...

In this use case, a superuser with username 'superuser' wants to run Kafka clients on behalf of a user 'joe'. The 'superuser' has secure authentication credentials (Kerberos, SSL, SCRAM) but user 'joe' doesn't have any. The clients are required to run as user 'joe', and authorization is required to be done as user 'joe'. In this case, 'superuser' can get a delegation token for user 'joe' and use the generated token to run the Kafka clients. This mimics impersonation functionality, and helps stream processing frameworks and libraries (Apache Spark, Storm, Kafka Streams) run their jobs (Kafka clients) as the submitting users.

...

public class TokenInformation {

    private KafkaPrincipal owner;
    private KafkaPrincipal tokenRequester; // New: principal that requested the token on the owner's behalf
    private Collection<KafkaPrincipal> renewers;
    private long issueTimestamp;
    private long maxTimestamp;
    private long expiryTimestamp;
    private String tokenId;
    ....
    ....
    ....
}

...

Create Tokens:

Token requesters with 'CreateTokens' permission on the 'Cluster' resource can create tokens for other users. The token requester must be authenticated using any of the available secure channels (Kerberos, SCRAM, SSL) to create tokens for other users. The token requester cannot use delegation-token-based authentication for creating tokens.

Describe Tokens:

Users with 'DescribeTokens' permission on the 'Cluster' resource can describe others' tokens.
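
The create and describe rules above, applied to the 'superuser'/'joe' use case, as an added example that is not code from this proposal or from Kafka. The class, record and method names and the constructed ACL table are hypothetical, and the sketch assumes Java 16 or later for records.

```java
import java.util.Map;
import java.util.Set;

// Added illustration: every name below is hypothetical, not Kafka's own API.
public class TokenAuthzSketch {
    enum AuthMethod { KERBEROS, SCRAM, SSL, DELEGATION_TOKEN }

    // An authenticated connection: the principal and how it authenticated.
    record Session(String principal, AuthMethod method) {}

    // Mirrors the two principals the page puts in TokenInformation.
    record Token(String owner, String tokenRequester) {}

    // Constructed ACLs: principal -> operations allowed on the Cluster resource.
    static final Map<String, Set<String>> CLUSTER_ACLS = Map.of(
        "User:superuser", Set.of("CreateTokens", "DescribeTokens"));

    static boolean allowed(Session s, String op) {
        return CLUSTER_ACLS.getOrDefault(s.principal(), Set.of()).contains(op);
    }

    // Create-for-another-user rule: secure channel other than a delegation
    // token, plus 'CreateTokens' on Cluster. Returns null when denied.
    static Token createForOther(Session requester, String owner) {
        if (requester.method() == AuthMethod.DELEGATION_TOKEN) return null;
        if (!allowed(requester, "CreateTokens")) return null;
        return new Token(owner, requester.principal());
    }

    // Describe-others rule: 'DescribeTokens' on Cluster.
    static boolean canDescribeOthers(Session requester) {
        return allowed(requester, "DescribeTokens");
    }

    public static void main(String[] args) {
        Session su = new Session("User:superuser", AuthMethod.KERBEROS);
        Token t = createForOther(su, "User:joe");
        System.out.println("issued: " + t);

        // A client using the token acts, and is authorized, as the owner.
        Session asJoe = new Session(t.owner(), AuthMethod.DELEGATION_TOKEN);
        System.out.println("joe via token creates for bob: " + createForOther(asJoe, "User:bob"));
        System.out.println("joe describes others: " + canDescribeOthers(asJoe));

        // Even a privileged principal cannot mint tokens over token auth.
        Session suTok = new Session("User:superuser", AuthMethod.DELEGATION_TOKEN);
        System.out.println("superuser via token creates: " + createForOther(suTok, "User:joe"));
    }
}
```

Checking the authentication method before the ACL means a leaked token cannot be used to mint further tokens, whatever permissions its principal holds.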

...