Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents


Current state["DISCUSSION"]. Accepted

Discussion thread: here



getDelegationToken(request: DelegationTokenRequestCreateDelegationTokenRequest):  CreateDelegationTokenResponse

class DelegationTokenRequestCreateDelegationTokenRequest(renewer: Set[KafkaPrincipal] = Set.empty, maxLifeTime: long = -1)

class DelegationTokenResponseCreateDelegationTokenResponse(ownerissueTimeMillis:  KafkaPrincipallong expiryTimeMillisexpiryTimeMillis: long, renewer: Set[KafkaPrincipal], maxLifeTime:  maxLifeTime: long, tokenId: String, hmac: byte[])  

renewDelegationToken(request: RenewDelegationTokenRequest):  DelegationTokenResponseRenewDelegationTokenResponse

class RenewDelegationTokenRequest(hmac: byte[], expiryTimeMillis: long) 

expireToken(request: ExpireTokenRequestExpireDelegationTokenRequest): ExpireDelegationTokenResponse

class ExpireTokenRequestExpireDelegationTokenRequest(hmac: byte[], expireAt: long  = Systemtime.currentTimeMillis) 

Protocol changes


describeToken(request: DescribeDelegationTokenRequest): DescribeDelegationTokenResponse

class DescribeDelegationTokenRequest(owner: Set[KafkaPrincipal] ) 

Protocol changes

Code Block
Code Block
DelegationTokenRequest => [Renewer] MaxDateMs
  Renewer => string
  MaxDateMs => INT64




Renewer is an Kafka PrincipalType+name string, who is allowed to renew this token before the max lifetime expires.  If Renewer list is empty, then Renewer will default to the owner (Principal which requested this token).

Max lifetime for the token in milliseconds. If the value is -1, then MaxLifeTime will default to a server side config value (
Code Block
DelegationTokenResponseCreateDelegationTokenResponse => ErrorCode TokenDetails
  ErrorCode => INT16
  TokenDetails =>  IssueDateMs ExpiryDateMs MaxDateMs TokenId HMAC 
    IssueDateMs  => INT64
    ExpiryDateMs => INT64
    MaxDateMs => INT64	
    TokenId => String 
    HMAC => bytes




timestamp (in msec) when this token was generated. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).

timestamp (in msec) at which this token expires. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).

Sequence number to ensure uniqueness 


max life timestamp (in msec) of this token. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).


Sequence number to ensure uniqueness 

Keyed-hash message authentication code


* TokenNotFoundException 
Code Block
ExpireTokenRequestExpireDelegationTokenRequest => HMAC expiryDateMs
  HMAC => bytes
  ExpiryDateMs => INT64




HMAC of the delegation token to be renewed

Expiry time period in milliseconds. If the value is -1, then the token will get invalidated immediately.


Code Block
ExpireTokenResponseExpireDelegationTokenResponse => ErrorCode
  ErroCode => INT32
  ExpiryDateMs => INT64


* TokenNotFoundException 


Code Block
DescribeTokenRequestDescribeDelegationTokenRequest => [Owner]
    Owner => String




Kakfa Principal which requested the delegation token. If the Owner list is null (i.e., length is -1), the response contains all the allowed tokens

from all owners


. If Owner list is empty, the response is empty list.

Code Block
DescribeTokenResponseDescribeDelegationTokenResponse => ErrorCode [TokenDetails]
  ErrorCode => INT16
  TokenDetails => Owner IssueDateMs ExpiryDateMs TokenId HMAC [Renewer]
    Owner => String
    IssueDateMs  => INT64
    ExpiryDateMs => INT64
    MaxDateMs => INT64	
    TokenId => String 
    HMAC => bytes
    Renewer => String




Kakfa Principal which requested the delegation token


timestamp (in msec) when this token was generated. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).

max life timestamp (in msec) of this token. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).

timestamp (in msec) at which this token expires. Unit is milliseconds since the beginning of the epoch (midnight Jan 1, 1970 (UTC)).


