Child pages
  • KIP-249: Add Delegation Token Operations to KafkaAdminClient
Skip to end of metadata
Go to start of metadata

Status

Current state["Under Discussion"]

Discussion thread: here

JIRA: KAFKA-6447 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

 KIP-48 added support for delegation token based authentication mechanism. KIP-48/KAFKA-4541 implemented protocol request and response for delegation token operations. 

 This KIP is about adding these delegation token operations to the new Admin Client API.

Public Interfaces

The AdminClient API will have the following new methods added 

 
AdminClient {
	//create delegation token with default options
	public CreateDelegationTokenResult createDelegationToken() 
 
    //create delegation token with supplied options
	public abstract CreateDelegationTokenResult createDelegationToken(CreateDelegationTokenOptions options)
 
    //renew delegation token with default options
	public RenewDelegationTokenResult renewDelegationToken(byte[] hmac)
 
    //renew delegation token token with supplied options
	public abstract RenewDelegationTokenResult renewDelegationToken(byte[] hmac, RenewDelegationTokenOptions options);
	
    //expire delegation token immediately
	public ExpireDelegationTokenResult expireDelegationToken(byte[] hmac)
 
    //expire delegation token with supplied options
	public abstract ExpireDelegationTokenResult expireDelegationToken(byte[] hmac, ExpireDelegationTokenOptions options);
	
    //returns all the user owned tokens and other tokens where user have Describe permission
	public DescribeDelegationTokenResult describeDelegationToken()
 
    //returns all the tokens for the given options
	public abstract DescribeDelegationTokenResult describeDelegationToken(DescribeDelegationTokenOptions options);
}
 
CreateDelegationTokenResult's future objects can return the following exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
INVALID_PRINCIPAL_TYPE
DELEGATION_TOKEN_AUTH_DISABLED

RenewDelegationTokenResult and ExpireDelegationTokenResult's future objects can the throw the follwoing exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
DELEGATION_TOKEN_AUTH_DISABLED
DELEGATION_TOKEN_OWNER_MISMATCH
DELEGATION_TOKEN_EXPIRED
DELEGATION_TOKEN_NOT_FOUND

DescribeDelegationTokenResult's future object can the throw the follwoing exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED,
DELEGATION_TOKEN_AUTH_DISABLED

Proposed Changes

The following classes will be added. 
CreateDelegationTokenResult, CreateDelegationTokenOptions
RenewDelegationTokenResult, RenewDelegationTokenOptions
ExpireDelegationTokenResult, ExpireDelegationTokenOptions
DescribeDelegationTokenResult, DescribeDelegationTokenOptions

 

public class CreateDelegationTokenResult {
    private final KafkaFuture<DelegationToken> delegationToken;

    CreateDelegationTokenResult(KafkaFuture<DelegationToken> delegationToken) {
        this.delegationToken = delegationToken;
    }

    /**
     * Returns a future which yields a delegation token
     */
    public KafkaFuture<DelegationToken> delegationToken() {
        return delegationToken;
    }
}
 
public class CreateDelegationTokenOptions extends AbstractOptions<CreateDelegationTokenOptions> {
    // default value is -1, This will default the token maxLifeTime to server side config value (delegation.token.max.lifetime.ms).
    private long maxLifeTimeMs = -1;
    private List<KafkaPrincipal> renewers =  new LinkedList<>();

    public CreateDelegationTokenOptions renewers(List<KafkaPrincipal> renewers) {
        this.renewers = renewers;
        return this;
    }

    public List<KafkaPrincipal> renewers() {
        return renewers;
    }

    public CreateDelegationTokenOptions maxlifeTimeMs(long maxLifeTimeMs) {
        this.maxLifeTimeMs = maxLifeTimeMs;
        return this;
    }

    public long maxlifeTimeMs() {
        return maxLifeTimeMs;
    }
}
 
public class RenewDelegationTokenResult {
    private final KafkaFuture<Long> expiryTimestamp;

    RenewDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
        this.expiryTimestamp = expiryTimestamp;
    }

    /**
     * Returns a future which yields expiry timestamp
     */
    public KafkaFuture<Long> expiryTimestamp() {
        return expiryTimestamp;
    }
}
 
public class RenewDelegationTokenOptions extends AbstractOptions<RenewDelegationTokenOptions> {
    // default value is -1. This will default the Renew Time period to a server side config value (delegation.token.expiry.time.ms).
    private long renewTimePeriodMs = -1;

    public RenewDelegationTokenOptions renewTimePeriodMs(long renewTimePeriodMs) {
        this.renewTimePeriodMs = renewTimePeriodMs;
        return this;
    }

    public long renewTimePeriodMs() {
        return renewTimePeriodMs;
    }
}
 
public class ExpireDelegationTokenResult {
    private final KafkaFuture<Long> expiryTimestamp;

    ExpireDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
        this.expiryTimestamp = expiryTimestamp;
    }

    /**
     * Returns a future which yields expiry timestamp
     */
    public KafkaFuture<Long> expiryTimestamp() {
        return expiryTimestamp;
    }
}


public class ExpireDelegationTokenOptions extends AbstractOptions<ExpireDelegationTokenOptions> {
	//default value is -1. This token will get invalidated immediately
    private long expiryTimePeriodMs = -1;

    public ExpireDelegationTokenOptions expiryTimePeriodMs(long expiryTimePeriodMs) {
        this.expiryTimePeriodMs = expiryTimePeriodMs;
        return this;
    }

    public long expiryTimePeriodMs() {
        return expiryTimePeriodMs;
    }
}


public class DescribeDelegationTokenResult {
    private final KafkaFuture<List<DelegationToken>> delegationTokens;

    DescribeDelegationTokenResult(KafkaFuture<List<DelegationToken>> delegationTokens) {
        this.delegationTokens = delegationTokens;
    }

    /**
     * Returns a future which yields list of delegation tokens
     */
    public KafkaFuture<List<DelegationToken>> delegationTokens() {
        return delegationTokens;
    }
}
 
public class DescribeDelegationTokenOptions extends AbstractOptions<DescribeDelegationTokenOptions> {
   //default null vaule indicates to return all the allowed tokens 
   private List<KafkaPrincipal> owners;

    public DescribeDelegationTokenOptions owners(List<KafkaPrincipal> owners) {
        this.owners = owners;
        return this;
    }

    public List<KafkaPrincipal> owners() {
        return owners;
    }

 

Compatibility, Deprecation, and Migration Plan

  • This is a new API and won't affect existing users.

Rejected Alternatives

 

  • No labels