0+",
      "about": "The top-level error, or zero if there was no error."},
    { "name": "PrincipalType", "type": "string", "versions": "0+",
      "about": "The principal type of the token owner." },
    { "name": "PrincipalName", "type": "string", "versions": "0+",
      "about": "The name of the token owner." },
    { "name": "TokenRequesterPrincipalType", "type": "string", "versions": "2+",
      "about": "The principal type of the requester of the token." },
    { "name": "TokenRequesterPrincipalName", "type": "string", "versions": "2+",
      "about": "The principal name of the requester of the token." },
    { "name": "IssueTimestampMs", "type": "int64", "versions": "0+",
      "about": "When this token was generated." },
    { "name": "ExpiryTimestampMs", "type": "int64", "versions": "0+",
      "about": "When this token expires." },
    { "name": "MaxTimestampMs", "type": "int64", "versions": "0+",
      "about": "The maximum lifetime of this token." },
    { "name": "TokenId", "type": "string", "versions": "0+",
      "about": "The token UUID." },
    { "name": "Hmac", "type": "bytes", "versions": "0+",
      "about": "HMAC of the delegation token." },
    { "name": "ThrottleTimeMs", "type": "int32", "versions": "0+",
      "about": "The duration in milliseconds for which the request was throttled due to a quota violation, or zero if the request did not violate any quota." }
  ]
}

...

{
  "apiKey": 41,
  "type": "response",
  "name": "DescribeDelegationTokenResponse",
  // Starting in version 1, on quota violation, brokers send out responses before throttling.
  "validVersions": "0-12",
  "fields": [
    { "name": "ErrorCode", "type": "int16", "versions": "0+",
      "about": "The error code, or 0 if there was no error." },
    { "name": "Tokens", "type": "[]DescribedDelegationToken", "versions": "0+",
      "about": "The tokens.", "fields": [
      { "name": "PrincipalType", "type": "string", "versions": "0+",
        "about": "The token principal type." },
      { "name": "PrincipalName", "type": "string", "versions": "0+",
        "about": "The token principal name." },
      { "name": "TokenRequesterPrincipalType", "type": "string", "versions": "2+",
        "about": "The principal type of the requester of the token." },
      { "name": "TokenRequesterPrincipalName", "type": "string", "versions": "2+",
        "about": "The principal name of the requester of the token." },
      { "name": "IssueTimestamp", "type": "int64", "versions": "0+",
        "about": "The token issue timestamp in milliseconds." },
      { "name": "ExpiryTimestamp", "type": "int64", "versions": "0+",
        "about": "The token expiry timestamp in milliseconds." },
      { "name": "MaxTimestamp", "type": "int64", "versions": "0+",
        "about": "The token maximum timestamp length in milliseconds." },
      { "name": "TokenId", "type": "string", "versions": "0+",
        "about": "The token ID." },
      { "name": "Hmac", "type": "bytes", "versions": "0+",
        "about": "The token HMAC." },
      { "name": "Renewers", "type": "[]DescribedDelegationTokenRenewer", "versions": "0+",
        "about": "Those who are able to renew this token before it expires.", "fields": [
        { "name": "PrincipalType", "type": "string", "versions": "0+",
          "about": "The renewer principal type" },
        { "name": "PrincipalName", "type": "string", "versions": "0+",
          "about": "The renewer principal name" }
      ]}
    ]},
    { "name": "ThrottleTimeMs", "type": "int32", "versions": "0+",
      "about": "The duration in milliseconds for which the request was throttled due to a quota violation, or zero if the request did not violate any quota." }
  ]
}
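
The version 2 fields let an auditor separate tokens a user created for itself from tokens created on its behalf by another principal. The following is an added example, not code from the KIP or from Kafka: it checks decoded DescribedDelegationToken records against an allow-list. The records, the `APPROVED` allow-list, the helper names and the 7-day lifetime policy are constructed assumptions, and `MaxTimestamp` is treated as an absolute epoch-millisecond value.

```python
# Added example, not code from the KIP. Field names follow the version 2
# DescribeDelegationTokenResponse schema; all records below are constructed.
HOUR_MS = 3_600_000
NOW_MS = 1_700_000_000_000  # constructed "current time"

def principal(ptype, name):
    return f"{ptype}:{name}"

def audit_tokens(tokens, approved, now_ms, max_remaining_ms):
    """Return (TokenId, owner, requester, reason) for suspicious delegated tokens.

    approved maps a requester principal to the owners it may act for; it is a
    hypothetical allow-list that should mirror the intended CreateTokens ACLs.
    """
    findings = []
    for t in tokens:
        owner = principal(t["PrincipalType"], t["PrincipalName"])
        requester = principal(t["TokenRequesterPrincipalType"],
                              t["TokenRequesterPrincipalName"])
        if t["ExpiryTimestamp"] <= now_ms or requester == owner:
            continue  # expired, or created by the owner for itself
        if owner not in approved.get(requester, set()):
            findings.append((t["TokenId"], owner, requester, "requester not approved"))
        elif t["MaxTimestamp"] - now_ms > max_remaining_ms:
            findings.append((t["TokenId"], owner, requester, "lifetime over policy"))
    return findings

def tok(token_id, owner, requester, expiry_h, max_h):
    """Build one constructed DescribedDelegationToken record."""
    return {"TokenId": token_id, "PrincipalType": "User", "PrincipalName": owner,
            "TokenRequesterPrincipalType": "User",
            "TokenRequesterPrincipalName": requester,
            "ExpiryTimestamp": NOW_MS + expiry_h * HOUR_MS,
            "MaxTimestamp": NOW_MS + max_h * HOUR_MS}

SAMPLE_TOKENS = [
    tok("t1", "owner1", "tokenRequester", 1, 24),     # approved, short-lived
    tok("t2", "owner2", "batchJob", 1, 24),           # no approval on record
    tok("t3", "owner2", "owner2", 1, 24),             # self-issued
    tok("t4", "owner1", "tokenRequester", 1, 720),    # approved, but 30-day max
    tok("t5", "owner1", "batchJob", -1, 24),          # already expired
]
APPROVED = {"User:tokenRequester": {"User:owner1", "User:owner2"}}

if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_TOKENS, APPROVED, NOW_MS, 7 * 24 * HOUR_MS):
        print(finding)
```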

...

To represent the new User resource type we have to modify the AclCommand slightly and add a new option called --users. This would take a comma semicolon separated list of users as its parameter. Specifying this parameter controls (allows or denies) whether the principal may create or describe tokens owned by those users.

...

>> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:tokenRequester --allow-host '*' --operation CreateTokens --users "owner1,;owner2"

Proposed Changes

Create/Renew Tokens:

...