Manage individual delegation tokens

A list of example actions you can issue to manage individual delegation tokens.

The functionality that’s needed to manage and use delegation tokens is accessible using the AdminClient APIs or the kafka-delegation-tokens tool. All of their operations are allowed only via SASL authenticated channels.

Both the API and the script provide the following actions:
Issue, and store for verification
The owner of the token is the currently authenticated principal. A renewer can be specified when requesting the token.
kafka-delegation-tokens --bootstrap-server hostname:port  --create   --max-life-time-period -1 --command-config client.properties --renewer-principal User:user1
Renew
Only the owner and the principals that are renewers of the delegation token can extend its validity by renewing it before it expires. A successful renewal extends the Delegation Token’s expiration time for another renew-interval, until it reaches its max lifetime. Expired delegation tokens cannot be used to authenticate, the brokers will remove expired delegation tokens from the broker’s cache and from Zookeeper.
kafka-delegation-tokens --bootstrap-server hostname:port --renew    --renew-time-period -1 --command-config client.properties --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==
Remove
Delegation tokens are removed when they are canceled by the client or when they expire.
kafka-delegation-tokens --bootstrap-server hostname:port --expire   --expiry-time-period -1   --command-config client.properties  --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==
Describe
Tokens can be described by owners, renewers or the Kafka super user.
kafka-delegation-tokens --bootstrap-server hostname:port --describe --command-config client.properties  --owner-principal User:user1