...

Current state: "DISCUSSION"

Discussion thread: here

JIRA: KAFKA-1696 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

| Field | Description |
|---|---|
| Renewer | Renewer is a Kafka Principal that is allowed to renew this token before the max lifetime expires. If the Renewer list is empty, then Renewer will default to the owner (the Principal which requested this token). |
| MaxLifeTime | Max lifetime for the token in milliseconds. If the value is -1, then MaxLifeTime will default to a server-side config value. |

MaxLifeTimeStamp = Token Issue TimeStamp + MaxLifeTime

DelegationTokenResponse

```
DelegationTokenResponse => ErrorCode TokenDetails
  ErrorCode => INT16
  TokenDetails => Owner ExpiryTimeStamp MaxLifeTimeStamp TokenId HMAC [Renewer]
    Owner => String
    ExpiryTimeStamp => INT64
    MaxLifeTimeStamp => INT64
    TokenId => String
    HMAC => bytes
    Renewer => String
```

...

Possible Error Codes
* AuthorizationException

 

RenewDelegationTokenRequest

```
RenewDelegationTokenRequest => HMAC ExpiryTime
  HMAC => bytes
  ExpiryTime => INT64
```

| Field | Description |
|---|---|
| HMAC | HMAC of the delegation token to be renewed. |
| ExpiryTime | Token expiry time in milliseconds (a future date). |

RenewDelegationTokenResponse
 
```
RenewDelegationTokenResponse => ErrorCode
  ErrorCode => INT32
```

Possible Error Codes
* AuthorizationException
* TokenExpiredException
* TokenRenewerMismatchException
* TokenNotFoundException
 
ExpireTokenRequest

```
ExpireTokenRequest => HMAC
  HMAC => bytes
```

ExpireTokenResponse

```
ExpireTokenResponse => ErrorCode
  ErrorCode => INT32
```

Possible Error Codes
* AuthorizationException

Configuration options

The following options will be added to KafkaConfig.java and can be configured as properties for Kafka server:

  1. delegation.token.max.lifetime.sec : The token has a maximum lifetime beyond which it cannot be renewed any more. Default value 7 days.
  2. delegation.token.expiry.time.sec : The token validity time in seconds before the token needs to be renewed. Default value 1 day.
  3. delegation.token.master.key : Secret/masterKey used to generate and verify delegation tokens. This masterKey must be configured on all the brokers.
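
The renewal rules and error codes above, together with these three options, can be modelled as broker-side logic. This is an added sketch, not code from the KIP or from Kafka. It assumes the HMAC is HMAC-SHA512 over the TokenId keyed with the master key, that ExpiryTime is an absolute timestamp in milliseconds, and that a requested expiry past MaxLifeTimeStamp is clamped to it; `TokenManager`, `Token` and their method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

class TokenNotFoundException(Exception): pass
class TokenExpiredException(Exception): pass
class TokenRenewerMismatchException(Exception): pass

@dataclass
class Token:
    owner: str
    renewers: list
    token_id: str
    hmac: bytes
    expiry_ts: int    # ExpiryTimeStamp, ms
    max_life_ts: int  # MaxLifeTimeStamp, ms

class TokenManager:
    def __init__(self, master_key, max_lifetime_sec=7 * 86400, expiry_time_sec=86400):
        self.master_key = master_key                   # delegation.token.master.key
        self.max_lifetime_ms = max_lifetime_sec * 1000 # delegation.token.max.lifetime.sec
        self.expiry_ms = expiry_time_sec * 1000        # delegation.token.expiry.time.sec
        self.tokens = {}

    def _sign(self, token_id):
        # Assumption: HMAC-SHA512 over the TokenId, keyed with the master key.
        return hmac.new(self.master_key, token_id.encode(), hashlib.sha512).digest()

    def issue(self, owner, renewers, max_lifetime_ms, now_ms):
        if max_lifetime_ms == -1:                      # -1 selects the server-side default
            max_lifetime_ms = self.max_lifetime_ms
        token_id = secrets.token_hex(16)
        max_ts = now_ms + max_lifetime_ms              # MaxLifeTimeStamp = issue time + MaxLifeTime
        tok = Token(owner, list(renewers) or [owner], token_id, self._sign(token_id),
                    min(now_ms + self.expiry_ms, max_ts), max_ts)
        self.tokens[token_id] = tok
        return tok

    def renew(self, requester, token_hmac, expiry_time_ms, now_ms):
        # The request carries only the HMAC, so match it in constant time.
        tok = next((t for t in self.tokens.values()
                    if hmac.compare_digest(t.hmac, token_hmac)), None)
        if tok is None:
            raise TokenNotFoundException()
        if requester not in tok.renewers:
            raise TokenRenewerMismatchException()
        if now_ms >= min(tok.expiry_ts, tok.max_life_ts):
            raise TokenExpiredException()
        tok.expiry_ts = min(expiry_time_ms, tok.max_life_ts)  # never past the max lifetime
        return tok.expiry_ts
```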

...