Page History

...

* AuthorizationException

Code Block
RenewDelegationTokenRequest => HMAC ExpiryTime HMAC => bytes ExpiryTime => INT64

Field	Description
HMAC	HMAC of the delegation token to be renewed
ExpiryTime	Token Expiry time in milli seconds to future date.

...

* TokenRenewerMismatchException

* TokenNotFoundException

Code Block
ExpireTokenRequest => HMAC HMAC => bytes

Code Block
ExpireTokenResponse => ErrorCode ErroCode => INT32

* AuthorizationException

The following options will be added to KafkaConfig.java and can be configured as properties for Kafka server:

delegation.token.max.lifetime.sec : The token has a maximum lifetime beyond which it cannot be renewed any more. Default value 7 days.

delegation.token.expiry.time.sec : The token validity time in seconds before the token needs to be renewed. Default value 1 day.

delegation.token.master.key : Secret/masterKey to generate and verify delegation tokens. This masterKey needs to be configured with all the brokers.

...

The client authenticates using Kerberos or any other available authentication scheme. A token can not be renewed if the initial authentication is done through delegation token, client must use a different auth scheme.
Client sends a request to renew a token with an optional renew life time which must be < max life time of token.
Broker looks up the token, if token is expired or if the renewer’s identity does not match with the token’s renewers, or if token renewal is beyond the Max life time of token, broker disallows the operation by throwing an appropriate exception.
If none of the above conditions are matched, broker updates token’s expiry. Note that the HMAC-SASM is unchanged so the token on client side is unchanged. Broker updates the expiration in its local cache and on zookeeper so other brokers also get notified and their cache statuses are updated as well.

Image Modified

...