Manage individual delegation tokens
A list of example actions you can issue to manage individual delegation tokens.
The functionality that’s needed to manage and use delegation tokens is accessible using the
AdminClient APIs or the kafka-delegation-tokens tool. All of their operations
are allowed only via SASL authenticated channels.
Both the API and the script provide the following actions:
- Issue, and store for verification
- The owner of the token is the currently authenticated principal. A renewer can be
specified when requesting the token.
kafka-delegation-tokens --bootstrap-server hostname:port --create --max-life-time-period -1 --command-config client.properties --renewer-principal User:user1 - Renew
- Only the owner and the principals that are renewers of the delegation token can
extend its validity by renewing it before it expires. A successful renewal extends the
Delegation Token’s expiration time for another renew-interval, until it reaches its max
lifetime. Expired delegation tokens cannot be used to authenticate, the brokers will
remove expired delegation tokens from the broker’s cache and from
Zookeeper.
kafka-delegation-tokens --bootstrap-server hostname:port --renew --renew-time-period -1 --command-config client.properties --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA== - Remove
- Delegation tokens are removed when they are canceled by the client or when they
expire.
kafka-delegation-tokens --bootstrap-server hostname:port --expire --expiry-time-period -1 --command-config client.properties --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA== - Describe
- Tokens can be described by owners, renewers or the Kafka super
user.
kafka-delegation-tokens --bootstrap-server hostname:port --describe --command-config client.properties --owner-principal User:user1
