Versions Compared

Old Version 2

changes.mady.by.user Manikumar Reddy O.

Saved on

compared with

New Version Current

changes.mady.by.user Manikumar Reddy O.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Current state["Under Discussion"]

Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread]

JIRA:here [Change the link from KAFKA-6447 1 to your own ticket]

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

The  KIP-48 added  added support for delegations delegation token based authentication mechanism.   This already implemented KIP-48/KAFKA-4541 implemented protocol request and response  response for Delegation delegation token operations. 

 This KIP is about adding these delegation token operations to the new Admin Client API.

...

The AdminClient API will have the following new methods added 

 
Code Block
AdminClient {
	//create delegation token with default options
	public CreateDelegationTokenResult createDelegationToken() 
 
    //create delegation token with supplied options
	public abstract CreateDelegationTokenResult createDelegationToken(CreateDelegationTokenOptions options)
 
    //renew delegation token with default options
	public RenewDelegationTokenResult renewDelegationToken(ByteBufferbyte[] hmac)
 
    //renew delegation token token with supplied options
	public abstract RenewDelegationTokenResult renewDelegationToken(ByteBufferbyte[] hmac, RenewDelegationTokenOptions options);
	
    //expire delegation token immediately
	public ExpireDelegationTokenResult expireDelegationToken(ByteBufferbyte[] hmac)
 
    //expire delegation token with supplied options
	public abstract ExpireDelegationTokenResult expireDelegationToken(ByteBufferbyte[] hmac, ExpireDelegationTokenOptions options);
	
    //returns all the user owned tokens and other tokens where user have Describe permission
	public DescribeDelegationTokenResult describeDelegationToken()
 
    //returns all the tokens for the given options
	public abstract DescribeDelegationTokenResult describeDelegationToken(DescribeDelegationTokenOptions options);
}
 

...

 

Proposed Changes

Describe the new thing you want to do in appropriate detail. This may be fairly extensive and have large subsections of its own. Or it may be a few sentences. Use judgement based on the scope of the change.

Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?
  • If we are changing behavior how will we phase out the older behavior?
  • If we need special migration tools, describe them here.
  • When will we remove the existing behavior?

Rejected Alternatives

CreateDelegationTokenResult's future objects can return the following exceptions:
 Code Block
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
INVALID_PRINCIPAL_TYPE
DELEGATION_TOKEN_AUTH_DISABLED

RenewDelegationTokenResult and ExpireDelegationTokenResult's future objects can the throw the follwoing exceptions:
 Code Block
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
DELEGATION_TOKEN_AUTH_DISABLED
DELEGATION_TOKEN_OWNER_MISMATCH
DELEGATION_TOKEN_EXPIRED
DELEGATION_TOKEN_NOT_FOUND

DescribeDelegationTokenResult's future object can the throw the follwoing exceptions:
 Code Block
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
DELEGATION_TOKEN_AUTH_DISABLED
Proposed Changes
The following classes will be added. 
CreateDelegationTokenResult, CreateDelegationTokenOptions
RenewDelegationTokenResult, RenewDelegationTokenOptions
ExpireDelegationTokenResult, ExpireDelegationTokenOptions
DescribeDelegationTokenResult, DescribeDelegationTokenOptions
 
 Code Block
public class CreateDelegationTokenResult {
    private final KafkaFuture<DelegationToken> delegationToken;

    CreateDelegationTokenResult(KafkaFuture<DelegationToken> delegationToken) {
        this.delegationToken = delegationToken;
    }

    /**
     * Returns a future which yields a delegation token
     */
    public KafkaFuture<DelegationToken> delegationToken() {
        return delegationToken;
    }
}
 
public class CreateDelegationTokenOptions extends AbstractOptions<CreateDelegationTokenOptions> {
    // default value is -1, This will default the token maxLifeTime to server side config value (delegation.token.max.lifetime.ms).
    private long maxLifeTimeMs = -1;
    private List<KafkaPrincipal> renewers =  new LinkedList<>();

    public CreateDelegationTokenOptions renewers(List<KafkaPrincipal> renewers) {
        this.renewers = renewers;
        return this;
    }

    public List<KafkaPrincipal> renewers() {
        return renewers;
    }

    public CreateDelegationTokenOptions maxlifeTimeMs(long maxLifeTimeMs) {
        this.maxLifeTimeMs = maxLifeTimeMs;
        return this;
    }

    public long maxlifeTimeMs() {
        return maxLifeTimeMs;
    }
}
 
public class RenewDelegationTokenResult {
    private final KafkaFuture<Long> expiryTimestamp;

    RenewDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
        this.expiryTimestamp = expiryTimestamp;
    }

    /**
     * Returns a future which yields expiry timestamp
     */
    public KafkaFuture<Long> expiryTimestamp() {
        return expiryTimestamp;
    }
}
 
public class RenewDelegationTokenOptions extends AbstractOptions<RenewDelegationTokenOptions> {
    // default value is -1. This will default the Renew Time period to a server side config value (delegation.token.expiry.time.ms).
    private long renewTimePeriodMs = -1;

    public RenewDelegationTokenOptions renewTimePeriodMs(long renewTimePeriodMs) {
        this.renewTimePeriodMs = renewTimePeriodMs;
        return this;
    }

    public long renewTimePeriodMs() {
        return renewTimePeriodMs;
    }
}
 
public class ExpireDelegationTokenResult {
    private final KafkaFuture<Long> expiryTimestamp;

    ExpireDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
        this.expiryTimestamp = expiryTimestamp;
    }

    /**
     * Returns a future which yields expiry timestamp
     */
    public KafkaFuture<Long> expiryTimestamp() {
        return expiryTimestamp;
    }
}


public class ExpireDelegationTokenOptions extends AbstractOptions<ExpireDelegationTokenOptions> {
	//default value is -1. This token will get invalidated immediately
    private long expiryTimePeriodMs = -1;

    public ExpireDelegationTokenOptions expiryTimePeriodMs(long expiryTimePeriodMs) {
        this.expiryTimePeriodMs = expiryTimePeriodMs;
        return this;
    }

    public long expiryTimePeriodMs() {
        return expiryTimePeriodMs;
    }
}


public class DescribeDelegationTokenResult {
    private final KafkaFuture<List<DelegationToken>> delegationTokens;

    DescribeDelegationTokenResult(KafkaFuture<List<DelegationToken>> delegationTokens) {
        this.delegationTokens = delegationTokens;
    }

    /**
     * Returns a future which yields list of delegation tokens
     */
    public KafkaFuture<List<DelegationToken>> delegationTokens() {
        return delegationTokens;
    }
}
 
public class DescribeDelegationTokenOptions extends AbstractOptions<DescribeDelegationTokenOptions> {
   //default null vaule indicates to return all the allowed tokens 
   private List<KafkaPrincipal> owners;

    public DescribeDelegationTokenOptions owners(List<KafkaPrincipal> owners) {
        this.owners = owners;
        return this;
    }

    public List<KafkaPrincipal> owners() {
        return owners;
    }


 
Compatibility, Deprecation, and Migration Plan
  • This is a new API and won't affect existing users.
Rejected Alternatives
 If there are alternative ways of accomplishing the same thing, what were they? The purpose of this section is to motivate why the design is the way it is and not some other way.