...

  • A client connects to one of the Kafka brokers. The client must be authenticated over one of the available secure channels, so it must have a way to authenticate, e.g. a Kerberos keytab or TGT.

  • Once a client is authenticated, it makes a broker-side call to issue a delegation token. The request carries an optional renewer identity and a max lifetime for the token. The renewer is the user allowed to renew this token before the max lifetime expires; it defaults to the owner if not provided. If no max lifetime is provided the token can be renewed forever, but it will still expire if it is not renewed by the expiry time. The expiry time is a broker-side configuration and defaults to min(24 hours, max lifetime). A delegation token request can be represented as class DelegationTokenRequest(renewer: option(KafkaPrincipal) = None, maxLifeTime: long = -1). The owner is implicit in the request connection: it is the user who requested the delegation token.

  • The broker generates a shared secret as HMAC-SHA256(a password/secret shared between all brokers, a randomly generated tokenId). A token can be represented as the Scala case class DelegationToken(owner: KafkaPrincipal, renewer: KafkaPrincipal, maxLifeTime: long, id: String, hmac: String, expirationTime: long).

  • The broker stores this token in its in-memory cache and also stores the DelegationToken in ZooKeeper. Storing the full token there is unsafe because ZooKeeper does not support SSL, so the token itself would be transferred over the wire without encryption. An alternative is to store the DelegationToken without the hmac in ZooKeeper. Since all brokers share the password/secret used to generate the HMAC-SHA256, each broker can read the token info from ZooKeeper, regenerate the hmac and store the full delegation token in its local cache.

  • All brokers have a cache backed by ZooKeeper, so they are all notified whenever a new token is generated and update their local cache whenever token state changes.

  • The broker returns the token to the client. The client is expected to make delegation token requests only over an encrypted channel, so the token is encrypted on the wire.

  • The client is free to distribute this token to other clients. It is the client's responsibility to distribute the token securely.
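The issue / store-without-hmac / recompute / verify / renew flow above, modelled in Python as an added illustration (not code from the KIP or from Kafka). It assumes timestamps and lifetimes in milliseconds, that maxLifeTime in the request is a duration relative to issue time, and a 24-hour broker-side default expiry; the shared broker secret is a constructed value.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, replace, asdict

DAY_MS = 24 * 60 * 60 * 1000  # assumed broker-side default token expiry

@dataclass(frozen=True)
class DelegationToken:
    owner: str
    renewer: str
    max_life_time: int    # absolute ms timestamp after which renewal is refused; -1 = unlimited
    id: str
    hmac: str             # hex(HMAC-SHA256(shared broker secret, id)) - the secret part
    expiration_time: int  # absolute ms timestamp; token is unusable after this unless renewed

def compute_hmac(shared_secret: bytes, token_id: str) -> str:
    return hmac.new(shared_secret, token_id.encode(), hashlib.sha256).hexdigest()

def issue_token(shared_secret, owner, now_ms, renewer=None, max_life_time=-1):
    """Broker side: renewer defaults to owner, expiry = now + min(24h, max lifetime)."""
    token_id = secrets.token_hex(16)
    max_abs = -1 if max_life_time < 0 else now_ms + max_life_time
    expiry = now_ms + (DAY_MS if max_life_time < 0 else min(DAY_MS, max_life_time))
    return DelegationToken(owner, renewer or owner, max_abs, token_id,
                           compute_hmac(shared_secret, token_id), expiry)

def to_zookeeper(token):
    """Record written to ZooKeeper: everything except the hmac, which never leaves the broker."""
    return {k: v for k, v in asdict(token).items() if k != "hmac"}

def from_zookeeper(shared_secret, record):
    """Any broker rebuilds the full token for its local cache by recomputing the hmac."""
    return DelegationToken(hmac=compute_hmac(shared_secret, record["id"]), **record)

def authenticate(cache, token_id, presented_hmac, now_ms):
    """Client presents (id, hmac); broker checks cache membership, expiry, then hmac in constant time."""
    token = cache.get(token_id)
    if token is None or now_ms >= token.expiration_time:
        return False
    return hmac.compare_digest(token.hmac, presented_hmac)

def renew(token, principal, now_ms):
    """Only the renewer may extend expiry, only before it lapses, and never past max lifetime."""
    if principal != token.renewer or now_ms >= token.expiration_time:
        return None
    if token.max_life_time != -1 and now_ms >= token.max_life_time:
        return None
    new_expiry = now_ms + DAY_MS
    if token.max_life_time != -1:
        new_expiry = min(new_expiry, token.max_life_time)
    return replace(token, expiration_time=new_expiry)
```

A broker holding a different shared secret recomputes a different hmac from the same ZooKeeper record, so the record alone does not let a ZooKeeper reader forge a usable token.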

...