[ https://issues.apache.org/jira/browse/KAFKA-13771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
RivenSun reassigned KAFKA-13771:
--------------------------------

    Assignee: RivenSun

> Support to explicitly delete delegationTokens that have expired but have not been automatically cleaned up
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-13771
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13771
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: RivenSun
>            Assignee: RivenSun
>            Priority: Major
>
> Quoting the official documentation:
> {quote}
> Tokens can also be cancelled explicitly. If a token is not renewed by the token’s expiration time or if token is beyond the max life time, it will be deleted from all broker caches as well as from zookeeper.
> {quote}
> 1. The first point above means that after the `AdminClient` initiates the EXPIRE_DELEGATION_TOKEN request, in the DelegationTokenManager.expireToken() method on the KafkaServer side, if the user passes in expireLifeTimeMs less than 0, KafkaServer will delete the corresponding delegationToken directly.
> 2. There is a thread named "delete-expired-tokens" on the KafkaServer side, which is responsible for regularly cleaning up expired tokens. The execution interval is `delegation.token.expiry.check.interval.ms`, and the default value is one hour.
>
> But if you carefully analyze the code logic in DelegationTokenManager.expireToken(), *Kafka currently does not let users delete an expired delegationToken that they no longer use/renew. If the user wants to do this, they will receive a DelegationTokenExpiredException.*
>
> In the worst case, an expired delegationToken may still be used normally within {*}an hour{*}, even though the broker can shorten this configuration (delegation.token.expiry.check.interval.ms) as much as possible.
>
> The solution is very simple: just adjust the `if` order in DelegationTokenManager.expireToken().
> {code:scala}
> if (!allowedToRenew(principal, tokenInfo)) {
>   expireResponseCallback(Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1)
> } else if (expireLifeTimeMs < 0) { //expire immediately
>   removeToken(tokenInfo.tokenId)
>   info(s"Token expired for token: ${tokenInfo.tokenId} for owner: ${tokenInfo.owner}")
>   expireResponseCallback(Errors.NONE, now)
> } else if (tokenInfo.maxTimestamp < now || tokenInfo.expiryTimestamp < now) {
>   expireResponseCallback(Errors.DELEGATION_TOKEN_EXPIRED, -1)
> } else {
>   //set expiry time stamp
>   ......
> }
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
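The following Python model is an added illustration of the branch ordering discussed in the issue; it is not code from the Kafka project or from the issue reporter. It models the broker-side token cache with the two orderings of `expireToken()` side by side: the current ordering, where the expiry check precedes the "expire immediately" branch, and the reordered version proposed above. The `allowed_to_renew` rule (owner or listed renewer), the capping of a new expiry at `maxTimestamp`, the class and field names, and the sample tokens are all assumptions made for the demonstration; `sweep_expired` stands in for the periodic "delete-expired-tokens" thread so the consequence of the current ordering (the expired token stays cached until the next sweep) is visible.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Errors(Enum):
    """Mirrors the error names used in the expireToken() snippet in the issue."""
    NONE = "NONE"
    DELEGATION_TOKEN_OWNER_MISMATCH = "DELEGATION_TOKEN_OWNER_MISMATCH"
    DELEGATION_TOKEN_EXPIRED = "DELEGATION_TOKEN_EXPIRED"


@dataclass
class TokenInfo:
    token_id: str
    owner: str
    renewers: Tuple[str, ...]
    expiry_timestamp: int  # ms; token is expired once this is in the past
    max_timestamp: int     # ms; token can never be renewed past this


class TokenManagerModel:
    """Toy model of the broker-side token cache (assumption: not Kafka's own class)."""

    def __init__(self, tokens: List[TokenInfo]):
        self.tokens: Dict[str, TokenInfo] = {t.token_id: t for t in tokens}

    def allowed_to_renew(self, principal: str, info: TokenInfo) -> bool:
        # Assumption: the owner or any listed renewer may expire/renew the token.
        return principal == info.owner or principal in info.renewers

    def _remove(self, info: TokenInfo, now: int):
        # Models removeToken(): drop the token from the broker cache immediately.
        del self.tokens[info.token_id]
        return Errors.NONE, now

    def _set_expiry(self, info: TokenInfo, expire_life_time_ms: int, now: int):
        # Models the final "set expiry time stamp" branch (assumed capped at maxTimestamp).
        info.expiry_timestamp = min(info.max_timestamp, now + expire_life_time_ms)
        return Errors.NONE, info.expiry_timestamp

    def expire_current_order(self, principal, token_id, expire_life_time_ms, now):
        """Ordering the issue describes as current: expiry check before 'expire immediately'."""
        info = self.tokens[token_id]
        if not self.allowed_to_renew(principal, info):
            return Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1
        if info.max_timestamp < now or info.expiry_timestamp < now:
            # The owner of an already-expired token cannot delete it: it stays cached.
            return Errors.DELEGATION_TOKEN_EXPIRED, -1
        if expire_life_time_ms < 0:
            return self._remove(info, now)
        return self._set_expiry(info, expire_life_time_ms, now)

    def expire_reordered(self, principal, token_id, expire_life_time_ms, now):
        """Ordering proposed in the issue: 'expire immediately' before the expiry check."""
        info = self.tokens[token_id]
        if not self.allowed_to_renew(principal, info):
            return Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1
        if expire_life_time_ms < 0:
            return self._remove(info, now)
        if info.max_timestamp < now or info.expiry_timestamp < now:
            return Errors.DELEGATION_TOKEN_EXPIRED, -1
        return self._set_expiry(info, expire_life_time_ms, now)

    def sweep_expired(self, now: int) -> List[str]:
        """Models the periodic 'delete-expired-tokens' thread; returns the removed ids."""
        expired = [tid for tid, t in self.tokens.items()
                   if t.max_timestamp < now or t.expiry_timestamp < now]
        for tid in expired:
            del self.tokens[tid]
        return expired


def sample_tokens() -> List[TokenInfo]:
    # Constructed sample data: one token already expired at t=1000 ms, one still live.
    return [
        TokenInfo("tok-expired", "alice", ("bob",), expiry_timestamp=1_000, max_timestamp=10_000),
        TokenInfo("tok-live", "alice", (), expiry_timestamp=5_000, max_timestamp=10_000),
    ]


def demo() -> dict:
    now = 2_000
    current = TokenManagerModel(sample_tokens())
    reordered = TokenManagerModel(sample_tokens())
    # The owner asks to delete her own expired token (expireLifeTimeMs < 0).
    r_current = current.expire_current_order("alice", "tok-expired", -1, now)
    r_reordered = reordered.expire_reordered("alice", "tok-expired", -1, now)
    return {
        "current": (r_current[0].name, "tok-expired" in current.tokens),
        "reordered": (r_reordered[0].name, "tok-expired" in reordered.tokens),
        # Without the fix, only the periodic sweep (default interval: one hour) removes it.
        "swept_later": current.sweep_expired(now),
    }


if __name__ == "__main__":
    print(demo())
```

In the current ordering the owner's explicit delete is answered with `DELEGATION_TOKEN_EXPIRED` and the token remains in the cache until `sweep_expired` runs; in the reordered version the same request removes it at once. Note that both orderings still check `allowed_to_renew` first, so moving the "expire immediately" branch up does not let a non-owner revoke someone else's token.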