...

ExpireTokenRequest
 
Code Block
ExpireTokenRequest => HMAC
  HMAC => bytes

 

ExpireTokenResponse
  
Code Block
ExpireTokenResponse => ErrorCode
  ErrorCode => INT32

Possible Error Codes
* AuthorizationException ()

Configuration options

The following options will be added to KafkaConfig.java and can be configured as properties for Kafka server:

  1. delegation.token.max.lifetime.sec : The token has a maximum lifetime beyond which it cannot be renewed. Default value 7 days.
  2. delegation.token.expiry.time.sec : The token validity time in seconds before the token needs to be renewed. Default value 1 day.
  3. delegation.token.master.key : Secret (master key) used to generate and verify delegation tokens. This master key must be configured on all brokers.
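
The following is an added example, not part of the KIP or of Kafka's code, that models how the three options interact: any broker holding the master key can verify a token's HMAC, and renewal extends the expiry but never past the maximum lifetime. Assumptions: the names `Broker` and `TokenRecord` are hypothetical, the HMAC is taken as HMAC-SHA-512 over the token ID (the page names no algorithm), and the renewal rule is one reading of the two lifetime options.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_LIFETIME_SEC = 7 * 24 * 3600  # delegation.token.max.lifetime.sec default (7 days)
EXPIRY_TIME_SEC = 24 * 3600       # delegation.token.expiry.time.sec default (1 day)


@dataclass
class TokenRecord:
    """Server-side token metadata, assumed to be visible to every broker."""
    token_id: str
    issued_at: int
    expires_at: int


class Broker:
    """Toy broker; master_key stands for delegation.token.master.key."""

    def __init__(self, master_key: bytes):
        self._key = master_key

    def _sign(self, token_id: str) -> bytes:
        # Assumption: HMAC-SHA-512 keyed with the master key over the token ID.
        return hmac.new(self._key, token_id.encode(), hashlib.sha512).digest()

    def issue(self, token_id: str, now: int):
        # The first validity window never exceeds the maximum lifetime.
        window = min(EXPIRY_TIME_SEC, MAX_LIFETIME_SEC)
        return TokenRecord(token_id, now, now + window), self._sign(token_id)

    def verify(self, record: TokenRecord, presented: bytes, now: int) -> bool:
        # Recompute the HMAC locally; compare in constant time to avoid a timing leak.
        expected = self._sign(record.token_id)
        return hmac.compare_digest(expected, presented) and now < record.expires_at

    def renew(self, record: TokenRecord, presented: bytes, now: int) -> bool:
        # Only a still-valid token with a correct HMAC can be renewed.
        if not self.verify(record, presented, now):
            return False
        hard_limit = record.issued_at + MAX_LIFETIME_SEC
        record.expires_at = min(now + EXPIRY_TIME_SEC, hard_limit)
        return True
```

A broker constructed with a different key rejects every token issued elsewhere, which is why the key has to match across the cluster.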

Proposed Changes

Token acquisition

...

KIP-85 allows dynamic JAAS configuration for Kafka clients. With it, we can easily configure the
delegation token for SCRAM-SHA-256 authentication.

Example Usage

The diagram below shows the steps required to use delegation tokens.

[Image: steps required to use delegation tokens]

Alternatives

Originally we considered not having any shared secret at the config level. This required us to choose one of the 3 options:

...