pprovenzano commented on code in PR #14083:
URL: https://github.com/apache/kafka/pull/14083#discussion_r1296005323
########## core/src/main/scala/kafka/server/ControllerApis.scala: ##########
@@ -842,6 +847,75 @@ class ControllerApis(val requestChannel: RequestChannel, } } + def handleCreateDelegationTokenRequest(request: RequestChannel.Request): CompletableFuture[Unit] = {

Review Comment:

In the Zk case we will always have to do the checks in the broker (`KafkaApis.scala` or `DelegationTokenManagerZk.scala`).

In the KRaft case where the client talks directly to the kcontroller we will have to do the checks in the controller (`ControllerApis.scala` or `DelegationTokenControlManager.java`).

In the KRaft case where the client talks to the broker and the broker forwards the request to the kcontroller we have to do the check on the connection authentication in the broker because the information about how the client to broker connection is authenticated is not forwarded. We cannot allow clients authenticated with delegation tokens to create, renew or expire delegation tokens.
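
The placement rule in the review comment above, as an added sketch that is not part of the original message and not Kafka's code: a simplified Python model of the two KRaft paths, with every class and function name hypothetical. It assumes, as the comment states, that a forwarded request does not carry how the client-to-broker connection was authenticated.

```python
from dataclasses import dataclass
from typing import Optional

class TokenRequestDenied(Exception):
    """Raised when a delegation-token request is refused."""

@dataclass(frozen=True)
class ClientConnection:
    principal: str
    token_authenticated: bool  # True if the client logged in with a delegation token

@dataclass(frozen=True)
class ControllerRequest:
    principal: str
    # None models a forwarded request (assumption taken from the comment):
    # how the client-to-broker connection was authenticated is not forwarded.
    token_authenticated: Optional[bool]

def controller_handle(req: ControllerRequest) -> str:
    # The controller can only enforce the rule on what it can see.
    if req.token_authenticated:
        raise TokenRequestDenied("controller")
    return f"token created for {req.principal}"

def direct_to_controller(conn: ClientConnection) -> str:
    # Client talks to the controller: the controller sees the connection itself.
    return controller_handle(ControllerRequest(conn.principal, conn.token_authenticated))

def via_broker(conn: ClientConnection, broker_checks: bool = True) -> str:
    # Client talks to the broker: only the broker sees the connection,
    # so the check has to happen here, before forwarding.
    if broker_checks and conn.token_authenticated:
        raise TokenRequestDenied("broker")
    return controller_handle(ControllerRequest(conn.principal, None))

def outcome(path, conn: ClientConnection, **kwargs) -> str:
    try:
        path(conn, **kwargs)
        return "allowed"
    except TokenRequestDenied as denied:
        return f"denied at {denied}"

# Constructed sample connections.
PASSWORD_CONN = ClientConnection("User:alice", token_authenticated=False)
TOKEN_CONN = ClientConnection("User:alice", token_authenticated=True)
```

In this model, `outcome(via_broker, TOKEN_CONN, broker_checks=False)` returns "allowed", because once the request is forwarded the controller has nothing left to check.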