You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

This page is meant as a template for writing a KIP. To create a KIP choose Tools->Copy on this page and modify with your content and replace the heading with the next KIP number and a description of your issue. Replace anything in italics with your own description.

Status

Current state:  "Under Discussion"

Discussion thread: here 

JIRA: here 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

In KIP-48, we added support for delegation token based authentication mechanism. Currently, we only allow a user to create delegation token for that user only. This limits the usage of delegation token mechanism. This KIP proposes to allow users to create delegation tokens for other users. This allows the following use cases.

1.  A designated superuser can create tokens without requiring individual user credentials.
2. A designated superuser can run kafka clients on behalf of another user. 

In this use case, a superuser with username ‘super’ wants to run kafka clients on behalf of a user joe. The superuser has secure authentication credentials (kerberos, SSL, SCRAM) but user joe doesn’t have any. The clients are required to run as user joe and authorizations are required to be done as user joe.

In this case, superuser can get a delegation token for joe, and use the generated token to run the Kafka clients. This will mimic the impersonation functionality. This will help the stream processing frameworks/libs (Apache Spark, Storm, Kafka Streams) to run the jobs (Kafka clients) as submitted users.

In case of Storm, Storm’s master (nimbus) is the only node that needs a superuser keytab. Using this keytab Nimbus will authenticate with Kafka broker and acquire a delegation token for the submitted jobs. Nimbus can then distribute this delegation token to all of its worker hosts and all worker jobs (Kafka clients)) will be able to authenticate to kafka using tokens. Similar logic can be implemented on Spark jobs.

Public Interfaces

Protocol Changes

CreateTokenRequest

We will bump the version of the CreateTokenRequest API to include the owner details and "Token requester"  in reponse. For old versions, we will skip the owner and owner will be same as token request principal.

CreateDelegationTokenRequest => [Renewer] MaxDateMs
  Owner => Nullable string  // New
  Renewer => string
  MaxDateMs => INT64


Field

Description

Owner

Owner is an Kafka PrincipalType+name string, who is the owner of the token.  If owner string is null, then token request principal is treated as owner


CreateDelegationTokenResponse

CreateDelegationTokenResponse => ErrorCode TokenDetails
  ErrorCode => INT16
  TokenDetails =>  IssueDateMs ExpiryDateMs MaxDateMs TokenId HMAC 
    Owner => String
    Token requester => String //New 
    IssueDateMs  => INT64
    ExpiryDateMs => INT64
    MaxDateMs => INT64	
    TokenId => String 
    HMAC => bytes

Field

Description

Token requester

Token requester is an Kafka PrincipalType+name string, who requested this token.


CreateDelegationTokenResponse

We will bump the version of the DescribeTokensRequest API to include the "Token requester"  info in response details. 


DescribeDelegationTokenResponse => ErrorCode [TokenDetails]
  ErrorCode => INT16
  TokenDetails => Owner IssueDateMs ExpiryDateMs TokenId HMAC [Renewer]
    Owner => String
    Token requester => String //New 
    IssueDateMs  => INT64
    ExpiryDateMs => INT64
    MaxDateMs => INT64	
    TokenId => String 
    HMAC => bytes
    Renewer => String

Field

Description

Token requester

Token requester is an Kafka PrincipalType+name string, who requested this token.

AdminClient API Changes

CreateDelegationTokenOptions class will be updated to take "owner" principal as input.


AdminClient {
    //create delegation token with supplied options
	public abstract CreateDelegationTokenResult createDelegationToken(CreateDelegationTokenOptions options)
}

public class CreateDelegationTokenOptions extends AbstractOptions<CreateDelegationTokenOptions> {
    private long maxLifeTimeMs = -1;
    private List<KafkaPrincipal> renewers =  new LinkedList<>();
    private Optional<KafkaPrincipal> owner = Optional.empty(); // New

    public CreateDelegationTokenOptions owner(KafkaPrincipal owner) {  // New
        this.owner = Optional.of(owner);
        return this;
    }

    public CreateDelegationTokenOptions renewers(List<KafkaPrincipal> renewers) {
        this.renewers = renewers;
        return this;
    }

    public Optional<KafkaPrincipal> owner() {
        return owner;
    }

    public List<KafkaPrincipal> renewers() {
        return renewers;
    }

    public CreateDelegationTokenOptions maxlifeTimeMs(long maxLifeTimeMs) {
        this.maxLifeTimeMs = maxLifeTimeMs;
        return this;
    }

    public long maxlifeTimeMs() {
        return maxLifeTimeMs;
    }
}


Update TokenInformation class to include "token request" details.


public class TokenInformation {

    private KafkaPrincipal owner;
    private KafkaPrincipal tokenRequester; /// New
    private Collection<KafkaPrincipal> renewers;
    private long issueTimestamp;
    private long maxTimestamp;
    private long expiryTimestamp;
    private String tokenId;

    public TokenInformation(String tokenId, KafkaPrincipal owner, KafkaPrincipal tokenRequester,
        Collection<KafkaPrincipal> renewers, long issueTimestamp, long maxTimestamp, long expiryTimestamp) {
     ....
     ....
    }
    
}

ACL Changes:

We like to add two new Operations "CREATE_TOKENS", "DESCRIBE_TOKENS" on cluster resource, to allow users create token for other users and describe others tokens.

Owners/renewers/token requester principals can always renew/expire/describe their own tokens.  

 

Operation

Resource

API
CREATE_TOKENSClustercreateTokens for other users // New
DESCRIBE_TOKENSClusterdescribeTokens for others tokens // New

DESCRIBE

Token

describeTokens for a given tokenId //Existing

DelegationTokenCommand Changes:

Proposed Changes

The token requester must be authenticated using any of the available secure channels (Kerberos, SCRAM, SSL) to generate tokens for other users. The token requester can not use delegation token based authentication for generating tokens.


Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?
  • If we are changing behavior how will we phase out the older behavior?
  • If we need special migration tools, describe them here.
  • When will we remove the existing behavior?

Rejected Alternatives

  • No labels