kafka-delegation-tokens

Learn how to use the kafka-delegation-tokens tool.

The kafka-delegation-tokens provides the user with the functionality required for using and managing delegation tokens.

The tool can be used to issue, renew, expire, or describe delegation tokens.

Issue, and store for verification

The owner of the token is the currently authenticated principal. A renewer can be specified when requesting the token.

kafka-delegation-tokens --bootstrap-server hostname:port  --create   --max-life-time-period -1 --command-config client.properties --renewer-principal User:user1

Renew

Only the owner and the principals that are renewers of the delegation token can extend its validity by renewing it before it expires. A successful renewal extends the Delegation Token’s expiration time for another renew-interval, until it reaches its max lifetime. Expired delegation tokens cannot be renewed. The brokers remove expired delegation tokens from the broker’s cache and from Zookeeper.

kafka-delegation-tokens --bootstrap-server hostname:port --renew    --renew-time-period -1 --command-config client.properties --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==

Remove

Delegation tokens are removed when they are canceled by the client or when they expire.

kafka-delegation-tokens --bootstrap-server hostname:port --expire   --expiry-time-period -1   --command-config client.properties  --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==

Describe

Tokens can be described by owners, renewers or the Kafka super user.

kafka-delegation-tokens --bootstrap-server hostname:port --describe --command-config client.properties  --owner-principal User:user1