...

This page is meant as a template for writing a KIP. To create a KIP choose Tools->Copy on this page and modify with your content and replace the heading with the next KIP number and a description of your issue. Replace anything in italics with your own description.

Status

Current state: "Accepted"

Discussion thread: here 

JIRA: KAFKA-6945 (ASF JIRA)

...

Public Interfaces

Protocol Changes

CreateDelegationTokenRequest

We will bump the version of the CreateDelegationToken API (apiKey 38) to carry the owner principal in CreateDelegationTokenRequest and the token requester principal in CreateDelegationTokenResponse. Requests at older versions carry no owner fields; the broker then treats the token request principal as the owner, which preserves today's behaviour.

Code Block
{
  "apiKey": 38,
  "type": "request",
  "name": "CreateDelegationTokenRequest",
  // Version 1 is the same as version 0.
  //
  // Version 2 is the first flexible version.
  //
  // Version 3 adds the owner principal
  "validVersions": "0-3",
  "flexibleVersions": "2+",
  "fields": [
    { "name": "OwnerPrincipalType", "type": "string", "versions": "3+", "nullableVersions": "3+",
      "about": "The principal type of the owner of the token. If it's null it defaults to the token request principal." },
    { "name": "OwnerPrincipalName", "type": "string", "versions": "3+", "nullableVersions": "3+",
      "about": "The principal name of the owner of the token. If it's null it defaults to the token request principal." },
    { "name": "Renewers", "type": "[]CreatableRenewers", "versions": "0+",
      "about": "A list of those who are allowed to renew this token before it expires.", "fields": [
      { "name": "PrincipalType", "type": "string", "versions": "0+",
        "about": "The type of the Kafka principal." },
      { "name": "PrincipalName", "type": "string", "versions": "0+",
        "about": "The name of the Kafka principal." }
    ]},
    { "name": "MaxLifetimeMs", "type": "int64", "versions": "0+",
      "about": "The maximum lifetime of the token in milliseconds, or -1 to use the server side default." }
  ]
}
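As an added illustration (not code from the KIP or from Kafka), the following Python encoder/decoder walks the request schema above with Kafka's wire rules: a field whose "versions" range excludes the negotiated version is not on the wire at all, strings and arrays are int16/int32 length-prefixed below the first flexible version and compact varint-prefixed from v2 on, and every struct in a flexible version ends with a tagged-field section. It also applies the owner rule from the field documentation: an owner field that is absent (v0 to v2) or null (v3) falls back to the corresponding part of the requester principal. The schema transcription into Python, the per-field defaulting in effective_owner and the sample principals are assumptions made for the example.

```python
import io
import struct

# Transcription of the CreateDelegationTokenRequest schema above (example data, not Kafka's loader).
FLEXIBLE_FROM = 2
REQUEST_FIELDS = [
    {"name": "OwnerPrincipalType", "type": "string", "versions": "3+", "nullable": "3+"},
    {"name": "OwnerPrincipalName", "type": "string", "versions": "3+", "nullable": "3+"},
    {"name": "Renewers", "type": "[]struct", "versions": "0+", "fields": [
        {"name": "PrincipalType", "type": "string", "versions": "0+"},
        {"name": "PrincipalName", "type": "string", "versions": "0+"},
    ]},
    {"name": "MaxLifetimeMs", "type": "int64", "versions": "0+"},
]


def in_versions(spec, version):
    """Evaluate a Kafka 'versions' spec ('N+', 'N-M', 'none' or missing) for one version."""
    if spec is None or spec == "none":
        return False
    if spec.endswith("+"):
        return version >= int(spec[:-1])
    lo, hi = spec.split("-")
    return int(lo) <= version <= int(hi)


def write_uvarint(out, n):
    while n >= 0x80:
        out.write(bytes([(n & 0x7F) | 0x80]))
        n >>= 7
    out.write(bytes([n]))


def read_uvarint(inp):
    shift, result = 0, 0
    while True:
        b = inp.read(1)[0]
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result
        shift += 7


def write_string(out, s, flexible):
    data = None if s is None else s.encode("utf-8")
    if flexible:  # COMPACT_NULLABLE_STRING: varint(len + 1), 0 means null
        write_uvarint(out, 0 if data is None else len(data) + 1)
    else:         # NULLABLE_STRING: int16 length, -1 means null
        out.write(struct.pack(">h", -1 if data is None else len(data)))
    if data:
        out.write(data)


def read_string(inp, flexible):
    n = read_uvarint(inp) - 1 if flexible else struct.unpack(">h", inp.read(2))[0]
    return None if n < 0 else inp.read(n).decode("utf-8")


def encode_struct(out, fields, values, version):
    flexible = version >= FLEXIBLE_FROM
    for f in fields:
        if not in_versions(f["versions"], version):
            continue  # the field does not exist on the wire at this version
        v = values.get(f["name"])
        if f["type"] == "string":
            if v is None and not in_versions(f.get("nullable"), version):
                raise ValueError(f"{f['name']} is not nullable in v{version}")
            write_string(out, v, flexible)
        elif f["type"] == "int64":
            out.write(struct.pack(">q", v))
        elif f["type"] == "[]struct":
            if flexible:
                write_uvarint(out, len(v) + 1)
            else:
                out.write(struct.pack(">i", len(v)))
            for item in v:
                encode_struct(out, f["fields"], item, version)
    if flexible:
        write_uvarint(out, 0)  # empty tagged-field section closes every flexible struct


def decode_struct(inp, fields, version):
    flexible = version >= FLEXIBLE_FROM
    values = {}
    for f in fields:
        if not in_versions(f["versions"], version):
            continue
        if f["type"] == "string":
            values[f["name"]] = read_string(inp, flexible)
        elif f["type"] == "int64":
            values[f["name"]] = struct.unpack(">q", inp.read(8))[0]
        elif f["type"] == "[]struct":
            n = read_uvarint(inp) - 1 if flexible else struct.unpack(">i", inp.read(4))[0]
            values[f["name"]] = [decode_struct(inp, f["fields"], version) for _ in range(n)]
    if flexible:
        for _ in range(read_uvarint(inp)):  # skip any tagged fields (tag, size, payload)
            read_uvarint(inp)
            inp.read(read_uvarint(inp))
    return values


def encode_request(values, version):
    out = io.BytesIO()
    encode_struct(out, REQUEST_FIELDS, values, version)
    return out.getvalue()


def decode_request(data, version):
    inp = io.BytesIO(data)
    values = decode_struct(inp, REQUEST_FIELDS, version)
    if inp.read(1):
        raise ValueError("trailing bytes after request body")
    return values


def effective_owner(request, requester):
    """Owner rule from the field docs: absent or null owner parts default to the requester (assumption: per part)."""
    req_type, req_name = requester
    ptype = request.get("OwnerPrincipalType")
    pname = request.get("OwnerPrincipalName")
    return (req_type if ptype is None else ptype, req_name if pname is None else pname)
```

The v2 case is the one worth noticing: an owner supplied by a client that negotiated v2 is dropped from the wire because the field does not exist at that version, so a broker only ever sees an owner from a v3 request, and the fallback turns everything else into an ordinary self-issued token.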

...

Code Block
{
  "apiKey": 38,
  "type": "response",
  "name": "CreateDelegationTokenResponse",
  // Starting in version 1, on quota violation, brokers send out responses before throttling.
  //
  // Version 2 is the first flexible version.
  //
  // Version 3 adds the token requester principal
  "validVersions": "0-3",
  "flexibleVersions": "2+",
  "fields": [
    { "name": "ErrorCode", "type": "int16", "versions": "0+",
      "about": "The top-level error, or zero if there was no error."},
    { "name": "PrincipalType", "type": "string", "versions": "0+",
      "about": "The principal type of the token owner." },
    { "name": "PrincipalName", "type": "string", "versions": "0+",
      "about": "The name of the token owner." },
    { "name": "TokenRequesterPrincipalType", "type": "string", "versions": "3+",
      "about": "The principal type of the requester of the token." },
    { "name": "TokenRequesterPrincipalName", "type": "string", "versions": "3+",
      "about": "The principal name of the requester of the token." },
    { "name": "IssueTimestampMs", "type": "int64", "versions": "0+",
      "about": "When this token was generated." },
    { "name": "ExpiryTimestampMs", "type": "int64", "versions": "0+",
      "about": "When this token expires." },
    { "name": "MaxTimestampMs", "type": "int64", "versions": "0+",
      "about": "The maximum lifetime of this token." },
    { "name": "TokenId", "type": "string", "versions": "0+",
      "about": "The token UUID." },
    { "name": "Hmac", "type": "bytes", "versions": "0+",
      "about": "HMAC of the delegation token." },
    { "name": "ThrottleTimeMs", "type": "int32", "versions": "0+",
      "about": "The duration in milliseconds for which the request was throttled due to a quota violation, or zero if the request did not violate any quota." }
  ]
}

...

Code Block
{
  "apiKey": 41,
  "type": "response",
  "name": "DescribeDelegationTokenResponse",
  // Starting in version 1, on quota violation, brokers send out responses before throttling.
  // Version 2 adds flexible version support
  // Version 3 adds the token requester details
  "validVersions": "0-3",
  "flexibleVersions": "2+",
  "fields": [
    { "name": "ErrorCode", "type": "int16", "versions": "0+",
      "about": "The error code, or 0 if there was no error." },
    { "name": "Tokens", "type": "[]DescribedDelegationToken", "versions": "0+",
      "about": "The tokens.", "fields": [
      { "name": "PrincipalType", "type": "string", "versions": "0+",
        "about": "The token principal type." },
      { "name": "PrincipalName", "type": "string", "versions": "0+",
        "about": "The token principal name." },
      { "name": "TokenRequesterPrincipalType", "type": "string", "versions": "3+",
        "about": "The principal type of the requester of the token." },
      { "name": "TokenRequesterPrincipalName", "type": "string", "versions": "3+",
        "about": "The principal name of the requester of the token." },
      { "name": "IssueTimestamp", "type": "int64", "versions": "0+",
        "about": "The token issue timestamp in milliseconds." },
      { "name": "ExpiryTimestamp", "type": "int64", "versions": "0+",
        "about": "The token expiry timestamp in milliseconds." },
      { "name": "MaxTimestamp", "type": "int64", "versions": "0+",
        "about": "The token's maximum lifetime timestamp in milliseconds." },
      { "name": "TokenId", "type": "string", "versions": "0+",
        "about": "The token ID." },
      { "name": "Hmac", "type": "bytes", "versions": "0+",
        "about": "The token HMAC." },
      { "name": "Renewers", "type": "[]DescribedDelegationTokenRenewer", "versions": "0+",
        "about": "Those who are able to renew this token before it expires.", "fields": [
        { "name": "PrincipalType", "type": "string", "versions": "0+",
          "about": "The renewer principal type" },
        { "name": "PrincipalName", "type": "string", "versions": "0+",
          "about": "The renewer principal name" }
      ]}
    ]},
    { "name": "ThrottleTimeMs", "type": "int32", "versions": "0+",
      "about": "The duration in milliseconds for which the request was throttled due to a quota violation, or zero if the request did not violate any quota." }
  ]
}

...

Operation        Resource          API
CreateTokens     User              createTokens for other users               // New
DescribeTokens   User              describeTokens for other users' tokens     // New
Describe         DelegationToken   describeTokens for a given tokenId         // Existing
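The following Python model, added here and not part of the KIP or of Kafka's AclAuthorizer, evaluates the three rows of the table above against a small ACL set. Where this page's Proposed Changes section is elided, it assumes Kafka's existing rules: a Deny ACL takes precedence over an Allow, a resource name of "*" matches any resource, a principal needs no ACL to create a token for itself, and a token's owner, requester and renewers can describe it without any DelegationToken ACL. The principals, ACLs and tokens are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Principal:
    ptype: str  # e.g. "User"
    name: str


@dataclass(frozen=True)
class Acl:
    principal: Principal
    resource_type: str  # "User" (new in this KIP) or "DelegationToken" (existing)
    resource_name: str  # owner's principal name for User, tokenId for DelegationToken, "*" for all
    operation: str      # "CreateTokens", "DescribeTokens" or "Describe"
    permission: str = "Allow"  # "Allow" or "Deny"


@dataclass(frozen=True)
class Token:
    token_id: str
    owner: Principal
    requester: Principal
    renewers: frozenset = frozenset()


class Authorizer:
    """Minimal allow/deny matcher; deny wins (assumption: literal names plus the '*' wildcard only)."""

    def __init__(self, acls: Iterable[Acl]):
        self.acls = list(acls)

    def authorize(self, principal, operation, resource_type, resource_name) -> bool:
        matches = [a for a in self.acls
                   if a.principal == principal and a.operation == operation
                   and a.resource_type == resource_type
                   and a.resource_name in (resource_name, "*")]
        if any(a.permission == "Deny" for a in matches):
            return False
        return any(a.permission == "Allow" for a in matches)


def can_create_token(auth: Authorizer, requester: Principal, owner: Principal) -> bool:
    """Row 1: CreateTokens on User:<owner> is consulted only when owner != requester."""
    if owner == requester:
        return True  # assumption: a self-issued token needs authentication only, as before this KIP
    return auth.authorize(requester, "CreateTokens", "User", owner.name)


def can_describe_token(auth: Authorizer, requester: Principal, token: Token) -> bool:
    """Rows 2 and 3: DescribeTokens on User:<owner> (new) or Describe on DelegationToken:<tokenId> (existing)."""
    if requester in (token.owner, token.requester) or requester in token.renewers:
        return True  # assumption: parties to the token see it without an ACL
    return (auth.authorize(requester, "DescribeTokens", "User", token.owner.name)
            or auth.authorize(requester, "Describe", "DelegationToken", token.token_id))


def visible_tokens(auth: Authorizer, requester: Principal, tokens: Iterable[Token]) -> List[str]:
    return [t.token_id for t in tokens if can_describe_token(auth, requester, t)]


# Constructed sample data: a service that may mint tokens for anyone except bob.
ALICE = Principal("User", "alice")
BOB = Principal("User", "bob")
CAROL = Principal("User", "carol")
SERVICE = Principal("User", "tokenRequester")

SAMPLE_ACLS = [
    Acl(SERVICE, "User", "alice", "CreateTokens"),
    Acl(SERVICE, "User", "alice", "DescribeTokens"),
    Acl(SERVICE, "User", "*", "CreateTokens"),            # broad allow ...
    Acl(SERVICE, "User", "bob", "CreateTokens", "Deny"),  # ... with bob carved out; deny wins
    Acl(CAROL, "DelegationToken", "tok-2", "Describe"),   # the pre-KIP, per-token grant
]
SAMPLE_TOKENS = [
    Token("tok-1", owner=ALICE, requester=SERVICE),
    Token("tok-2", owner=BOB, requester=BOB, renewers=frozenset({ALICE})),
]

if __name__ == "__main__":
    auth = Authorizer(SAMPLE_ACLS)
    print("service -> alice:", can_create_token(auth, SERVICE, ALICE))
    print("service -> bob:", can_create_token(auth, SERVICE, BOB))
    print("service sees:", visible_tokens(auth, SERVICE, SAMPLE_TOKENS))
```

The User resource is what makes the Deny row meaningful: without it, the only way to stop a broadly authorised requester from minting tokens for one particular owner would be to drop the broad grant altogether.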

DelegationTokenCommand Changes

...

We will extend the kafka-delegation-tokens.sh script so that the "--create" option takes the owner principal from a new "--owner-principal" option; when it is omitted the token is created for the requesting principal, as today.

...

To represent the new User resource type we have to modify the AclCommand slightly and add a new option called --user-principal. Its argument is a user principal of principal type "User", namely the owner whose tokens are being created or described. By specifying this parameter we control (allow or deny) whether the token requester principal may create or describe tokens for that user principal.

For instance:

Code Block
>> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:tokenRequester --allow-host '*' --operation CreateTokens --user-principal "owner1"

Protocol Changes

The versions of the CreateAcls, DescribeAcls and DeleteAcls APIs will be bumped so that a client never sends the new User resource type to an older broker that cannot deserialize it: the client rejects the request up front instead of triggering a serialization error on the broker.

Proposed Changes

Create/Renew Tokens:

...