...
Current state: ["DISCUSSION"].
Discussion thread: here
JIRA: KAFKA-1696
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
Possible Error Codes
* AuthorizationException
RenewDelegationTokenRequest
```
RenewDelegationTokenRequest => HMAC ExpiryTime
  HMAC => bytes
  ExpiryTime => INT64
```
Field | Description |
---|---|
HMAC | HMAC of the delegation token to be renewed |
ExpiryTime | Requested token expiry time in milliseconds (must be a future date). |
...
* TokenRenewerMismatchException
* TokenNotFoundException
ExpireTokenRequest
```
ExpireTokenRequest => HMAC
  HMAC => bytes
```
ExpireTokenResponse
```
ExpireTokenResponse => ErrorCode
  ErrorCode => INT32
```
Possible Error Codes
* AuthorizationException
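To make the wire formats above concrete, the following is an added example (not code from the KIP or from Kafka itself) that encodes and decodes RenewDelegationTokenRequest, ExpireTokenRequest and ExpireTokenResponse exactly as the definitions above spell them out. It assumes the standard Kafka primitive encodings: `bytes` is a big-endian INT32 length prefix followed by the raw bytes, and INT32/INT64 are big-endian signed integers. A decoder that rejects truncated or trailing data is the check a broker needs before it looks up the HMAC.

```python
import struct


def encode_bytes(value: bytes) -> bytes:
    """Kafka 'bytes' primitive: INT32 big-endian length, then the raw bytes (assumed encoding)."""
    return struct.pack(">i", len(value)) + value


def decode_bytes(buf: bytes, offset: int):
    """Decode one 'bytes' field at offset; return (value, new_offset). Rejects null/truncated input."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from(">i", buf, offset)
    offset += 4
    if length < 0:
        raise ValueError("null bytes not allowed for HMAC")
    if offset + length > len(buf):
        raise ValueError("truncated bytes field")
    return buf[offset:offset + length], offset + length


def encode_renew_request(hmac: bytes, expiry_time_ms: int) -> bytes:
    # RenewDelegationTokenRequest => HMAC ExpiryTime ; HMAC => bytes ; ExpiryTime => INT64
    return encode_bytes(hmac) + struct.pack(">q", expiry_time_ms)


def decode_renew_request(buf: bytes) -> dict:
    hmac, offset = decode_bytes(buf, 0)
    if offset + 8 > len(buf):
        raise ValueError("truncated ExpiryTime")
    (expiry_time_ms,) = struct.unpack_from(">q", buf, offset)
    offset += 8
    if offset != len(buf):
        raise ValueError("trailing bytes after request")
    return {"hmac": hmac, "expiry_time_ms": expiry_time_ms}


def encode_expire_request(hmac: bytes) -> bytes:
    # ExpireTokenRequest => HMAC ; HMAC => bytes
    return encode_bytes(hmac)


def decode_expire_request(buf: bytes) -> dict:
    hmac, offset = decode_bytes(buf, 0)
    if offset != len(buf):
        raise ValueError("trailing bytes after request")
    return {"hmac": hmac}


def encode_expire_response(error_code: int) -> bytes:
    # ExpireTokenResponse => ErrorCode ; ErrorCode => INT32
    return struct.pack(">i", error_code)


def decode_expire_response(buf: bytes) -> dict:
    if len(buf) != 4:
        raise ValueError("ExpireTokenResponse must be exactly one INT32")
    (error_code,) = struct.unpack_from(">i", buf, 0)
    return {"error_code": error_code}


def is_well_formed_renew_request(buf: bytes) -> bool:
    """Convenience check: True if buf decodes cleanly as a RenewDelegationTokenRequest."""
    try:
        decode_renew_request(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values: a 32-byte HMAC and an expiry one day after a fixed epoch millisecond.
    sample_hmac = bytes(range(32))
    sample_expiry = 1_700_000_000_000 + 24 * 60 * 60 * 1000
    wire = encode_renew_request(sample_hmac, sample_expiry)
    print(len(wire), decode_renew_request(wire))
```

The encoders are deliberately symmetric with the decoders so a round trip can be asserted; the length and trailing-byte checks are what stop a malformed request from being interpreted as a valid HMAC lookup.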
Configuration options
The following options will be added to KafkaConfig.java and can be configured as properties for the Kafka server:
* delegation.token.max.lifetime.sec : The token has a maximum lifetime beyond which it cannot be renewed any more. Default value 7 days.
* delegation.token.expiry.time.sec : The token validity time in seconds before the token needs to be renewed. Default value 1 day.
* delegation.token.master.key : Secret/masterKey used to generate and verify delegation tokens. This masterKey needs to be configured on all the brokers.
...
The client authenticates using Kerberos or any other available authentication scheme. A token cannot be renewed if the initial authentication was done through a delegation token; the client must use a different auth scheme.
The client sends a request to renew a token with an optional renew lifetime, which must be less than the max lifetime of the token.
The broker looks up the token. If the token is expired, if the renewer's identity does not match the token's renewers, or if the requested renewal is beyond the max lifetime of the token, the broker disallows the operation by throwing an appropriate exception.
If none of the above conditions are met, the broker updates the token's expiry. Note that the HMAC is unchanged, so the token on the client side is unchanged. The broker updates the expiration in its local cache and on ZooKeeper so that other brokers are also notified and their cache states are updated as well.
Token expiration and cancellation
...