Using Kafka Delegation Tokens

Kafka delegation tokens are a lightweight authentication mechanism that complements SASL and SSL authentication. A principal that has already authenticated with Kerberos or SCRAM can obtain a renewable, time-limited token, and any client that presents that token's ID and HMAC is authenticated as the token's owner. This lets distributed jobs reach Kafka without copying the owner's keytab or password to every worker.

Tokens can be generated through either the AdminClient APIs or the kafka-delegation-tokens script. Requests that create, renew, expire, or describe tokens must be made over a SASL- or SSL-authenticated connection. A connection that was itself authenticated with a delegation token cannot issue any of these requests, so tokens cannot be used to obtain further tokens.

See Acquiring Kafka Delegation Token for Oozie Workflow for information on delegation tokens and Oozie workflows.

Creating a Delegation Token

The currently authenticated principal (the one whose credentials are in client.properties) becomes the owner of the token. --max-life-time-period -1 uses the broker's default maximum lifetime (delegation.token.max.lifetime.ms); a positive value is a lifetime in milliseconds. --renewer-principal names principals that may renew the token in addition to the owner. The command prints the token ID and its HMAC; the HMAC is the token's secret, so capture it directly from the command output and store it as you would a password.

kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --create --max-life-time-period -1 --command-config client.properties --renewer-principal User:<user1>

Renewing a Delegation Token

Only the owner or a principal listed in --renewer-principal can renew a token. --renew-time-period -1 extends the expiry by the broker's default (delegation.token.expiry.time.ms); a positive value is milliseconds. A token can never be renewed past the maximum lifetime fixed when it was created.

kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --renew --renew-time-period -1 --command-config client.properties --hmac <ABCDEFGHIJK>

Expiring a Delegation Token

Use this to revoke a token that is no longer needed or that may have leaked. --expiry-time-period -1 invalidates the token immediately; a positive value sets a new expiry that many milliseconds from now, still capped by the token's maximum lifetime.

kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --expire --expiry-time-period -1 --command-config client.properties --hmac <ABCDEFGHIJK>

Describing a Delegation Token

Lists the tokens owned by the given principal, including their renewers, issue, expiry, and maximum dates. Omit --owner-principal to list the tokens visible to the calling principal.

kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --describe --command-config client.properties --owner-principal User:<user1>

Creating a Kafka Client

A Kafka client in Big Data Service can authenticate with a delegation token instead of the owner's Kerberos or SCRAM credentials. Token authentication runs over the SCRAM SASL mechanism with tokenauth="true", using the token ID as the username and the HMAC as the password.

Include the following in the client properties (SASL_PLAINTEXT authenticates the connection but does not encrypt traffic; use SASL_SSL where the cluster's listeners support it):

security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    tokenauth="true" \
    serviceName="kafka" \
    username="<TOKEN_ID>" \
    password="<TOKEN_PASS>";

Replace <TOKEN_ID> and <TOKEN_PASS> with the token ID and HMAC printed by the --create command (the TOKENID and HMAC columns). The trailing backslashes are Java properties line continuations; the whole sasl.jaas.config value may also be written on a single line. Because the HMAC is the token's secret, restrict read access to this properties file to the user that runs the client.
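The procedure above, from the --create output to a working client.properties, as an added example that is not part of this page or of Kafka's own tooling. The sample command output is constructed to match the column headers that kafka-delegation-tokens prints (TOKENID, HMAC, OWNER, RENEWERS, ...); the token ID and HMAC in it are made up, and the parser assumes the token ID and HMAC are the first two columns of the first data row after the header, which you should check against the Kafka version installed on your cluster. The script writes the file owner-readable only and refuses to write a configuration with an empty token ID or HMAC:

```bash
#!/bin/sh
# Added example (not from the page or from Kafka): build a token-authenticated
# client.properties from the output of `kafka-delegation-tokens --create`.
set -eu

# Constructed sample of `--create` output. The column headers follow what the
# command prints; the TOKENID and HMAC values are made up for this example.
SAMPLE_CREATE_OUTPUT='Calling create token operation with renewers :[User:user1] , max-life-time-period :-1
Created delegation token with tokenId : 3XSpQsWnRZKAYfEqg0Cdjg

TOKENID                 HMAC                                                  OWNER        RENEWERS       ISSUEDATE         EXPIRYDATE        MAXDATE
3XSpQsWnRZKAYfEqg0Cdjg  Q29uc3RydWN0ZWRIbWFjVmFsdWVOb3RSZWFsMTIzNDU2Nzg5MA==  User:user1   [User:user1]   2024-05-01T10:00  2024-05-02T10:00  2024-05-08T10:00'

# Print "TOKENID HMAC" from the first data row after the TOKENID header line
# (assumption: token ID and HMAC are the first two columns of that row).
token_fields() {
  printf '%s\n' "$1" | awk '
    $1 == "TOKENID" { in_table = 1; next }
    in_table && NF >= 2 { print $1, $2; exit }
  '
}

# Write client.properties for SCRAM token authentication.
# $1 = token ID, $2 = base64 HMAC, $3 = output path.
write_token_client_properties() {
  tokenid=$1; hmac=$2; out=$3
  # Refuse to write a config that would only fail at connect time.
  if [ -z "$tokenid" ] || [ -z "$hmac" ]; then
    echo "token id or hmac missing; nothing written" >&2
    return 1
  fi
  # The HMAC is a password: create the file owner-readable only (umask set in
  # a subshell so the caller's umask is left untouched).
  (
    umask 077
    cat > "$out" <<EOF
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required tokenauth="true" serviceName="kafka" username="$tokenid" password="$hmac";
EOF
  )
}

# Parse the create output and write the properties file.
# $1 = text printed by `kafka-delegation-tokens --create`, $2 = output path.
build_client_properties() {
  fields=$(token_fields "$1")
  write_token_client_properties "${fields%% *}" "${fields#* }" "$2"
}

# Usage: in the real flow, capture the live command output instead of the sample:
#   out=$(kafka-delegation-tokens --bootstrap-server <brokerhostname>:6667 --create \
#         --max-life-time-period -1 --command-config client.properties \
#         --renewer-principal User:<user1>)
#   build_client_properties "$out" ./token-client.properties
build_client_properties "$SAMPLE_CREATE_OUTPUT" "${TMPDIR:-/tmp}/token-client.properties"
```

The generated file is what you pass to a producer, consumer, or Oozie action as its client configuration; keep the original client.properties (the one holding the owner's Kerberos or SCRAM credentials) separate, since that is the file you need for later renew and expire calls, and a token-authenticated connection cannot make those calls.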

Note

Set delegation.token.master.key in Ambari under Kafka > Configs to a long random secret (32 or more bytes from a cryptographic random source) before relying on delegation tokens. Brokers use this key to generate and verify token HMACs, so the same value must be configured on every broker, and it must be treated as a broker-only secret: it is never needed by clients. If the key is not set or is empty, delegation token support is disabled and the create, renew, expire, and describe operations fail.

For additional information, see: