...

Current state: Accepted

Discussion thread: here

JIRA: KAFKA-1696

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

CreateDelegationTokenResponse => ErrorCode TokenDetails
  ErrorCode => INT16
  TokenDetails => IssueDateMs ExpiryDateMs MaxDateMs TokenId HMAC
    IssueDateMs  => INT64
    ExpiryDateMs => INT64
    MaxDateMs    => INT64
    TokenId      => String
    HMAC         => bytes

Fields:

  • IssueDateMs -- timestamp (in msec) when this token was generated. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).
  • ExpiryDateMs -- timestamp (in msec) at which this token expires. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).
  • MaxDateMs -- max life timestamp (in msec) of this token. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).
  • TokenId -- Sequence number to ensure uniqueness
  • HMAC -- Keyed-hash message authentication code
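To make the CreateDelegationTokenResponse layout concrete, here is an added encoder/decoder for it written for this page (it is not KIP or Kafka client code). It assumes the Kafka protocol's non-compact primitive encodings: big-endian integers, STRING as an INT16 length prefix followed by UTF-8 bytes, and BYTES as an INT32 length prefix followed by raw bytes. The decoder rejects truncated buffers, null fields and trailing bytes rather than silently reading past the end, which is the check a broker-side or client-side parser of this message needs.

```python
import struct
from dataclasses import dataclass

# Kafka protocol primitive encodings assumed here (non-compact flavour):
# INT16 = ">h", INT64 = ">q", STRING = INT16 length + UTF-8, BYTES = INT32 length + raw.


@dataclass(frozen=True)
class TokenDetails:
    issue_date_ms: int
    expiry_date_ms: int
    max_date_ms: int
    token_id: str
    hmac: bytes


class _Reader:
    """Bounds-checked cursor over the response bytes."""

    def __init__(self, buf: bytes) -> None:
        self.buf = buf
        self.pos = 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated response")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def unpack(self, fmt: str):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))

    def string(self) -> str:
        (n,) = self.unpack(">h")
        if n < 0:
            raise ValueError("null STRING where a value is required")
        return self.take(n).decode("utf-8")

    def bytes_(self) -> bytes:
        (n,) = self.unpack(">i")
        if n < 0:
            raise ValueError("null BYTES where a value is required")
        return bytes(self.take(n))


@dataclass(frozen=True)
class CreateDelegationTokenResponse:
    error_code: int
    token: TokenDetails

    def encode(self) -> bytes:
        t = self.token
        token_id = t.token_id.encode("utf-8")
        return (struct.pack(">hqqq", self.error_code,
                            t.issue_date_ms, t.expiry_date_ms, t.max_date_ms)
                + struct.pack(">h", len(token_id)) + token_id
                + struct.pack(">i", len(t.hmac)) + t.hmac)

    @classmethod
    def decode(cls, buf: bytes) -> "CreateDelegationTokenResponse":
        r = _Reader(buf)
        error_code, issue, expiry, max_ms = r.unpack(">hqqq")
        token_id = r.string()
        hmac_bytes = r.bytes_()
        if r.pos != len(buf):
            raise ValueError("trailing bytes after response")
        return cls(error_code, TokenDetails(issue, expiry, max_ms, token_id, hmac_bytes))


# Constructed sample values, not taken from any real broker.
SAMPLE = CreateDelegationTokenResponse(
    error_code=0,
    token=TokenDetails(issue_date_ms=1000, expiry_date_ms=2000, max_date_ms=3000,
                       token_id="t1", hmac=b"\x01\x02"),
)


def roundtrip(resp: CreateDelegationTokenResponse) -> CreateDelegationTokenResponse:
    return CreateDelegationTokenResponse.decode(resp.encode())


if __name__ == "__main__":
    wire = SAMPLE.encode()
    print(len(wire), wire.hex())
    print(roundtrip(SAMPLE) == SAMPLE)
```

The fixed-width prefix is 26 bytes (INT16 plus three INT64s), so the sample above encodes to 36 bytes in total; any buffer shorter than the declared lengths is rejected with ValueError instead of yielding a partially filled TokenDetails.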

...

DescribeDelegationTokenResponse => ErrorCode [TokenDetails]
  ErrorCode => INT16
  TokenDetails => Owner IssueDateMs ExpiryDateMs MaxDateMs TokenId HMAC [Renewer]
    Owner        => String
    IssueDateMs  => INT64
    ExpiryDateMs => INT64
    MaxDateMs    => INT64
    TokenId      => String
    HMAC         => bytes
    Renewer      => String

Fields:

  • Owner -- Kafka Principal which requested the delegation token
  • IssueDateMs -- timestamp (in msec) when this token was generated. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).
  • ExpiryDateMs -- timestamp (in msec) at which this token expires. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).
  • MaxDateMs -- max life timestamp (in msec) of this token. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).
  • TokenId -- Sequence number to ensure uniqueness
  • HMAC -- Keyed-hash message authentication code
  • Renewer -- Renewers list

...

TokenDetails:

  • Owner ID -- Username that this token will authenticate as
  • Renewers ID -- designated renewers list
  • Issue date -- timestamp (in msec) when this token was generated
  • Expiry date -- timestamp (in msec) at which this token expires
  • Max Date -- max life timestamp (in msec) of this token
  • TokenID -- UUID to ensure uniqueness

TokenAuthenticator(HMAC) := HMAC_SHA1(master key, TokenID)

Authentication Token := (TokenDetails, TokenAuthenticator(HMAC))
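The two definitions above fix what the HMAC actually protects: it is computed over the TokenID alone, so the broker must fetch the TokenDetails (owner, renewers, expiry, max date) from its own store by TokenID and check them there, never from a copy presented by the client. The following is an added example illustrating that flow; it is not KIP-48 or Kafka code. The master key is a constructed value, the in-memory dict stands in for the broker's token store, and the renewal rule (new expiry capped at MaxDate, only by a designated renewer) is an assumption drawn from the field descriptions rather than a procedure the page spells out.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TokenDetails:
    owner: str                 # principal the token authenticates as
    renewers: Tuple[str, ...]  # designated renewers list
    issue_date_ms: int
    expiry_date_ms: int
    max_date_ms: int
    token_id: str              # UUID, unique per token


def token_authenticator(master_key: bytes, token_id: str) -> bytes:
    # TokenAuthenticator(HMAC) := HMAC_SHA1(master key, TokenID); 20-byte digest
    return hmac.new(master_key, token_id.encode("utf-8"), hashlib.sha1).digest()


def create_token(master_key: bytes, store: Dict[str, TokenDetails], owner: str,
                 renewers: Tuple[str, ...], now_ms: int, lifetime_ms: int,
                 max_lifetime_ms: int) -> Tuple[TokenDetails, bytes]:
    """Authentication Token := (TokenDetails, TokenAuthenticator(HMAC))."""
    details = TokenDetails(owner, tuple(renewers), now_ms,
                           min(now_ms + lifetime_ms, now_ms + max_lifetime_ms),
                           now_ms + max_lifetime_ms, str(uuid.uuid4()))
    store[details.token_id] = details          # broker keeps the authoritative copy
    return details, token_authenticator(master_key, details.token_id)


def verify_token(master_key: bytes, store: Dict[str, TokenDetails], token_id: str,
                 presented_hmac: bytes, now_ms: int) -> Optional[TokenDetails]:
    """Return the stored details if the token is genuine and live, else None."""
    details = store.get(token_id)
    if details is None:
        return None                            # unknown or already deleted token
    expected = token_authenticator(master_key, token_id)
    if not hmac.compare_digest(expected, presented_hmac):
        return None                            # constant-time comparison
    if now_ms >= details.expiry_date_ms or now_ms >= details.max_date_ms:
        return None                            # expired, or past its max life
    return details


def renew_token(store: Dict[str, TokenDetails], token_id: str, renewer: str,
                now_ms: int, lifetime_ms: int) -> TokenDetails:
    """Assumed rule: only a designated renewer may extend, never past MaxDate."""
    details = store[token_id]
    if renewer not in details.renewers:
        raise PermissionError(f"{renewer} is not a designated renewer")
    new_expiry = min(now_ms + lifetime_ms, details.max_date_ms)
    details = replace(details, expiry_date_ms=new_expiry)
    store[token_id] = details
    return details


# Constructed master key for the demo; a real broker would load its own secret.
MASTER_KEY = b"constructed-demo-master-key"

if __name__ == "__main__":
    store: Dict[str, TokenDetails] = {}
    d, mac = create_token(MASTER_KEY, store, "alice", ("bob",), 1_000, 60_000, 600_000)
    print(d.token_id, mac.hex())
    print(verify_token(MASTER_KEY, store, d.token_id, mac, 2_000) is not None)
    print(verify_token(MASTER_KEY, store, d.token_id, mac, 100_000) is None)
```

Because the authenticator binds only the TokenID, an attacker who alters the expiry in a client-held TokenDetails gains nothing: verify_token reads expiry and max date from the store, and a forged or bit-flipped HMAC fails compare_digest before any of those fields are consulted.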

...

The token is stored in ZooKeeper as properties under the path /tokenauth/tokens/<tokenUID>. During server startup and at token creation, SCRAM credentials are generated for the token and stored in memory (TokenCache).

...