...
ExpireTokenRequest

    ExpireTokenRequest => HMAC
      HMAC => bytes

ExpireTokenResponse

    ExpireTokenResponse => ErrorCode
      ErrorCode => INT32
Possible Error Codes
* AuthorizationException ()
Configuration options
The following options will be added to KafkaConfig.java and can be configured as properties for the Kafka server:

delegation.token.max.lifetime.sec : The token has a maximum lifetime beyond which it cannot be renewed any more. Default value: 7 days (604800 seconds).
delegation.token.expiry.time.sec : The token validity time in seconds before the token needs to be renewed. Default value: 1 day (86400 seconds).
delegation.token.master.key : Secret/masterKey used to generate and verify delegation tokens. This masterKey needs to be configured on all the brokers.
...
In case of a password compromise, all the tokens can be deleted from ZooKeeper, which invalidates every outstanding token. A simple CLI tool can be provided for this.
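The request format, the three configuration options and the compromise response above describe one token lifecycle: a token is identified by an HMAC computed under the shared masterKey, it stays valid for expiry.time.sec unless renewed, renewal can never push it past max.lifetime.sec, and an ExpireTokenRequest carrying only the HMAC deletes it. The following store is an added example written for this page, not code from the KIP or from Kafka. It assumes HMAC-SHA256 over the token id as the MAC construction (the page only says the masterKey generates and verifies tokens) and takes timestamps as explicit arguments so the lifecycle is deterministic; the class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Defaults taken from the page: expiry.time 1 day, max.lifetime 7 days (in seconds).
DELEGATION_TOKEN_EXPIRY_TIME_SEC = 24 * 60 * 60
DELEGATION_TOKEN_MAX_LIFETIME_SEC = 7 * 24 * 60 * 60


@dataclass
class TokenInformation:
    token_id: str
    owner: str
    issue_timestamp: int
    expiry_timestamp: int   # unusable after this unless renewed beforehand
    max_timestamp: int      # hard cap: renewal is refused at or after this


class DelegationTokenStore:
    """Hypothetical broker-side token store modelling the page's lifecycle rules."""

    def __init__(self, master_key: bytes,
                 expiry_time_sec: int = DELEGATION_TOKEN_EXPIRY_TIME_SEC,
                 max_lifetime_sec: int = DELEGATION_TOKEN_MAX_LIFETIME_SEC):
        self._master_key = master_key          # delegation.token.master.key, same on every broker
        self._expiry_time_sec = expiry_time_sec
        self._max_lifetime_sec = max_lifetime_sec
        self._tokens: Dict[str, TokenInformation] = {}

    def _hmac(self, token_id: str) -> bytes:
        # Assumption: HMAC = HMAC-SHA256(masterKey, tokenId). The page fixes only
        # that the masterKey generates and verifies tokens, not the MAC input.
        return hmac.new(self._master_key, token_id.encode("utf-8"), hashlib.sha256).digest()

    def create(self, owner: str, now: int) -> Tuple[TokenInformation, bytes]:
        token_id = secrets.token_hex(16)
        max_ts = now + self._max_lifetime_sec
        info = TokenInformation(token_id, owner, now,
                                min(now + self._expiry_time_sec, max_ts), max_ts)
        self._tokens[token_id] = info
        return info, self._hmac(token_id)

    def _find(self, token_hmac: bytes) -> Optional[TokenInformation]:
        # ExpireTokenRequest identifies the token only by its HMAC, so recompute each
        # stored id's MAC; compare_digest keeps the comparison constant-time.
        for token_id, info in self._tokens.items():
            if hmac.compare_digest(self._hmac(token_id), token_hmac):
                return info
        return None

    def authenticate(self, token_id: str, token_hmac: bytes, now: int) -> Optional[str]:
        """Return the owner principal if (tokenId, HMAC) is valid and not expired."""
        info = self._tokens.get(token_id)
        if info is None or now > info.expiry_timestamp:
            return None
        if not hmac.compare_digest(self._hmac(token_id), token_hmac):
            return None
        return info.owner

    def renew(self, token_hmac: bytes, now: int) -> int:
        """Extend expiry by expiry.time.sec, clamped to the token's max lifetime."""
        info = self._find(token_hmac)
        if info is None:
            raise KeyError("unknown token")
        if now > info.expiry_timestamp:
            raise PermissionError("token already expired; it must be re-issued")
        if now >= info.max_timestamp:
            raise PermissionError("max lifetime reached; token cannot be renewed any more")
        info.expiry_timestamp = min(now + self._expiry_time_sec, info.max_timestamp)
        return info.expiry_timestamp

    def expire(self, token_hmac: bytes) -> bool:
        """ExpireTokenRequest => HMAC: delete the token; True if it existed."""
        info = self._find(token_hmac)
        if info is None:
            return False
        del self._tokens[info.token_id]
        return True

    def invalidate_all(self) -> int:
        """Compromise response from the page: drop every token (what the CLI tool would do)."""
        count = len(self._tokens)
        self._tokens.clear()
        return count
```

Two details worth noting: the HMAC-only lookup in `_find` is what makes the ExpireTokenRequest format workable without a token id in the message, and the clamp in `renew` is the only thing that enforces max.lifetime.sec, since a client that renews every day would otherwise keep a token alive indefinitely.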
Secret/Master Key
Secret/masterKey is used to generate and verify delegation tokens. It is supplied using the config option above and needs to be configured on all the brokers. The current proposal does not support rotation of the masterKey; a re-deployment is required when the masterKey needs to be rotated.
...
The current approach requires a re-deployment when the secret needs to be rotated. If we want to make rotation automated and more frequent, we can offload the responsibility of secret generation to the controller.
SCRAM Extensions
SCRAM messages have an optional extensions field, which is a comma-separated list of key=value pairs. After KIP-84 is implemented, an extension will be added to the first client SCRAM message to indicate that authentication is being requested for a delegation token. This lets the Kafka broker obtain the credentials and principal through a different code path for delegation tokens.
...