Enable or disable authentication with delegation tokens

Learn how to enable or disable Kafka delegation tokens.

Delegation token based authentication requires that both the Enable Kerberos Authentication and Enable Delegation Tokens properties are set to true. The default value of the Enable Delegation Tokens property is true, but will have no effect until Kerberos is also enabled.

Although enabling delegation tokens enables authentication between clients and servers using the SASL/SCRAM mechanism, it is only as a vehicle for delegation tokens. Using SCRAM credentials is not supported otherwise.

Sensitive delegation token metadata is stored in Zookeeper. It is recommended to restrict access on Zookeeper nodes to prevent access to sensitive delegation token related data through Zookeeper. The connection between Kafka and Zookeeper is not encrypted, therefore, it is also recommended to use delegation tokens only if no unauthorized person can read and manipulate the traffic between these services.

Delegation tokens can be enabled separately for each Kafka service.

A secure Kafka cluster with Kerberos authentication enabled is required for delegation tokens to function.

  1. In Cloudera Manager select the Kafka service.
  2. Select Configuration and find the Enable Delegation Tokens property.
  3. Enable or disable delegation tokens for all required services by checking or unchecking the checkbox next to the name of the service.
  4. Click Save Changes.
  5. Perform a Rolling Restart:
    1. Return to the Home page by clicking the Cloudera Manager logo.
    2. Go to the Kafka service and select Actions > Rolling Restart.
    3. Check the Restart roles with stale configurations only checkbox and click Rolling restart.
    4. Click Close when the restart has finished.
Delegation tokens are enabled or disabled for the selected Kafka services. If delegation tokens were enabled, then the necessary secrets and settings are generated.