Rotating the Master Key/Secret

The brokers generate and verify delegation tokens using a secret called delegation.token.master.key. This secret is generated by Cloudera Manager and securely passed to the Kafka brokers when delegation token authentication is enabled. You can change the secret through the Cloudera Manager API. Do this if the secret is compromised, or periodically as a precautionary measure.

To change the secret, complete these steps:
  1. Expire existing tokens.

    kafka-delegation-tokens example command:

    kafka-delegation-tokens --bootstrap-server hostname:port --expire --expiry-time-period -1 --command-config client.properties --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==
  2. Generate a new master key.

    curl -X PUT -u "user" -H "content-type:application/json" -i "https://cloudera-manager-host:7183/api/v31/clusters/cluster-name/services/kafka-service-name/config" -d '{"items" : [ {"name" : "delegation.token.master.key","value" : "'$(openssl rand -base64 24)'","sensitive" : true}]}'
  3. Perform a rolling restart.

    1. In Cloudera Manager go to the Kafka service and select Actions > Rolling Restart.
    2. Check the Restart roles with stale configurations only checkbox and click Rolling restart.
    3. Click Close when the restart has finished.
  4. Reauthenticate with all clients. This will generate the new tokens.
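The four steps above, scripted as an added example that is not Cloudera's code: steps 1 to 3 are automated, step 4 stays a client-side action. The host, user, cluster and service names are assumed placeholders, and the rollingRestart command endpoint with its staleConfigsOnly field is an assumption about the Cloudera Manager API that you should check against your CM version.

```shell
#!/bin/sh
# Added example (not Cloudera's code): rotate the Kafka delegation token
# master key through the Cloudera Manager API, steps 1-3 of the procedure.
# Host, user, cluster and service names are assumed placeholders; the
# rollingRestart endpoint and its staleConfigsOnly field are assumed.
set -eu
CM_HOST="${CM_HOST:-cm.example.internal}"   # assumed Cloudera Manager host
CM_USER="${CM_USER:-admin}"                 # curl prompts for the password
CLUSTER="${CLUSTER:-cluster1}"              # assumed cluster name
SERVICE="${SERVICE:-kafka}"                 # assumed Kafka service name
CLIENT_PROPS="${CLIENT_PROPS:-client.properties}"
BOOTSTRAP="${BOOTSTRAP:-broker.example.internal:9093}"
API="https://${CM_HOST}:7183/api/v31/clusters/${CLUSTER}/services/${SERVICE}"
# Step 2a: 24 random bytes, base64-encoded, as in the page's openssl call.
generate_master_key() {
  if command -v openssl >/dev/null 2>&1; then openssl rand -base64 24
  else head -c 24 /dev/urandom | base64; fi
}
# Accept only a 32-character base64 string so a failed random source can
# never push an empty or short key to the brokers.
validate_master_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{32}$'
}
# Step 2b: config-update body; the key is sent as a sensitive item, as on the page.
build_config_payload() {
  printf '{"items":[{"name":"delegation.token.master.key","value":"%s","sensitive":true}]}' "$1"
}
# Step 1: expire every outstanding token (one HMAC per argument).
expire_tokens() {
  for hmac in "$@"; do
    kafka-delegation-tokens --bootstrap-server "$BOOTSTRAP" --expire \
      --expiry-time-period -1 --command-config "$CLIENT_PROPS" --hmac "$hmac"
  done
}
# Step 3: rolling restart of roles with stale configs (assumed CM API endpoint).
rolling_restart() {
  curl -sS -X POST -u "$CM_USER" -H 'content-type:application/json' \
    "${API}/commands/rollingRestart" -d '{"staleConfigsOnly":true}'
}
rotate() {
  expire_tokens "$@"
  key=$(generate_master_key)
  validate_master_key "$key" || { echo "bad key material" >&2; exit 1; }
  curl -sS -X PUT -u "$CM_USER" -H 'content-type:application/json' \
    "${API}/config" -d "$(build_config_payload "$key")"
  rolling_restart
}
# Usage: sh rotate.sh rotate <hmac1> [hmac2 ...]; then reauthenticate all clients.
if [ "${1:-}" = "rotate" ]; then shift; rotate "$@"; fi
```

Pass the HMAC of every outstanding token; once the brokers load the new key, tokens issued under the old one no longer verify, which is why step 4 reauthenticates every client.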