kafka-delegation-tokens
Learn how to use the kafka-delegation-tokens
tool.
The kafka-delegation-tokens
provides the user with the functionality
required for using and managing delegation tokens.
The tool can be used to issue, renew, expire, or describe delegation tokens.
- Issue, and store for verification
- The owner of the token is the currently authenticated principal. A renewer can be
specified when requesting the token.
kafka-delegation-tokens --bootstrap-server hostname:port --create --max-life-time-period -1 --command-config client.properties --renewer-principal User:user1
- Renew
- Only the owner and the principals that are renewers of the delegation token can extend
its validity by renewing it before it expires. A successful renewal extends the Delegation
Token’s expiration time for another renew-interval, until it reaches its max lifetime.
Expired delegation tokens cannot be renewed. The brokers remove expired delegation tokens
from the broker’s cache and from Zookeeper.
kafka-delegation-tokens --bootstrap-server hostname:port --renew --renew-time-period -1 --command-config client.properties --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==
- Remove
- Delegation tokens are removed when they are canceled by the client or when they expire.
kafka-delegation-tokens --bootstrap-server hostname:port --expire --expiry-time-period -1 --command-config client.properties --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==
- Describe
- Tokens can be described by owners, renewers or the Kafka super
user.
kafka-delegation-tokens --bootstrap-server hostname:port --describe --command-config client.properties --owner-principal User:user1