Sequence number to ensure uniqueness 

Keyed-hash message authentication code
Renewers list



  • Owner ID -- Username that this token will authenticate as
  • Renewers ID -- designated renewers list
  • Issue date -- timestamp (in msec) when this token was generated
  • Expiry date -- timestamp (in msec) at which this token expires
  • Max Date - max life timestamp (in msec) of this token. 
  • TokenID – UUID to TokenID -- Sequence number to ensure uniqueness

TokenAuthenticator(HMAC) := HMAC_SHA1(master key, TokenID)

Authentication Token := (TokenDetails, TokenAuthenticator(HMAC))


The MasterKey/secret is used to generate and verify delegation tokens. This is supplied using config option. Same secret key must be configured across all the brokers. The current proposal does not support rotation of secret. If  If the secret is not set or set to empty string, brokers will disable the delegation token support. The current proposal does not support rotation of secret.

Procedure to manually rotate the secret:

We require a re-deployment when the secret needs to be rotated.

Token acquisition

During this process, already connected clients will continue to work. But any new connection requests and renew/expire requests with old tokens can fail.

  • expire all existing tokens
  • rotate the secret by rolling upgrade, and
  • generate new tokens

Token acquisition

Following steps describe how tokens Following steps describe how tokens can be acquired:

  • A  (Admin/DelegationToken) client connects with one of the kafka broker. Client must be authenticated using any of the available secure channels so it must have a way to authenticate, i.e. Kerberos keytab or TGT.

  • Once a client is authenticated, it will make a broker side call to issue a delegation token.  The request for delegation token will have to contain an optional renewer identity and max lifetime for token. The renewer is the user that is allowed to renew this token before the max lifetime expires. Renewer will default to the owner if not provided and Max life time will default to a server side config value (default  days) Brokers will allow a token to be renewed until maxLifeTime but a token will still expire if not renewed by the expiry time. The expiry time will be a broker side configuration and will default to min (24 hours, maxlifeTime) . A Delegation Token request can be represented as class DelegationTokenRequest(renewer: Set[KafkaPrincipal], maxLifeTime: long). The owner is implicit in the request connection as the user who requested the delegation token.

  • The broker generates a shared secret based on HMAC-SASM(a Password/Secret shared between all brokers, randomly generated tokenId). We can represent a token as scala case class DelegationToken(owner: KafkaPrincipal, renewer: Set[KafkaPrincipal], maxLifeTime: long, id: String, hmac: String, expirationTime: long)

  • Broker stores this token in its in memory cache. Broker also stores the DelegationToken without the hmac in the zookeeper. As all brokers share the Password/Secret to generate the HMAC-SASM, they can read the request info from zookeeper , generate the hmac and store the delegation token in local cache.

  • All brokers will have a cache backed by zookeeper so they will all get notified whenever a new token is generated and they will update their local cache whenever token state changes.

  • Broker returns the token to Client. Client is expected to only make delegation token request over an encrypted channel so the token in encrypted over the wire.

  • Client is free to distribute this token to other Kafka clients (Producer/Consumers). It is the client’s responsibility to distribute the token securely.


Token is stored in Zookeeper as properties in the path /tokenauthdelegation_token/tokens/<tokenUID>. S  During server startup and token creation, scram credentials are generated during token creation. We will use password=HMAC, iterations=4096 for scram credential generation.and stored in memory (TokenCache).  

Code Block
title Delegation Token Details
//Delegation Token Details for tokenID token123: Zookeeper persistence path /tokenauth/tokens/token123
   "owner" : "owner",
   "renewer" : "renewer",
   "issueDateissueTimestamp" : "issueDateissueTimestamp",
   "tokenIDmaxTimestamp" : "sequence-numbermaxTimestamp",
   //Store SCRAM credentials as per KIP-84
 "expiryTimestamp" : "expiryTimestamp",
   "credentialstokenID" : {
          "SCRAM-SHA-512" : "salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4S...==,server_key=...,iterations=4096",
          "SCRAM-SHA-256" : "salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096"

SCRAM Extensions

SCRAM messages have an optional extensions field which is a comma-separated list of key=value pairs.
After KIP-84 implementation , an extension will be added to the first client SCRAM message to indicate
that authentication is being requested for a delegation token. This will enable Kafka broker to obtain
credentials and principal using a different code path for delegation tokens.

