Kafka Token Authentication Mechanism Tool Usage

Scenario

Operations need to be performed on tokens when the token authentication mechanism is used.

This section applies to security clusters of MRS 3.x or later.

Prerequisites

  • The system administrator has understood service requirements and prepared a system user.

  • The Kafka client has been installed.

Procedure

  1. Log in as a client installation user to the node on which the Kafka client is installed.

  2. Switch to the Kafka client installation directory, for example, /opt/kafkaclient.

    cd /opt/kafkaclient

  3. Run the following command to configure environment variables:

    source bigdata_env

  4. Run the following command to perform user authentication:

    kinit Component service user

  5. Run the following command to switch to the Kafka client installation directory:

    cd Kafka/kafka/bin

  6. Use kafka-delegation-tokens.sh to perform operations on tokens.

    • Generate a token for a user.

      ./kafka-delegation-tokens.sh --create --bootstrap-server <IP1:PORT, IP2:PORT,...> --max-life-time-period <Long: max life period in milliseconds> --command-config <config file> --renewer-principal User:<user name>

      Example: ./kafka-delegation-tokens.sh --create --bootstrap-server 192.168.1.1:21007,192.168.1.2:21007,192.168.1.3:21007 --command-config ../config/producer.properties --max-life-time-period -1 --renewer-principal User:username

    • List information about all tokens of a specified user.

      ./kafka-delegation-tokens.sh --describe --bootstrap-server <IP1:PORT, IP2:PORT,...> --command-config <config file> --owner-principal User:<user name>

      Example: ./kafka-delegation-tokens.sh --describe --bootstrap-server 192.168.1.1:21007,192.168.1.2:21007,192.168.1.3:21007 --command-config ../config/producer.properties --owner-principal User:username

    • Update the token validity period.

      ./kafka-delegation-tokens.sh --renew --bootstrap-server <IP1:PORT, IP2:PORT,...> --renew-time-period <Long: renew time period in milliseconds> --command-config <config file> --hmac <String: HMAC of the delegation token>

      Example: ./kafka-delegation-tokens.sh --renew --bootstrap-server 192.168.1.1:21007,192.168.1.2:21007,192.168.1.3:21007 --renew-time-period -1 --command-config ../config/producer.properties --hmac ABCDEFG

    • Destroy a token.

      ./kafka-delegation-tokens.sh --expire --bootstrap-server <IP1:PORT, IP2:PORT,...> --expiry-time-period <Long: expiry time period in milliseconds> --command-config <config file> --hmac <String: HMAC of the delegation token>

      Example: ./kafka-delegation-tokens.sh --expire --bootstrap-server 192.168.1.1:21007,192.168.1.2:21007,192.168.1.3:21007 --expiry-time-period -1 --command-config ../config/producer.properties --hmac ABCDEFG