RivenSun created KAFKA-13771:
--------------------------------

Summary: Support to explicitly delete delegationTokens that have expired but have not been automatically cleaned up
Key: KAFKA-13771
URL: https://issues.apache.org/jira/browse/KAFKA-13771
Project: Kafka
Issue Type: Improvement
Components: security
Reporter: RivenSun

Quoting the official documentation:

{quote}
Tokens can also be cancelled explicitly. If a token is not renewed by the token's expiration time or if token is beyond the max life time, it will be deleted from all broker caches as well as from zookeeper.
{quote}

1. The first point above means that after the `AdminClient` sends an EXPIRE_DELEGATION_TOKEN request, the KafkaServer side handles it in DelegationTokenManager.expireToken(); if the user passes an expireLifeTimeMs less than 0, KafkaServer deletes the corresponding delegationToken directly.

2. The KafkaServer side has a thread named "delete-expired-tokens" that periodically cleans up expired tokens. Its execution interval is `delegation.token.expiry.check.interval.ms`, with a default of one hour.

However, a careful look at the code logic in DelegationTokenManager.expireToken() shows that *Kafka currently does not allow a user to delete an expired delegationToken that they no longer use or renew. A user who tries to do so receives a DelegationTokenExpiredException.*

In the worst case, an expired delegationToken may therefore remain usable for up to *an hour*, and the broker can only narrow that window by shortening delegation.token.expiry.check.interval.ms as much as possible.

The solution is very simple: adjust the order of the `if` branches in DelegationTokenManager.expireToken() so that the explicit-delete branch is checked before the expiry check.

{code:java}
if (!allowedToRenew(principal, tokenInfo)) {
  expireResponseCallback(Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1)
} else if (expireLifeTimeMs < 0) { //expire immediately
  removeToken(tokenInfo.tokenId)
  info(s"Token expired for token: ${tokenInfo.tokenId} for owner: ${tokenInfo.owner}")
  expireResponseCallback(Errors.NONE, now)
} else if (tokenInfo.maxTimestamp < now || tokenInfo.expiryTimestamp < now) {
  expireResponseCallback(Errors.DELEGATION_TOKEN_EXPIRED, -1)
} else {
  //set expiry time stamp
  ......
}
{code}

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
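The effect of the branch order is easiest to see side by side. The following Python model is an added example written for this report, not Kafka's code: it re-implements the decision logic of expireToken() twice, once with the expiry check ahead of the explicit-delete branch (the current order, as the report describes it) and once with the proposed order, and runs both against a constructed token cache. The TokenInfo fields, the owner-or-renewer rule in allowed_to_renew(), and the clamping of a new expiry to max_timestamp in the elided "set expiry time stamp" branch are assumptions made for the model.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class Errors(Enum):
    """Subset of Kafka error codes that expireToken() reports."""
    NONE = 0
    DELEGATION_TOKEN_OWNER_MISMATCH = 1
    DELEGATION_TOKEN_EXPIRED = 2


@dataclass(frozen=True)
class TokenInfo:
    """Constructed stand-in for a broker-side token entry (fields assumed for this model)."""
    token_id: str
    owner: str
    renewers: FrozenSet[str]
    max_timestamp: int     # absolute end of life, epoch ms
    expiry_timestamp: int  # current expiry, epoch ms


Cache = Dict[str, TokenInfo]


def allowed_to_renew(principal: str, token: TokenInfo) -> bool:
    # Assumed rule: the owner or a listed renewer may renew/expire the token.
    return principal == token.owner or principal in token.renewers


def _is_expired(token: TokenInfo, now: int) -> bool:
    return token.max_timestamp < now or token.expiry_timestamp < now


def _set_expiry(cache: Cache, token: TokenInfo, expire_life_time_ms: int, now: int) -> Tuple[Errors, int]:
    """The elided 'set expiry time stamp' branch; clamping to max_timestamp is an assumption."""
    new_expiry = min(token.max_timestamp, now + expire_life_time_ms)
    cache[token.token_id] = replace(token, expiry_timestamp=new_expiry)
    return Errors.NONE, new_expiry


def expire_token_current(cache: Cache, principal: str, token_id: str,
                         expire_life_time_ms: int, now: int) -> Tuple[Errors, int]:
    """Current order per the report: the expiry check runs before the explicit-delete branch,
    so an expired-but-unswept token can never be removed by its owner."""
    token = cache[token_id]
    if not allowed_to_renew(principal, token):
        return Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1
    if _is_expired(token, now):
        return Errors.DELEGATION_TOKEN_EXPIRED, -1
    if expire_life_time_ms < 0:  # expire immediately
        del cache[token_id]
        return Errors.NONE, now
    return _set_expiry(cache, token, expire_life_time_ms, now)


def expire_token_proposed(cache: Cache, principal: str, token_id: str,
                          expire_life_time_ms: int, now: int) -> Tuple[Errors, int]:
    """Proposed order: explicit delete is honoured regardless of expiry state."""
    token = cache[token_id]
    if not allowed_to_renew(principal, token):
        return Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1
    if expire_life_time_ms < 0:  # expire immediately
        del cache[token_id]
        return Errors.NONE, now
    if _is_expired(token, now):
        return Errors.DELEGATION_TOKEN_EXPIRED, -1
    return _set_expiry(cache, token, expire_life_time_ms, now)


def make_sample_cache(now: int) -> Cache:
    """Constructed sample: one token already past expiry but not yet swept, one still live."""
    hour = 3_600_000
    return {
        "tok-expired": TokenInfo("tok-expired", "User:alice", frozenset({"User:bob"}), now + hour, now - 1),
        "tok-live": TokenInfo("tok-live", "User:alice", frozenset(), now + hour, now + 60_000),
    }


def demo() -> Dict[str, Tuple[Tuple[Errors, int], bool]]:
    """Owner tries to delete the expired token under both orders; returns (result, still cached)."""
    now = 1_000_000
    current, proposed = make_sample_cache(now), make_sample_cache(now)
    r_cur = expire_token_current(current, "User:alice", "tok-expired", -1, now)
    r_prop = expire_token_proposed(proposed, "User:alice", "tok-expired", -1, now)
    return {"current": (r_cur, "tok-expired" in current),
            "proposed": (r_prop, "tok-expired" in proposed)}


if __name__ == "__main__":
    for order, (result, cached) in demo().items():
        print(f"{order}: {result[0].name}, token still in cache: {cached}")
```

Under the current order the owner's explicit expire request on the already-expired token is refused with DELEGATION_TOKEN_EXPIRED and the entry stays in the cache until the "delete-expired-tokens" sweep; under the proposed order the same request removes it immediately, while the owner-mismatch check and the ordinary expiry-shortening path behave the same in both.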