...

Current state: "DISCUSSION".

Discussion thread: here

JIRA: KAFKA-1696 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

Field

Description

Renewer

Renewer is a Kafka Principal (a PrincipalType + name string) who is allowed to renew this token before its max lifetime expires. If the Renewer list is empty, the Renewer defaults to the Owner (the Principal which requested this token).

MaxDateMs

Max lifetime for the token in milliseconds. If the value is -1, the max lifetime defaults to a server-side config value.

...

Field

Description

Owner

Kafka Principal which requested the delegation token

IssueDateMs

Timestamp (in milliseconds) when this token was generated, measured from the beginning of the epoch (midnight Jan 1, 1970, UTC).

ExpiryDateMs

Timestamp (in milliseconds) at which this token expires, measured from the beginning of the epoch (midnight Jan 1, 1970, UTC).

TokenId

Sequence number /UUID to ensure uniqueness 

HMAC

Keyed-hash message authentication code

Renewer

Renewers list

...

Code Block
RenewDelegationTokenResponse => ErrorCode TokenDetails
  ErrorCode => INT32
  TokenDetails => Owner IssueDateMs ExpiryDateMs TokenId HMAC [Renewer]
    Owner => String
    IssueDateMs => INT64
    ExpiryDateMs => INT64
    TokenId => String
    HMAC => bytes
    Renewer => String
Possible Error Codes
* DelegationTokenDisabledException
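The wire layout above, worked through as an added example (not code from the KIP or from Kafka): a serializer and a bounds-checked parser for RenewDelegationTokenResponse. Field widths follow the schema on this page (ErrorCode as INT32 in this draft); the primitive encodings (big-endian integers, STRING as INT16 length + UTF-8, BYTES as INT32 length + raw bytes, ARRAY as INT32 count + elements) are Kafka's standard ones. The MAX_RENEWERS bound is an assumption added so a hostile element count cannot drive a large allocation.

```python
import struct
from dataclasses import dataclass
from typing import List

# Kafka protocol primitive encodings, all big-endian: INT16/INT32/INT64 are fixed width,
# STRING = INT16 length + UTF-8 bytes, BYTES = INT32 length + raw bytes,
# ARRAY = INT32 element count followed by the elements.

MAX_RENEWERS = 1024  # assumed sanity bound; not part of the protocol


def _string(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack(">h", len(data)) + data


def _bytes(b: bytes) -> bytes:
    return struct.pack(">i", len(b)) + b


@dataclass
class RenewDelegationTokenResponse:
    error_code: int       # ErrorCode => INT32 in this draft of the page
    owner: str
    issue_date_ms: int
    expiry_date_ms: int
    token_id: str
    hmac: bytes
    renewers: List[str]

    def encode(self) -> bytes:
        """Serialize exactly in the field order of the schema on the page."""
        out = struct.pack(">i", self.error_code)
        out += _string(self.owner)
        out += struct.pack(">q", self.issue_date_ms)
        out += struct.pack(">q", self.expiry_date_ms)
        out += _string(self.token_id)
        out += _bytes(self.hmac)
        out += struct.pack(">i", len(self.renewers))
        for renewer in self.renewers:
            out += _string(renewer)
        return out


class _Reader:
    """Bounds-checked cursor over a response buffer; every read fails loudly on truncation."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        # n < 0 also rejects Kafka's "null" encodings (-1 length), which this schema does not allow
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated or malformed response")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def int16(self) -> int: return struct.unpack(">h", self.take(2))[0]
    def int32(self) -> int: return struct.unpack(">i", self.take(4))[0]
    def int64(self) -> int: return struct.unpack(">q", self.take(8))[0]
    def string(self) -> str: return self.take(self.int16()).decode("utf-8")
    def bytes_(self) -> bytes: return self.take(self.int32())


def decode(buf: bytes) -> RenewDelegationTokenResponse:
    """Parse a RenewDelegationTokenResponse, rejecting truncation, bad counts and trailing bytes."""
    r = _Reader(buf)
    error_code = r.int32()
    owner = r.string()
    issue_date_ms = r.int64()
    expiry_date_ms = r.int64()
    token_id = r.string()
    mac = r.bytes_()
    count = r.int32()
    if count < 0 or count > MAX_RENEWERS:
        raise ValueError(f"bad renewer count {count}")
    renewers = [r.string() for _ in range(count)]
    if r.pos != len(buf):
        raise ValueError("trailing bytes after response")
    return RenewDelegationTokenResponse(error_code, owner, issue_date_ms,
                                        expiry_date_ms, token_id, mac, renewers)
```

A client that decodes with this reader treats any short read as a protocol error instead of silently producing a half-filled TokenDetails, which matters because the HMAC and expiry it returns are what the client will later present for authentication.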

...

The Kafka authentication token is modeled after the Hadoop user delegation token. The token will consist of:

 

TokenDetails:

  • Owner ID -- Username that this token will authenticate as
  • Renewers ID -- designated renewers list
  • Issue date -- timestamp (in msec) when this token was generated
  • Expiry date -- timestamp (in msec) at which this token expires
  • TokenID -- Sequence number /UUID to ensure uniqueness

TokenAuthenticator(HMAC) := HMAC_SHA1(master key, TokenID)

Authentication Token := (TokenDetails, TokenAuthenticator(HMAC))

Because the HMAC covers only the TokenID, the Owner, Renewer and date fields are not self-authenticating: a broker must take them from its own persisted TokenDetails for that TokenID, never from values supplied by the client.
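The request defaults (empty Renewer list, MaxDateMs of -1) and the token structure above, as an added example that is not code from the KIP or from Kafka. It issues a token as (TokenDetails, HMAC_SHA1(master key, TokenID)), authenticates a presented (TokenID, HMAC) pair against the broker's own store with a constant-time compare, and renews only for a listed renewer before the max date. The TOKEN_STORE dict stands in for the ZooKeeper token path; the default lifetime constants and their names are assumptions, as is the one-renew-period-per-issue rule used to derive ExpiryDateMs.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Server-side defaults. The page only says MaxDateMs == -1 falls back to "a server
# side config value"; these names and values are assumptions for the example.
DEFAULT_MAX_LIFETIME_MS = 7 * 24 * 60 * 60 * 1000   # assumed: 7 days
RENEW_PERIOD_MS = 24 * 60 * 60 * 1000               # assumed: one day per issue/renew


@dataclass
class TokenDetails:
    owner: str              # Kafka principal that requested the token
    renewers: List[str]     # principals allowed to renew before max_date_ms
    issue_date_ms: int
    expiry_date_ms: int
    max_date_ms: int        # absolute deadline beyond which renewal is refused
    token_id: str


# Stands in for the ZooKeeper node /tokenauth/tokens/<tokenId>.
TOKEN_STORE: Dict[str, TokenDetails] = {}


def token_authenticator(master_key: bytes, token_id: str) -> bytes:
    """TokenAuthenticator(HMAC) := HMAC_SHA1(master key, TokenID), as specified on the page."""
    return hmac.new(master_key, token_id.encode("utf-8"), hashlib.sha1).digest()


def create_token(master_key: bytes, owner: str, renewers: List[str], max_lifetime_ms: int,
                 now_ms: int, token_id: Optional[str] = None) -> Tuple[TokenDetails, bytes]:
    """Apply the request-field defaults from the page and issue (TokenDetails, HMAC)."""
    if not renewers:                       # empty Renewer list -> owner is the renewer
        renewers = [owner]
    if max_lifetime_ms == -1:              # -1 -> server-side default
        max_lifetime_ms = DEFAULT_MAX_LIFETIME_MS
    token_id = token_id or str(uuid.uuid4())   # UUID for uniqueness
    max_date_ms = now_ms + max_lifetime_ms
    details = TokenDetails(
        owner=owner,
        renewers=list(renewers),
        issue_date_ms=now_ms,
        expiry_date_ms=min(now_ms + RENEW_PERIOD_MS, max_date_ms),
        max_date_ms=max_date_ms,
        token_id=token_id,
    )
    TOKEN_STORE[token_id] = details
    return details, token_authenticator(master_key, token_id)


def authenticate(master_key: bytes, token_id: str, presented_hmac: bytes, now_ms: int) -> Optional[str]:
    """Broker side: return the owner principal if the token is valid, else None.

    Only TokenID is covered by the HMAC, so owner and expiry are read from the
    broker's own store, never from anything the client sends alongside the token.
    """
    details = TOKEN_STORE.get(token_id)
    if details is None:
        return None
    expected = token_authenticator(master_key, token_id)
    if not hmac.compare_digest(expected, presented_hmac):   # constant-time compare
        return None
    if now_ms >= details.expiry_date_ms:
        return None
    return details.owner


def renew_token(renewer: str, token_id: str, now_ms: int) -> Optional[int]:
    """Extend expiry if the caller is a listed renewer and the max lifetime has not passed."""
    details = TOKEN_STORE.get(token_id)
    if details is None or renewer not in details.renewers:
        return None
    if now_ms >= details.max_date_ms:      # past MaxDate: renewal refused, token must be reissued
        return None
    details.expiry_date_ms = min(now_ms + RENEW_PERIOD_MS, details.max_date_ms)
    return details.expiry_date_ms
```

The lookup-then-verify order in authenticate is deliberate: a token whose ID is unknown to the broker (for example one issued under a rotated master key) is rejected before any HMAC is computed, and the HMAC check itself is constant-time.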

...

Code Block (title: Delegation Token Details)
//Delegation Token Details for tokenID token123: ZooKeeper persistence path /tokenauth/tokens/token123
{
   "version": 1,
   "owner": "owner",
   "renewer": "renewer",
   "issueDate": "issueDate",
   "tokenID": "sequence-number",
   //Store SCRAM credentials here as well, as per KIP-84
   "credentials": {
      "SCRAM-SHA-512": "salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4S...==,server_key=...,iterations=4096",
      "SCRAM-SHA-256": "salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096"
   }
}

SCRAM Extensions

SCRAM messages have an optional extensions field, which is a comma-separated list of key=value pairs.
After KIP-84 is implemented, an extension will be added to the first client SCRAM message to indicate
that authentication is being requested for a delegation token. This will enable the Kafka broker to obtain
the credentials and principal through a different code path for delegation tokens.
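The extension mechanism above, as an added example (not code from the KIP or from Kafka): the client builds an RFC 5802 client-first-message whose username is the TokenID and appends an extension flag, and the broker parses the message, collects the extensions and chooses where to look the credentials up. The extension name "tokenauth" and the user-credential path /config/users/<name> are assumptions (the page fixes neither); the token path /tokenauth/tokens/<tokenId> is the one shown on this page.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Name of the extension that flags token authentication. The page does not fix the
# name, so "tokenauth" is an assumption for this example.
TOKEN_EXTENSION = "tokenauth"


def escape(name: str) -> str:
    """RFC 5802 username escaping: '=' -> '=3D', ',' -> '=2C' (in that order)."""
    return name.replace("=", "=3D").replace(",", "=2C")


def unescape(name: str) -> str:
    return name.replace("=2C", ",").replace("=3D", "=")


def client_first_message(username: str, nonce: Optional[str] = None,
                         delegation_token: bool = False) -> str:
    """Client side: with delegation_token=True the username carried in n= is the TokenID."""
    nonce = nonce or secrets.token_urlsafe(18)
    msg = f"n,,n={escape(username)},r={nonce}"
    if delegation_token:
        msg += f",{TOKEN_EXTENSION}=true"       # extension goes after the nonce
    return msg


@dataclass
class ClientFirst:
    username: str
    nonce: str
    extensions: Dict[str, str]


def parse_client_first(msg: str) -> ClientFirst:
    """Broker side: parse 'n,,n=<user>,r=<nonce>[,key=value...]' and collect the extensions."""
    if not msg.startswith("n,,"):
        raise ValueError("only the 'n,,' GS2 header (no channel binding, no authzid) is supported")
    attrs = msg[3:].split(",")
    if attrs[0].startswith("m="):
        # RFC 5802: a mandatory extension the server does not understand must fail authentication
        raise ValueError("unsupported mandatory extension")
    if len(attrs) < 2 or not attrs[0].startswith("n=") or not attrs[1].startswith("r="):
        raise ValueError("malformed client-first-message")
    extensions: Dict[str, str] = {}
    for item in attrs[2:]:
        key, sep, value = item.partition("=")
        if not sep or not key or key in extensions:
            raise ValueError(f"malformed or duplicate extension: {item!r}")
        extensions[key] = value
    return ClientFirst(unescape(attrs[0][2:]), attrs[1][2:], extensions)


def credential_path(first: ClientFirst) -> str:
    """Choose the credential lookup code path from the extension.

    Token path is the one on the page; the user path is the KIP-84 location and is
    an assumption here. The name is checked before it is spliced into a path.
    """
    name = first.username
    if not name or "/" in name or name in (".", ".."):
        raise ValueError("username is not safe to use as a node name")
    if first.extensions.get(TOKEN_EXTENSION) == "true":
        return f"/tokenauth/tokens/{name}"
    return f"/config/users/{name}"
```

With the flag present the broker reads the SCRAM salt, stored_key, server_key and iteration count from the token node and runs the normal SCRAM exchange against them; the client's proof is therefore bound to the per-token SCRAM credential, and the principal it authenticates as is the token's owner rather than the TokenID.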

...