Enable authentication with delegation tokens

Learn how to enable Kafka delegation tokens.

Although enabling delegation tokens enables authentication between clients and servers using the SASL/SCRAM mechanism, SCRAM serves only as a vehicle for delegation tokens. Using SCRAM credentials is not supported otherwise.

Sensitive delegation token metadata is stored in ZooKeeper. It is recommended to restrict access on ZooKeeper nodes to prevent access to sensitive delegation token related data through ZooKeeper. The connection between Kafka and ZooKeeper is not encrypted. Therefore, it is also recommended to use delegation tokens only if no unauthorized person can read and manipulate the traffic between these services.

Delegation tokens can be enabled separately for each Kafka service.

A secure Kafka cluster with Kerberos authentication enabled is required for delegation tokens to function.

  1. In Cloudera Manager select the Kafka service.
  2. Select Configuration and find the Enable Delegation Tokens property.
  3. Enable delegation tokens for all required services by checking the checkbox next to the name of the service.
  4. Click Save Changes.
  5. Perform a Rolling Restart:
    1. Return to the Home page by clicking the Cloudera Manager logo.
    2. Go to the Kafka service and select Actions > Rolling Restart.
    3. Check the Restart roles with stale configurations only checkbox and click Rolling restart.
    4. Click Close when the restart has finished.

Delegation tokens are enabled for the selected Kafka services. The necessary secrets and settings are generated.
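
One way to verify the recommendation to restrict access on ZooKeeper nodes is to audit the ACL of the znode that holds the token data. The following is an added example, not part of the original documentation: it parses the text printed by the ZooKeeper CLI `getAcl` command and reports every entry that grants permissions to anyone other than the trusted SASL identities. The sample outputs and the `kafka` identity are constructed for illustration.

```python
import re

# ZooKeeper permission letters: create, delete, read, write, admin.
PERM_ORDER = "cdrwa"
# getAcl prints each entry as 'scheme,'id followed by a ": perms" line.
ENTRY_RE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")


def parse_acl(text):
    """Parse zkCli `getAcl` output into (scheme, id, perms) tuples."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            pending = (match.group("scheme"), match.group("id"))
        elif line.startswith(":") and pending:
            perms = set(line[1:].strip())
            if not perms <= set(PERM_ORDER):
                raise ValueError(f"unknown permission in {line!r}")
            entries.append((pending[0], pending[1], perms))
            pending = None
    return entries


def audit_acl(text, trusted_ids):
    """Return one finding per ACL entry that reaches beyond trusted_ids."""
    entries = parse_acl(text)
    if not entries:
        return ["no ACL entries parsed; check the input"]
    findings = []
    for scheme, ident, perms in entries:
        trusted = scheme == "sasl" and ident in trusted_ids
        if trusted or not perms:
            continue
        granted = "".join(p for p in PERM_ORDER if p in perms)
        findings.append(f"{scheme}:{ident} has {granted}")
    return findings


# Constructed sample outputs (not captured from a real cluster).
OPEN_ACL = "'world,'anyone\n: cdrwa\n"
RESTRICTED_ACL = "'sasl,'kafka\n: cdrwa\n"
MIXED_ACL = "'sasl,'kafka\n: cdrwa\n'world,'anyone\n: r\n"

if __name__ == "__main__":
    for name, sample in [("open", OPEN_ACL), ("restricted", RESTRICTED_ACL), ("mixed", MIXED_ACL)]:
        print(name, audit_acl(sample, {"kafka"}) or "OK")
```

A world-readable entry is reported even when it grants only `r`, because read access alone is enough to expose the token metadata stored on the znode.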