THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Status
Current state: ["Under Discussion"]
Discussion thread: here
JIRA: KAFKA-6447
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
KIP-48 added support for delegation token based authentication mechanism. KIP-48/KAFKA-4541 implemented protocol request and response for delegation token operations.
This KIP is about adding these delegation token operations to the new Admin Client API.
Public Interfaces
The AdminClient API will have the following new methods added
AdminClient {
//create delegation token with default options
public CreateDelegationTokenResult createDelegationToken()
//create delegation token with supplied options
public abstract CreateDelegationTokenResult createDelegationToken(CreateDelegationTokenOptions options)
//renew delegation token with default options
public RenewDelegationTokenResult renewDelegationToken(byte[] hmac)
//renew delegation token token with supplied options
public abstract RenewDelegationTokenResult renewDelegationToken(byte[] hmac, RenewDelegationTokenOptions options);
//expire delegation token immediately
public ExpireDelegationTokenResult expireDelegationToken(byte[] hmac)
//expire delegation token with supplied options
public abstract ExpireDelegationTokenResult expireDelegationToken(byte[] hmac, ExpireDelegationTokenOptions options);
//returns all the user owned tokens and other tokens where user have Describe permission
public DescribeDelegationTokenResult describeDelegationToken()
//returns all the tokens for the given options
public abstract DescribeDelegationTokenResult describeDelegationToken(DescribeDelegationTokenOptions options);
}
CreateDelegationTokenResult's future objects can return the following exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED, INVALID_PRINCIPAL_TYPE DELEGATION_TOKEN_AUTH_DISABLED
RenewDelegationTokenResult and ExpireDelegationTokenResult's future objects can the throw the follwoing exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED, DELEGATION_TOKEN_AUTH_DISABLED DELEGATION_TOKEN_OWNER_MISMATCH DELEGATION_TOKEN_EXPIRED DELEGATION_TOKEN_NOT_FOUND
DescribeDelegationTokenResult's future object can the throw the follwoing exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED, DELEGATION_TOKEN_AUTH_DISABLED
Proposed Changes
The following classes will be added.
CreateDelegationTokenResult, CreateDelegationTokenOptions
RenewDelegationTokenResult, RenewDelegationTokenOptions
ExpireDelegationTokenResult, ExpireDelegationTokenOptions
DescribeDelegationTokenResult, DescribeDelegationTokenOptions
public class CreateDelegationTokenResult {
private final KafkaFuture<DelegationToken> delegationToken;
CreateDelegationTokenResult(KafkaFuture<DelegationToken> delegationToken) {
this.delegationToken = delegationToken;
}
/**
* Returns a future which yields a delegation token
*/
public KafkaFuture<DelegationToken> delegationToken() {
return delegationToken;
}
}
public class CreateDelegationTokenOptions extends AbstractOptions<CreateDelegationTokenOptions> {
// default value is -1, This will default the token maxLifeTime to server side config value (delegation.token.max.lifetime.ms).
private long maxLifeTimeMs = -1;
private List<KafkaPrincipal> renewers = new LinkedList<>();
public CreateDelegationTokenOptions renewers(List<KafkaPrincipal> renewers) {
this.renewers = renewers;
return this;
}
public List<KafkaPrincipal> renewers() {
return renewers;
}
public CreateDelegationTokenOptions maxlifeTimeMs(long maxLifeTimeMs) {
this.maxLifeTimeMs = maxLifeTimeMs;
return this;
}
public long maxlifeTimeMs() {
return maxLifeTimeMs;
}
}
public class RenewDelegationTokenResult {
private final KafkaFuture<Long> expiryTimestamp;
RenewDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
this.expiryTimestamp = expiryTimestamp;
}
/**
* Returns a future which yields expiry timestamp
*/
public KafkaFuture<Long> expiryTimestamp() {
return expiryTimestamp;
}
}
public class RenewDelegationTokenOptions extends AbstractOptions<RenewDelegationTokenOptions> {
// default value is -1. This will default the Renew Time period to a server side config value (delegation.token.expiry.time.ms).
private long renewTimePeriodMs = -1;
public RenewDelegationTokenOptions renewTimePeriodMs(long renewTimePeriodMs) {
this.renewTimePeriodMs = renewTimePeriodMs;
return this;
}
public long renewTimePeriodMs() {
return renewTimePeriodMs;
}
}
public class ExpireDelegationTokenResult {
private final KafkaFuture<Long> expiryTimestamp;
ExpireDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
this.expiryTimestamp = expiryTimestamp;
}
/**
* Returns a future which yields expiry timestamp
*/
public KafkaFuture<Long> expiryTimestamp() {
return expiryTimestamp;
}
}
public class ExpireDelegationTokenOptions extends AbstractOptions<ExpireDelegationTokenOptions> {
//default value is -1. This token will get invalidated immediately
private long expiryTimePeriodMs = -1;
public ExpireDelegationTokenOptions expiryTimePeriodMs(long expiryTimePeriodMs) {
this.expiryTimePeriodMs = expiryTimePeriodMs;
return this;
}
public long expiryTimePeriodMs() {
return expiryTimePeriodMs;
}
}
public class DescribeDelegationTokenResult {
private final KafkaFuture<List<DelegationToken>> delegationTokens;
DescribeDelegationTokenResult(KafkaFuture<List<DelegationToken>> delegationTokens) {
this.delegationTokens = delegationTokens;
}
/**
* Returns a future which yields list of delegation tokens
*/
public KafkaFuture<List<DelegationToken>> delegationTokens() {
return delegationTokens;
}
}
public class DescribeDelegationTokenOptions extends AbstractOptions<DescribeDelegationTokenOptions> {
//default null vaule indicates to return all the allowed tokens
private List<KafkaPrincipal> owners;
public DescribeDelegationTokenOptions owners(List<KafkaPrincipal> owners) {
this.owners = owners;
return this;
}
public List<KafkaPrincipal> owners() {
return owners;
}
Compatibility, Deprecation, and Migration Plan
This is a new API and won't affect existing users.
Rejected Alternatives