Posted to jira@kafka.apache.org by "RivenSun (Jira)" <ji...@apache.org> on 2023/02/28 07:32:00 UTC

[jira] [Commented] (KAFKA-13771) Support to explicitly delete delegationTokens that have expired but have not been automatically cleaned up

    [ https://issues.apache.org/jira/browse/KAFKA-13771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17694380#comment-17694380 ] 

RivenSun commented on KAFKA-13771:
----------------------------------

Hi [~showuon], the PR is merged.
Could you help change this Jira status to "resolved"?
Thanks.

> Support to explicitly delete delegationTokens that have expired but have not been automatically cleaned up
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-13771
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13771
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: RivenSun
>            Assignee: RivenSun
>            Priority: Major
>
> Quoting the official documentation
> {quote}
> Tokens can also be cancelled explicitly. If a token is not renewed by the token’s expiration time or if token is beyond the max life time, it will be deleted from all broker caches as well as from zookeeper.
> {quote}
> 1. The first point above means that after the `AdminClient` initiates the EXPIRE_DELEGATION_TOKEN request, in the DelegationTokenManager.expireToken() method on the KafkaServer side, if the user passes in expireLifeTimeMs less than 0, KafkaServer will delete the corresponding delegationToken directly.
> 2. There is a thread named "delete-expired-tokens" on the KafkaServer side, which is responsible for regularly cleaning up expired tokens. The execution interval is `delegation.token.expiry.check.interval.ms`, and the default value is one hour.
> But if you carefully analyze the code logic in DelegationTokenManager.expireToken(), *Kafka currently does not allow users to delete an expired delegationToken that they no longer use or renew. If the user tries to do this, they will receive a DelegationTokenExpiredException.*
> In the worst case, an expired delegationToken may still be usable within {*}an hour{*}, even though the broker can shorten this configuration (delegation.token.expiry.check.interval.ms) as much as possible.
> The solution is very simple: just adjust the `if` order in DelegationTokenManager.expireToken().
> {code:java}
> if (!allowedToRenew(principal, tokenInfo)) {
>   expireResponseCallback(Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1)
> } else if (expireLifeTimeMs < 0) { //expire immediately
>   removeToken(tokenInfo.tokenId)
>   info(s"Token expired for token: ${tokenInfo.tokenId} for owner: ${tokenInfo.owner}")
>   expireResponseCallback(Errors.NONE, now)
> } else if (tokenInfo.maxTimestamp < now || tokenInfo.expiryTimestamp < now) {
>   expireResponseCallback(Errors.DELEGATION_TOKEN_EXPIRED, -1)
> } else {
>   //set expiry time stamp
>  ......
> } {code}
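To make the effect of the check order concrete, here is an added stand-alone Python model of the expireToken() decision logic; it is not Kafka's code. The Errors values, TokenInfo fields and the cache dict are constructed for the example, allowedToRenew is simplified to an owner check, and the expiry timestamp in the renew-style path is assumed to be capped at maxTimestamp.

```python
from dataclasses import dataclass
from enum import Enum

class Errors(Enum):
    NONE = "NONE"
    DELEGATION_TOKEN_OWNER_MISMATCH = "DELEGATION_TOKEN_OWNER_MISMATCH"
    DELEGATION_TOKEN_EXPIRED = "DELEGATION_TOKEN_EXPIRED"

@dataclass
class TokenInfo:
    token_id: str
    owner: str
    expiry_timestamp: int  # ms; renewable deadline
    max_timestamp: int     # ms; hard upper bound on the token's life

def allowed_to_renew(principal, token):
    # Simplified stand-in: only the owner may expire/renew (Kafka also allows listed renewers).
    return principal == token.owner

def expire_token(cache, principal, token_id, expire_life_time_ms, now, reordered):
    """Model of DelegationTokenManager.expireToken(). reordered=False keeps the original
    check order; reordered=True applies the swap proposed in KAFKA-13771."""
    token = cache[token_id]
    expired = token.max_timestamp < now or token.expiry_timestamp < now
    if not allowed_to_renew(principal, token):
        return Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1
    if expired and not reordered:  # original order: an expired token can never be deleted here
        return Errors.DELEGATION_TOKEN_EXPIRED, -1
    if expire_life_time_ms < 0:    # expire immediately
        del cache[token_id]
        return Errors.NONE, now
    if expired:                    # reordered: expiry only guards the renew-style path
        return Errors.DELEGATION_TOKEN_EXPIRED, -1
    # set expiry time stamp (assumed here to be capped at maxTimestamp)
    token.expiry_timestamp = min(now + expire_life_time_ms, token.max_timestamp)
    return Errors.NONE, token.expiry_timestamp

NOW = 1_000_000  # constructed "current time" in ms

def sample_cache():
    # Constructed sample: expiryTimestamp passed 5 minutes ago, but the hourly
    # delete-expired-tokens thread has not run yet, so the token is still cached.
    return {"tok-1": TokenInfo("tok-1", "User:alice", NOW - 300_000, NOW + 7 * 86_400_000)}

def demo():
    """Same request (expireLifeTimeMs = -1) from the owner against both check orders."""
    before, after = sample_cache(), sample_cache()
    r_before = expire_token(before, "User:alice", "tok-1", -1, NOW, reordered=False)
    r_after = expire_token(after, "User:alice", "tok-1", -1, NOW, reordered=True)
    return r_before, "tok-1" in before, r_after, "tok-1" in after
```

With the original order the owner's delete request is answered with DELEGATION_TOKEN_EXPIRED and the token stays in the cache; with the reordered checks it is removed immediately, while the owner-mismatch check still runs first in both variants.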



--
This message was sent by Atlassian Jira
(v8.20.10#820010)