JAAS configuration

Username/password specified in jass config are  tokenID and token hmac. tokenId is used to retrieve the principal and token hmac on server side.
Code Block
titleJAAS configuration for Clients
KafkaClient { required

DelegationToken Client

We will be providing a DelegationToken Client using which users can generate, renew and expire the tokens. This may part of AdminClient implementation  (KIP-4).


SCRAM Extensions

SCRAM messages have an optional extensions field which is a comma-separated list of key=value pairs.
After KIP-84 implementation , an extension will be added to the first client SCRAM message to indicate
that authentication is being requested for a delegation token. This will enable Kafka broker to obtain
credentials and principal using a different code path for delegation tokens.

JAAS configuration

Username/password specified in jass config are  tokenID and token hmac. tokenId is used to retrieve the principal and token hmac on server side.
Code Block
titleJAAS configuration for Clients
KafkaClient { required

DelegationToken Client

We will be providing a DelegationToken Client using which users can generate, renew and expire the tokens. This may part of AdminClient implementation  (KIP-4).

Code Block
public class DelegationTokenClient  {

    public TokenDetails generateToken(List<String> renewers, long maxLifeTime);

    public boolean renewToken(bytes[] hmac,  long renewPeriod);

    public boolean expireToken(bytes[] hmac, long expireTimeStamp);
Code Block
public class DelegationTokenClient  {

    public TokenDetailsboolean generateToken(List<String> renewers, long maxLifeTime);

    public boolean renewToken(bytesinvalidateToken(bytes[] hmac,  long renewPeriod);
    public booleanList<TokenDetails> expireToken(bytes[] hmac, long expireTimeStampdescribeTokens();

    public booleanvoid invalidateTokenclose(bytes[] hmac);
    public List<TokenDetails> describeTokens();

    public void close();


Command line tool

 We will provide a CLI to acquire delegation tokens, renew tokens and to invalidate/expire tokens. 

Changes to Java Clients (producer/consumer)

KIP-85 allows dynamic JAAS configuration for Kafka clients. After this we can easily configure the
delegation token for SCRAM-SHA-256 authentication.

Below diagram shows the steps required to use the delegation tokens.



Command line tool

We will provide a commandline script to acquire delegation tokens, renew tokens, invalidate/expire and to describe tokens. 

bin/ --bootstrap-server broker1:9092 --create --renewer renewer1,renewer2 --max-life-time 1486750745585
bin/ --bootstrap-server broker1:9092 --renew --hmac hmacString --renew-time-period 50745585
bin/ --bootstrap-server broker1:9092 --expire --hmac hmacString --expiry-time-period 50745585
bin/ --bootstrap-server broker1:9092 --describe --owner owner1,owner2

Changes to Java Clients (producer/consumer)

KIP-85 allows dynamic JAAS configuration for Kafka clients. After this we can easily configure the
delegation token for SCRAM-SHA-256 authentication.

Below diagram shows the steps required to use the delegation tokens.

Image Added


Currently, we only allow a user to create delegation token for that user only. Renew and expire requests should come from owner or renewers of the token. So we don't need ACLs for create/renew/expire requests.  

Owners and the renewers can always describe their own tokens. To describe others tokens, we can add DESCRIBE operation on Token Resource.  In future, when we extend the support to allow a user to acquire delegation tokens for other users, then we can enable CREATE/DELETE operations.








createToken (Will be introduced in a future release)


deleteToken (Will be introduced in a future release)


Q1. Is there any dependency on Hadoop APIs/Libraries?
