Using Kafka Delegation Tokens
Use Kafka delegation tokens to enable and disable authentication.
Tokens can be generated through either the AdminClient APIs or the kafka-delegation-tokens script. Requests for delegation tokens (creation, renewal, expiration, description) must be made over a SASL- or SSL-authenticated channel. A client that itself authenticated with a delegation token is not permitted to make token requests.
See Acquiring Kafka Delegation Token for Oozie Workflow for information on delegation tokens and Oozie workflows.
Creating a Delegation Token
The currently authenticated principal becomes the owner of the token.
kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --create --max-life-time-period -1 --command-config client.properties --renewer-principal User:<user1>
Renewing a Delegation Token
kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --renew --renew-time-period -1 --command-config client.properties --hmac <ABCDEFGHIJK>
Expiring a Delegation Token
kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --expire --expiry-time-period -1 --command-config client.properties --hmac <ABCDEFGHIJK>
Describing a Delegation Token
kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --describe --command-config client.properties --owner-principal User:<user1>
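The same create, renew, describe and expire sequence driven through the Java AdminClient API mentioned above, as an added example that is not part of the Big Data Service documentation. It assumes a Kerberos (GSSAPI) admin login, reuses the <brokerhostname> and user1 placeholders from the commands, and the 24 h maximum life and 1 h renewal period are constructed values.

```java
import java.util.Collections;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.clients.admin.CreateDelegationTokenOptions;
import org.apache.kafka.clients.admin.DescribeDelegationTokenOptions;
import org.apache.kafka.clients.admin.ExpireDelegationTokenOptions;
import org.apache.kafka.clients.admin.RenewDelegationTokenOptions;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.token.delegation.DelegationToken;

public class DelegationTokenLifecycle {
    public static void main(String[] args) throws ExecutionException, InterruptedException {
        // Admin connection: must be Kerberos/SCRAM- or SSL-authenticated (GSSAPI assumed here),
        // since a connection that logged in with a delegation token is refused when it requests tokens.
        Properties props = new Properties();
        props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "<brokerhostname>:6667");
        props.put("security.protocol", "SASL_PLAINTEXT");
        props.put("sasl.mechanism", "GSSAPI");
        props.put("sasl.kerberos.service.name", "kafka");
        try (AdminClient admin = AdminClient.create(props)) {
            // Create: caller becomes owner, user1 (placeholder) may renew; an explicit 24 h
            // max life (constructed value) replaces -1, which means "broker default".
            KafkaPrincipal renewer = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user1");
            DelegationToken token = admin.createDelegationToken(
                    new CreateDelegationTokenOptions().renewers(Collections.singletonList(renewer))
                            .maxlifeTimeMs(24L * 60 * 60 * 1000))
                    .delegationToken().get();
            String tokenId = token.tokenInfo().tokenId();  // username="<TOKEN_ID>" in the client properties
            String hmac = token.hmacAsBase64String();       // password="<TOKEN_PASS>"; deliver out of band, never log it
            // Renew: extend expiry by 1 h (constructed); only the owner or a listed renewer may do this.
            long expiresAt = admin.renewDelegationToken(token.hmac(),
                    new RenewDelegationTokenOptions().renewTimePeriodMs(60L * 60 * 1000))
                    .expiryTimestamp().get();
            // Describe: audit every token this owner holds, expiry against its hard max life.
            for (DelegationToken t : admin.describeDelegationToken(
                    new DescribeDelegationTokenOptions()
                            .owners(Collections.singletonList(token.tokenInfo().owner())))
                    .delegationTokens().get()) {
                System.out.printf("%s expiry=%d max=%d%n", t.tokenInfo().tokenId(),
                        t.tokenInfo().expiryTimestamp(), t.tokenInfo().maxTimestamp());
            }
            // Expire immediately (-1) once the client is retired or the HMAC may have leaked.
            admin.expireDelegationToken(token.hmac(),
                    new ExpireDelegationTokenOptions().expiryTimePeriodMs(-1L))
                    .expiryTimestamp().get();
        }
    }
}
```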
Creating a Kafka Client
You can create a Kafka client in Big Data Service using delegation tokens.
Include the following in the client properties:
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  tokenauth="true" \
  serviceName="kafka" \
  username="<TOKEN_ID>" \
  password="<TOKEN_PASS>";
Replace <TOKEN_ID> and <TOKEN_PASS> with the token ID and the token HMAC.
We recommend that you update delegation.token.master.key in Ambari under Kafka > Configs to a secret key of your choosing. This key is used to generate and verify delegation tokens; if it is not set or is empty, delegation token functionality is disabled. For additional information, see: