Versions Compared

...

We propose adding two new operations, CREATE_TOKENS and DESCRIBE_TOKENS, on the Cluster resource, so that users can create tokens for other users and describe other users' tokens.

Owner, renewer and token requester principals can always renew, expire and describe their own tokens.


Operation                         Resource   API
CREATE_TOKENS (CreateTokens)      Cluster    createTokens for other users            // New
DESCRIBE_TOKENS (DescribeTokens)  Cluster    describeTokens for other users' tokens  // New
DESCRIBE (Describe)               Token      describeTokens for a given tokenId      // Existing

...

bin/kafka-delegation-token.sh --bootstrap-server broker1:9092 --create --owner-principal User:owner1 --renewer-principal User:renewer1 --max-life-time 1486750745585

Proposed Changes

Create Tokens:

Users with the CreateTokens permission on the Cluster resource can create tokens for other users. The token requester must be authenticated over one of the available secure channels (Kerberos, SCRAM, SSL) to create tokens for other users; a requester authenticated with a delegation token cannot create tokens.

Describe Tokens:

Users with the DescribeTokens permission on the Cluster resource can describe other users' tokens.

Token Details in Zookeeper

The storage format version of the token details properties will be updated to 2.

Delegation Token Details

// Delegation token details for tokenID token123; Zookeeper persistence path /tokenauth/tokens/token123
{
   "version": 2,                         // New
   "owner": "owner",
   "tokenRequester": "tokenRequester",   // New
   "renewer": "renewer",
   "issueTimestamp": "issueTimestamp",
   "maxTimestamp": "maxTimestamp",
   "expiryTimestamp": "expiryTimestamp",
   "tokenID": "UUID"
}
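The following Python model is an added illustration of the authorization rules in the Proposed Changes section together with the version-2 token-details record above; it is not Kafka's own code. It assumes a simplified ACL store (a set of principal/operation/resource grants), resource names written as "Cluster" and "Token:<tokenID>", and, since the page does not say how version-1 records are read back, it treats a version-1 record as requested by its owner.

```python
"""Model of the delegation-token authorization rules proposed on this page.

Added example, not Kafka's implementation. Assumptions: ACLs are a set of
(principal, operation, resource) tuples; resources are the strings "Cluster"
and "Token:<tokenID>"; a version-1 record (no tokenRequester) is treated as
requested by its owner.
"""
import json
from dataclasses import dataclass

# Authentication mechanisms as the page groups them: secure channels that may
# be used to request tokens for others, versus delegation-token authentication,
# which may not be used to create tokens at all.
SECURE_CHANNELS = {"KERBEROS", "SCRAM", "SSL"}
TOKEN_AUTH = "DELEGATION_TOKEN"


@dataclass(frozen=True)
class TokenDetails:
    version: int
    owner: str
    token_requester: str
    renewer: str
    token_id: str


def parse_token_details(raw: str) -> TokenDetails:
    """Parse the persisted token-details JSON (format versions 1 and 2).

    Version 2 adds "tokenRequester". For version 1 the requester field does not
    exist, so (assumption) the owner is used as the requester.
    """
    d = json.loads(raw)
    version = int(d["version"])
    if version >= 2:
        requester = d.get("tokenRequester", d["owner"])
    else:
        requester = d["owner"]
    return TokenDetails(version, d["owner"], requester, d["renewer"], d["tokenID"])


def has_acl(acls, principal, operation, resource) -> bool:
    return (principal, operation, resource) in acls


def can_create_token(acls, requester, auth_mechanism, owner) -> bool:
    """createTokens decision.

    A requester authenticated with a delegation token is always refused. A
    token for oneself needs no extra ACL; a token for another owner needs the
    CREATE_TOKENS operation on the Cluster resource and a secure-channel login.
    """
    if auth_mechanism == TOKEN_AUTH:
        return False
    if owner == requester:
        return True
    return (auth_mechanism in SECURE_CHANNELS
            and has_acl(acls, requester, "CREATE_TOKENS", "Cluster"))


def can_describe_token(acls, principal, token: TokenDetails) -> bool:
    """describeTokens decision for a single token.

    Owner, renewer and requester always see their own token. Anyone else needs
    DESCRIBE_TOKENS on Cluster (new) or DESCRIBE on that Token resource (existing).
    """
    if principal in (token.owner, token.renewer, token.token_requester):
        return True
    return (has_acl(acls, principal, "DESCRIBE_TOKENS", "Cluster")
            or has_acl(acls, principal, "DESCRIBE", "Token:" + token.token_id))


# Constructed sample record in the version-2 layout shown on the page.
SAMPLE_TOKEN_JSON = json.dumps({
    "version": 2,
    "owner": "User:owner1",
    "tokenRequester": "User:requester1",
    "renewer": "User:renewer1",
    "issueTimestamp": 1486750745585,
    "maxTimestamp": 1487355545585,
    "expiryTimestamp": 1486837145585,
    "tokenID": "token123",
})

# Constructed sample ACLs.
SAMPLE_ACLS = {
    ("User:requester1", "CREATE_TOKENS", "Cluster"),
    ("User:auditor", "DESCRIBE_TOKENS", "Cluster"),
    ("User:app1", "DESCRIBE", "Token:token123"),
}


def evaluate_samples() -> dict:
    """Run the sample principals through both checks and return the decisions."""
    tok = parse_token_details(SAMPLE_TOKEN_JSON)
    return {
        "requester1 creates for owner1 over Kerberos":
            can_create_token(SAMPLE_ACLS, "User:requester1", "KERBEROS", "User:owner1"),
        "requester1 creates for owner1 with token auth":
            can_create_token(SAMPLE_ACLS, "User:requester1", TOKEN_AUTH, "User:owner1"),
        "other creates for owner1 without ACL":
            can_create_token(SAMPLE_ACLS, "User:other", "SCRAM", "User:owner1"),
        "auditor describes token123": can_describe_token(SAMPLE_ACLS, "User:auditor", tok),
        "stranger describes token123": can_describe_token(SAMPLE_ACLS, "User:stranger", tok),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_samples().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

Running the block prints one ALLOW/DENY line per sample case; the interesting denials are the requester who logged in with a delegation token and the principal who holds no CREATE_TOKENS grant, both of which the page rules out even though the target owner is a different user.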

...