Rotate the master key/secret

Learn how to rotate the delegation token Master Key/Secret.

The brokers generate and verify delegation tokens using a secret called delegation.token.master.key. This secret is generated by Cloudera Manager and securely passed to Kafka brokers when authentication with delegation tokens is enabled. You can change the secret with the Cloudera Manager API. This should be done if the secret becomes compromised, or simply as a precautionary measure.

  1. Expire existing tokens.
    kafka-delegation-tokens --bootstrap-server hostname:port --expire --expiry-time-period -1 --command-config --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==
  2. Generate a new master key
    curl -X PUT -u "user" -H "content-type:application/json" -i "https://cloudera manager host:7183/api/v31/clusters/cluster name/services/kafka service name/config" -d '{"items" : [ {"name" : "delegation.token.master.key","value" : "'$(openssl rand -base64 24)'","sensitive" : true}]}'
  3. Perform a Rolling Restart:
    1. In Cloudera Manager go to the Kafka service and select Actions > Rolling Restart.
    2. Check the Restart roles with stale configurations only checkbox and click Rolling restart.
    3. Click Close when the restart has finished.
  4. Reauthenticate with all clients.
    This generates the new tokens.
The Master Key/Secret is rotated.