Status
Current state: ["Under Discussion"]
Discussion thread: here
JIRA: KAFKA-6447
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
KIP-48 added support for delegation token based authentication mechanism. KIP-48/KAFKA-4541 implemented protocol request and response for delegation token operations.
This KIP is about adding these delegation token operations to the new Admin Client API.
Public Interfaces
The AdminClient API will have the following new methods added
AdminClient {
//create delegation token with default options
public CreateDelegationTokenResult createDelegationToken()
//create delegation token with supplied options
public abstract CreateDelegationTokenResult createDelegationToken(CreateDelegationTokenOptions options)
//renew delegation token with default options
public RenewDelegationTokenResult renewDelegationToken(ByteBuffer hmac)
//renew delegation token token with supplied options
public abstract RenewDelegationTokenResult renewDelegationToken(ByteBuffer hmac, RenewDelegationTokenOptions options);
//expire delegation token immediately
public ExpireDelegationTokenResult expireDelegationToken(ByteBuffer hmac)
//expire delegation token with supplied options
public abstract ExpireDelegationTokenResult expireDelegationToken(ByteBuffer hmac, ExpireDelegationTokenOptions options);
//returns all the tokens owned and authorized to current user
public DescribeDelegationTokenResult describeDelegationToken()
//returns all the tokens for the given options
public abstract DescribeDelegationTokenResult describeDelegationToken(DescribeDelegationTokenOptions options);
}
CreateDelegationTokenResult's future objects can return the following exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED, INVALID_PRINCIPAL_TYPE DELEGATION_TOKEN_AUTH_DISABLED
RenewDelegationTokenResult and ExpireDelegationTokenResult's future objects can the throw the follwoing exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED, DELEGATION_TOKEN_AUTH_DISABLED DELEGATION_TOKEN_OWNER_MISMATCH DELEGATION_TOKEN_EXPIRED DELEGATION_TOKEN_NOT_FOUND
DescribeDelegationTokenResult's future object can the throw the follwoing exceptions:
DELEGATION_TOKEN_REQUEST_NOT_ALLOWED, DELEGATION_TOKEN_AUTH_DISABLED
Proposed Changes
The following classes will be added.
CreateDelegationTokenResult, CreateDelegationTokenOptions
RenewDelegationTokenResult, RenewDelegationTokenOptions
ExpireDelegationTokenResult, ExpireDelegationTokenOptions
DescribeDelegationTokenResult, DescribeDelegationTokenOptions
public class CreateDelegationTokenResult {
private final KafkaFuture<DelegationToken> delegationToken;
CreateDelegationTokenResult(KafkaFuture<DelegationToken> delegationToken) {
this.delegationToken = delegationToken;
}
/**
* Returns a future which yields a delegation token
*/
public KafkaFuture<DelegationToken> delegationToken() {
return delegationToken;
}
}
public class CreateDelegationTokenOptions extends AbstractOptions<CreateDelegationTokenOptions> {
private long maxLifeTimeMs = -1;
private List<KafkaPrincipal> renewers = new LinkedList<>();
public CreateDelegationTokenOptions renewers(List<KafkaPrincipal> renewers) {
this.renewers = renewers;
return this;
}
public List<KafkaPrincipal> renewers() {
return renewers;
}
public CreateDelegationTokenOptions maxlifeTimeMs(long maxLifeTimeMs) {
this.maxLifeTimeMs = maxLifeTimeMs;
return this;
}
public long maxlifeTimeMs() {
return maxLifeTimeMs;
}
}
public class RenewDelegationTokenResult {
private final KafkaFuture<Long> expiryTimestamp;
RenewDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
this.expiryTimestamp = expiryTimestamp;
}
/**
* Returns a future which yields expiry timestamp
*/
public KafkaFuture<Long> expiryTimestamp() {
return expiryTimestamp;
}
}
public class RenewDelegationTokenOptions extends AbstractOptions<RenewDelegationTokenOptions> {
private long renewTimePeriodMs = -1;
public RenewDelegationTokenOptions renewTimePeriodMs(long renewTimePeriodMs) {
this.renewTimePeriodMs = renewTimePeriodMs;
return this;
}
public long renewTimePeriodMs() {
return renewTimePeriodMs;
}
}
public class ExpireDelegationTokenResult {
private final KafkaFuture<Long> expiryTimestamp;
ExpireDelegationTokenResult(KafkaFuture<Long> expiryTimestamp) {
this.expiryTimestamp = expiryTimestamp;
}
/**
* Returns a future which yields expiry timestamp
*/
public KafkaFuture<Long> expiryTimestamp() {
return expiryTimestamp;
}
}
public class ExpireDelegationTokenOptions extends AbstractOptions<ExpireDelegationTokenOptions> {
private long expiryTimePeriodMs = -1;
public ExpireDelegationTokenOptions expiryTimePeriodMs(long expiryTimePeriodMs) {
this.expiryTimePeriodMs = expiryTimePeriodMs;
return this;
}
public long expiryTimePeriodMs() {
return expiryTimePeriodMs;
}
}
public class DescribeDelegationTokenResult {
private final KafkaFuture<List<DelegationToken>> delegationTokens;
DescribeDelegationTokenResult(KafkaFuture<List<DelegationToken>> delegationTokens) {
this.delegationTokens = delegationTokens;
}
/**
* Returns a future which yields list of delegation tokens
*/
public KafkaFuture<List<DelegationToken>> delegationTokens() {
return delegationTokens;
}
}
public class DescribeDelegationTokenOptions extends AbstractOptions<DescribeDelegationTokenOptions> {
private List<KafkaPrincipal> owners;
public DescribeDelegationTokenOptions owners(List<KafkaPrincipal> owners) {
this.owners = owners;
return this;
}
public List<KafkaPrincipal> owners() {
return owners;
}
Compatibility, Deprecation, and Migration Plan
This is a new API and won't affect existing users.
Rejected Alternatives