...
We would like to add two new operations, "CREATE_TOKENS" and "DESCRIBE_TOKENS", on the Cluster resource, to allow users to create tokens for other users and to describe other users' tokens.
Owners, renewers and token requester principals can always renew, expire and describe their own tokens.
Operation | Resource | API |
---|---|---|
CREATE_TOKENS | Cluster | createTokens for other users // New |
DESCRIBE_TOKENS | Cluster | describeTokens for other users' tokens // New |
DESCRIBE | Token | describeTokens for a given tokenId // Existing |
...
```
>> bin/kafka-delegation-token.sh --bootstrap-server broker1:9092 --create --owner-principal User:owner1 --renewer-principal User:renewer1 --max-life-time 1486750745585
```
Proposed Changes
Create Tokens:
Users with CREATE_TOKENS permission on the Cluster resource can create tokens for other users. The token requester must be authenticated over one of the available secure channels (Kerberos, SCRAM, SSL) to create tokens for other users; a session authenticated with a delegation token cannot be used to create tokens.
Describe Tokens:
Users with DESCRIBE_TOKENS permission on the Cluster resource can describe other users' tokens.
Token Details in ZooKeeper
The storage format version of the token details properties will be updated to 2.
```
// Delegation token details for tokenID token123: ZooKeeper persistence path /tokenauth/tokens/token123
{
  "version": 2,                          // New
  "owner": "owner",
  "tokenRequester": "tokenRequester",    // New
  "renewer": "renewer",
  "issueTimestamp": "issueTimestamp",
  "maxTimestamp": "maxTimestamp",
  "expiryTimestamp": "expiryTimestamp",
  "tokenID": "UUID"
}
```
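The access rules in "Create Tokens" and "Describe Tokens" above, together with the version-2 record format, as an added example in Python. This is not Kafka's own code: the `Session` and `TokenInfo` classes, the set-of-strings ACL representation and the helper names are assumptions, and the two token records are constructed samples. It shows the one backward-compatibility step a broker must take when reading a version-1 record (no `tokenRequester` field, so the requester is the owner) and how the Cluster-level operations gate access to other users' tokens.

```python
"""Version-aware parsing of the /tokenauth/tokens/<id> record plus the
CREATE_TOKENS / DESCRIBE_TOKENS access rules.  Added example; the data
model and ACL shape are assumptions, not Kafka's implementation."""
import json
from dataclasses import dataclass, field

# Constructed sample records: a pre-KIP version-1 record and a version-2
# record carrying the new "tokenRequester" field.
TOKEN_V1 = json.dumps({
    "version": 1,
    "owner": "User:owner1",
    "renewer": "User:renewer1",
    "issueTimestamp": 1486750745585,
    "maxTimestamp": 1486837145585,
    "expiryTimestamp": 1486837145585,
    "tokenID": "token123",
})
TOKEN_V2 = json.dumps({
    "version": 2,
    "owner": "User:owner1",
    "tokenRequester": "User:admin1",   # new in version 2
    "renewer": "User:renewer1",
    "issueTimestamp": 1486750745585,
    "maxTimestamp": 1486837145585,
    "expiryTimestamp": 1486837145585,
    "tokenID": "token456",
})


@dataclass
class TokenInfo:
    token_id: str
    owner: str
    token_requester: str
    renewer: str
    version: int


def parse_token(raw: str) -> TokenInfo:
    """Parse a token record.  Version-1 records predate tokenRequester;
    there the token was requested by its owner, so fill it from "owner"."""
    d = json.loads(raw)
    version = int(d.get("version", 1))
    if version not in (1, 2):
        raise ValueError(f"unsupported token record version {version}")
    requester = d["tokenRequester"] if version >= 2 else d["owner"]
    return TokenInfo(d["tokenID"], d["owner"], requester, d["renewer"], version)


@dataclass
class Session:
    """An authenticated client session (assumed shape).  cluster_acls holds the
    operation names this principal is allowed on the Cluster resource."""
    principal: str
    via_delegation_token: bool = False
    cluster_acls: set = field(default_factory=set)


def can_create_token_for(session: Session, owner: str) -> bool:
    """A delegation-token-authenticated session may not create tokens at all.
    Creating a token for oneself needs no extra ACL; creating one for another
    user needs CREATE_TOKENS on the Cluster resource."""
    if session.via_delegation_token:
        return False
    if owner == session.principal:
        return True
    return "CREATE_TOKENS" in session.cluster_acls


def can_describe_token(session: Session, token: TokenInfo) -> bool:
    """Owner, renewer and requester can always describe their own token;
    anyone else needs DESCRIBE_TOKENS on the Cluster resource."""
    if session.principal in (token.owner, token.renewer, token.token_requester):
        return True
    return "DESCRIBE_TOKENS" in session.cluster_acls


if __name__ == "__main__":
    admin = Session("User:admin1", cluster_acls={"CREATE_TOKENS"})
    print(parse_token(TOKEN_V1))
    print(parse_token(TOKEN_V2))
    print(can_create_token_for(admin, "User:owner1"))
    print(can_describe_token(admin, parse_token(TOKEN_V2)))
```

Note that after the upgrade the requester of a version-2 token is a distinct principal from the owner, so it gains describe rights on that token without any Cluster ACL; auditing who holds CREATE_TOKENS and DESCRIBE_TOKENS on the Cluster resource is therefore the relevant control.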
...