THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
This page is meant as a template for writing a KIP. To create a KIP choose Tools->Copy on this page and modify with your content and replace the heading with the next KIP number and a description of your issue. Replace anything in italics with your own description.
Status
Current state: "Under Discussion"Accepted
Discussion thread: here
JIRA:
| Jira | ||||||
|---|---|---|---|---|---|---|
|
...
| Code Block | ||
|---|---|---|
| ||
{
"apiKey": 41,
"type": "response",
"name": "DescribeDelegationTokenResponse",
// Starting in version 1, on quota violation, brokers send out responses before throttling.
// Version 2 adds flexible version support
// Version 3 adds the token requester details
"validVersions": "0-3",
"flexibleVersions": "2+",
"fields": [
{ "name": "ErrorCode", "type": "int16", "versions": "0+",
"about": "The error code, or 0 if there was no error." },
{ "name": "Tokens", "type": "[]DescribedDelegationToken", "versions": "0+",
"about": "The tokens.", "fields": [
{ "name": "PrincipalType", "type": "string", "versions": "0+",
"about": "The token principal type." },
{ "name": "PrincipalName", "type": "string", "versions": "0+",
"about": "The token principal name." },
{ "name": "TokenRequesterPrincipalType", "type": "string", "versions": "23+",
"about": "The principal type of the requester of the token." },
{ "name": "TokenRequesterPrincipalName", "type": "string", "versions": "23+",
"about": "The principal type of the requester of the token." },
{ "name": "IssueTimestamp", "type": "int64", "versions": "0+",
"about": "The token issue timestamp in milliseconds." },
{ "name": "ExpiryTimestamp", "type": "int64", "versions": "0+",
"about": "The token expiry timestamp in milliseconds." },
{ "name": "MaxTimestamp", "type": "int64", "versions": "0+",
"about": "The token maximum timestamp length in milliseconds." },
{ "name": "TokenId", "type": "string", "versions": "0+",
"about": "The token ID." },
{ "name": "Hmac", "type": "bytes", "versions": "0+",
"about": "The token HMAC." },
{ "name": "Renewers", "type": "[]DescribedDelegationTokenRenewer", "versions": "0+",
"about": "Those who are able to renew this token before it expires.", "fields": [
{ "name": "PrincipalType", "type": "string", "versions": "0+",
"about": "The renewer principal type" },
{ "name": "PrincipalName", "type": "string", "versions": "0+",
"about": "The renewer principal name" }
]}
]},
{ "name": "ThrottleTimeMs", "type": "int32", "versions": "0+",
"about": "The duration in milliseconds for which the request was throttled due to a quota violation, or zero if the request did not violate any quota." }
]
}
|
...
To represent the new User resource type we have to modify the AclCommand slightly and add a new option called --usersuser-principal . This would have a semicolon separated list of users as parameterrepresents a user principal of principal type "User". By specifying this parameter we would control (allow or deny) the token requester principal to create or describe tokens of those owner usersfor the user-principal.
For instance:
| Code Block | ||
|---|---|---|
| ||
>> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:tokenRequester --allow-host * --operation CreateTokens --user-principal "owner1" |
...
The version of CreateAcl, DescribeAcl and DeleteAcl will be increased to avoid serialization errors in case of older brokers which can't handle the newly added User resource type. This way the client can reject a request that the broker doesn't support.
Proposed Changes
Create/Renew Tokens:
...