Enable Authentication with Delegation Tokens

Although the following steps enable authentication between clients and servers using the SASL/SCRAM mechanism, it is only as a vehicle for delegation tokens. Using SCRAM credentials is not supported otherwise. Sensitive delegation token metadata is stored in Zookeeper. It is recommended to restrict access on Zookeeper nodes to prevent access to sensitive delegation token related data through Zookeeper. As the connection between Kafka and Zookeeper is not encrypted, it is also recommended to use delegation tokens only if no unauthorized person can read and manipulate the traffic between these services.

For more information on restricting Zookeeper access, see Kafka Security Hardening with Zookeeper ACLs.


A secure Kafka cluster with Kerberos authentication enabled is required. For more information, see Enabling Kerberos Authentication.


Enable Authentication with delegation tokens by completing the following steps:
  1. In Cloudera Manager go to the Kafka service.

  2. Select Configuration and find the Enable Delegation Tokens property.

  3. Enable delegation tokens for all required services by checking the checkbox next to the name of the service.

  4. Click Save Changes.

  5. Perform a Rolling Restart.

    1. Return to the Home page by clicking the Cloudera Manager logo.

    2. Go to the Kafka service and select Actions > Rolling Restart.

    3. Check the Restart roles with stale configurations only checkbox and click Rolling restart.

    4. Click Close when the restart has finished.

Completing these steps generates the necessary secrets and settings for delegation tokens.