Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Current state["DISCUSSION"]. 

Discussion thread: here

JIRA: KAFKA-1696 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

Possible Error Codes
* AuthorizationException
RenewDelegationTokenRequest
Code Block
RenewDelegationTokenRequest => HMAC ExpiryTime
  HMAC => bytes
  ExpiryTime => INT64
 

Field

Description

HMAC

HMAC of the delegation token to be renewed

ExpiryTime
Token Expiry time in milli seconds to future date.

...

* TokenRenewerMismatchException
* TokenNotFoundException
 
ExpireTokenRequest
Code Block
ExpireTokenRequest => HMAC
  HMAC => bytes
ExpireTokenResponse
Code Block
ExpireTokenResponse => ErrorCode
  ErroCode => INT32
Possible Error Codes
* AuthorizationException

Configuration options

The following options will be added to KafkaConfig.java and can be configured as properties for Kafka server:

  1. delegation.token.max.lifetime.sec : The token has a maximum lifetime beyond which it cannot be renewed any more. Default value 7 days.
  2. delegation.token.expiry.time.sec : The token validity time in seconds before the token needs to be renewed. Default value 1 day.
  3. delegation.token.master.key : Secret/masterKey to generate and verify delegation tokens. This masterKey needs to be configured with all the brokers.

...

  • The client authenticates using Kerberos or any other available authentication scheme. A token can not be renewed if the initial authentication is done through delegation token, client must use a different auth scheme. 

  • Client sends a request to renew a token with an optional renew life time which must be < max life time of token.

  • Broker looks up the token, if token is expired or if the renewer’s identity does not match with the token’s renewers, or if token renewal is beyond the Max life time of token,  broker disallows the operation by throwing an appropriate exception.

  • If none of the above conditions are matched, broker updates token’s expiry. Note that the HMAC-SASM is unchanged so the token on client side is unchanged. Broker updates the expiration in its local cache and on zookeeper so other brokers also get notified and their cache statuses are updated as well.

Image Modified

Token expiration and cancellation

...