
...

Current state["Under Discussion"]

Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread]

JIRA: KAFKA-6447 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

KIP-48 added support for a delegation-token-based authentication mechanism. KIP-48/KAFKA-4541 already implemented the protocol requests and responses for delegation token operations.

...

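/**
 * Delegation token operations this proposal adds to the admin client; only those methods are
 * listed here.
 *
 * <p>The {@code hmac} arguments are the token's HMAC. Renew and expire identify the token by
 * that value alone, so hold it like any other credential: keep it out of logs and exception
 * messages.
 */
public abstract class AdminClient {
    /** Creates a delegation token with default options. */
    public CreateDelegationTokenResult createDelegationToken() {
        return createDelegationToken(new CreateDelegationTokenOptions());
    }

    /** Creates a delegation token with the supplied options. */
    public abstract CreateDelegationTokenResult createDelegationToken(CreateDelegationTokenOptions options);

    /** Renews the delegation token identified by {@code hmac} with default options. */
    public RenewDelegationTokenResult renewDelegationToken(byte[] hmac) {
        return renewDelegationToken(hmac, new RenewDelegationTokenOptions());
    }

    /** Renews the delegation token identified by {@code hmac} with the supplied options. */
    public abstract RenewDelegationTokenResult renewDelegationToken(byte[] hmac, RenewDelegationTokenOptions options);

    /**
     * Expires the delegation token identified by {@code hmac} immediately (the default
     * expiry period of -1 invalidates the token at once).
     */
    public ExpireDelegationTokenResult expireDelegationToken(byte[] hmac) {
        return expireDelegationToken(hmac, new ExpireDelegationTokenOptions());
    }

    /** Expires the delegation token identified by {@code hmac} with the supplied options. */
    public abstract ExpireDelegationTokenResult expireDelegationToken(byte[] hmac, ExpireDelegationTokenOptions options);

    /**
     * Returns all tokens owned by the user, plus other tokens on which the user has
     * Describe permission.
     */
    public DescribeDelegationTokenResult describeDelegationToken() {
        return describeDelegationToken(new DescribeDelegationTokenOptions());
    }

    /** Returns all the tokens selected by the given options. */
    public abstract DescribeDelegationTokenResult describeDelegationToken(DescribeDelegationTokenOptions options);
}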
 
CreateDelegationTokenResult's future objects can return the following exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
INVALID_PRINCIPAL_TYPE
DELEGATION_TOKEN_AUTH_DISABLED

RenewDelegationTokenResult and ExpireDelegationTokenResult's future objects can throw the following exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
DELEGATION_TOKEN_AUTH_DISABLED
DELEGATION_TOKEN_OWNER_MISMATCH
DELEGATION_TOKEN_EXPIRED
DELEGATION_TOKEN_NOT_FOUND

DescribeDelegationTokenResult's future object can throw the following exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
DELEGATION_TOKEN_AUTH_DISABLED

Proposed Changes

The following classes will be added. 

...

/**
 * Result of a create-delegation-token call: a holder for the future that will yield the
 * new token.
 *
 * <p>The token is an authentication credential, so keep whatever the future yields out of
 * logs and error messages.
 */
public class CreateDelegationTokenResult {
    // Future supplied by the constructor's caller; handed out as-is.
    private final KafkaFuture<DelegationToken> tokenFuture;

    /** Package-private: only code in this package builds results. */
    CreateDelegationTokenResult(KafkaFuture<DelegationToken> delegationToken) {
        tokenFuture = delegationToken;
    }

    /**
     * Returns a future which yields a delegation token.
     *
     * @return the future passed to the constructor
     */
    public KafkaFuture<DelegationToken> delegationToken() {
        return tokenFuture;
    }
}
 
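/**
 * Options for creating a delegation token: the principals named as renewers and the
 * requested maximum lifetime.
 */
public class CreateDelegationTokenOptions extends AbstractOptions<CreateDelegationTokenOptions> {
    // -1 means "not set": the token's maximum lifetime then defaults to the server-side
    // config value (delegation.token.max.lifetime.ms).
    private long maxLifeTimeMs = -1;
    // Principals named as renewers of the token; empty by default.
    private List<KafkaPrincipal> renewers = new LinkedList<>();

    /**
     * Sets the renewers for the token.
     *
     * <p>The list is copied, so a caller that keeps modifying its own list afterwards
     * cannot change who is named as a renewer once the options have been configured.
     * A {@code null} argument is treated as "no renewers".
     *
     * @param renewers principals to name as renewers; may be {@code null}
     * @return this options object, for chaining
     */
    public CreateDelegationTokenOptions renewers(List<KafkaPrincipal> renewers) {
        List<KafkaPrincipal> copy = new LinkedList<>();
        if (renewers != null) {
            copy.addAll(renewers);
        }
        this.renewers = copy;
        return this;
    }

    /**
     * @return the renewers currently configured; never {@code null}
     */
    public List<KafkaPrincipal> renewers() {
        return renewers;
    }

    /**
     * Sets the requested maximum lifetime of the token.
     *
     * @param maxLifeTimeMs lifetime in milliseconds, or -1 to use the server-side default
     * @return this options object, for chaining
     */
    public CreateDelegationTokenOptions maxlifeTimeMs(long maxLifeTimeMs) {
        this.maxLifeTimeMs = maxLifeTimeMs;
        return this;
    }

    /**
     * @return the requested maximum lifetime in milliseconds, or -1 if not set
     */
    public long maxlifeTimeMs() {
        return maxLifeTimeMs;
    }
}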
 
/**
 * Result of a renew-delegation-token call: a holder for the future that will yield the
 * token's expiry timestamp.
 */
public class RenewDelegationTokenResult {
    // Future supplied by the constructor's caller; handed out as-is.
    private final KafkaFuture<Long> expiryFuture;

    /** Package-private: only code in this package builds results. */
    RenewDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
        expiryFuture = expiryTimestamp;
    }

    /**
     * Returns a future which yields expiry timestamp.
     *
     * @return the future passed to the constructor
     */
    public KafkaFuture<Long> expiryTimestamp() {
        return expiryFuture;
    }
}
 
/**
 * Options for renewing a delegation token.
 */
public class RenewDelegationTokenOptions extends AbstractOptions<RenewDelegationTokenOptions> {
    // Starts at -1, which makes the renew time period default to the server-side config
    // value (delegation.token.expiry.time.ms).
    private long periodMs = -1;

    /**
     * Sets the renew time period.
     *
     * @param renewTimePeriodMs period in milliseconds, or -1 for the server-side default
     * @return this options object, for chaining
     */
    public RenewDelegationTokenOptions renewTimePeriodMs(long renewTimePeriodMs) {
        periodMs = renewTimePeriodMs;
        return this;
    }

    /**
     * @return the configured renew time period in milliseconds, or -1 if not set
     */
    public long renewTimePeriodMs() {
        return periodMs;
    }
}
 
/**
 * Result of an expire-delegation-token call: a holder for the future that will yield the
 * token's expiry timestamp.
 */
public class ExpireDelegationTokenResult {
    // Future supplied by the constructor's caller; handed out as-is.
    private final KafkaFuture<Long> expiryFuture;

    /** Package-private: only code in this package builds results. */
    ExpireDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
        expiryFuture = expiryTimestamp;
    }

    /**
     * Returns a future which yields expiry timestamp.
     *
     * @return the future passed to the constructor
     */
    public KafkaFuture<Long> expiryTimestamp() {
        return expiryFuture;
    }
}


/**
 * Options for expiring a delegation token.
 */
public class ExpireDelegationTokenOptions extends AbstractOptions<ExpireDelegationTokenOptions> {
    // Starts at -1, with which the token gets invalidated immediately.
    private long periodMs = -1;

    /**
     * Sets the expiry time period.
     *
     * @param expiryTimePeriodMs period in milliseconds, or -1 to invalidate the token immediately
     * @return this options object, for chaining
     */
    public ExpireDelegationTokenOptions expiryTimePeriodMs(long expiryTimePeriodMs) {
        periodMs = expiryTimePeriodMs;
        return this;
    }

    /**
     * @return the configured expiry time period in milliseconds, or -1 if not set
     */
    public long expiryTimePeriodMs() {
        return periodMs;
    }
}


/**
 * Result of a describe-delegation-token call: a holder for the future that will yield the
 * matching tokens.
 */
public class DescribeDelegationTokenResult {
    // Future supplied by the constructor's caller; handed out as-is.
    // NOTE(review): if DelegationToken carries the token's HMAC, the yielded list holds a
    // credential for every token returned. Confirm, and keep the list out of logs if so.
    private final KafkaFuture<List<DelegationToken>> tokensFuture;

    /** Package-private: only code in this package builds results. */
    DescribeDelegationTokenResult(KafkaFuture<List<DelegationToken>> delegationTokens) {
        tokensFuture = delegationTokens;
    }

    /**
     * Returns a future which yields list of delegation tokens.
     *
     * @return the future passed to the constructor
     */
    public KafkaFuture<List<DelegationToken>> delegationTokens() {
        return tokensFuture;
    }
}
 
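/**
 * Options for describing delegation tokens: an optional filter on token owners.
 */
public class DescribeDelegationTokenOptions extends AbstractOptions<DescribeDelegationTokenOptions> {
    // Default null value indicates to return all the allowed tokens.
    private List<KafkaPrincipal> owners;

    /**
     * Sets the owners whose tokens should be described.
     *
     * <p>A non-null list is copied, so later changes to the caller's list cannot widen or
     * narrow the filter after the options have been configured. {@code null} is stored
     * as-is because it carries the "all allowed tokens" meaning.
     *
     * @param owners owners to filter on, or {@code null} for all the allowed tokens
     * @return this options object, for chaining
     */
    public DescribeDelegationTokenOptions owners(List<KafkaPrincipal> owners) {
        if (owners == null) {
            this.owners = null;
        } else {
            List<KafkaPrincipal> copy = new LinkedList<>();
            copy.addAll(owners);
            this.owners = copy;
        }
        return this;
    }

    /**
     * @return the configured owners, or {@code null} when all the allowed tokens are requested
     */
    public List<KafkaPrincipal> owners() {
        return owners;
    }
}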

 

Compatibility, Deprecation, and Migration Plan

...