Configuring Token Authentication Information for Kafka Users
Scenario
Operations need to be performed on tokens when the token authentication mechanism is used.
This section applies to Kerberos authentication-enabled clusters of MRS 3.x or later.
Prerequisites
- The MRS cluster administrator has understood service requirements and prepared a system user.
- The token authentication mechanism has been enabled. For details, see Sample Code Running Guide for the Kafka Token Authentication Mechanism.
- The Kafka client has been installed.
Procedure
- Log in as a client installation user to the node on which the Kafka client is installed.
- Switch to the Kafka client installation directory, for example, /opt/client.
cd /opt/client
- Run the following command to configure environment variables:
source bigdata_env
- Run the following command to perform user authentication:
kinit Component service user
- Run the following command to switch to the Kafka client installation directory:
cd Kafka/kafka/bin
- Use kafka-delegation-tokens.sh to perform operations on tokens.
- Generate a token for a user.
./kafka-delegation-tokens.sh --create --bootstrap-server <IP1:PORT, IP2:PORT,...> --max-life-time-period <Long: max life period in milliseconds> --command-config <config file> --renewer-principal User:<user name>
Example: ./kafka-delegation-tokens.sh --create --bootstrap-server 192.168.1.1:21007,192.168.1.2:21007,192.168.1.3:21007 --command-config ../config/producer.properties --max-life-time-period -1 --renewer-principal User:username
- List information about all tokens of a specified user.
./kafka-delegation-tokens.sh --describe --bootstrap-server <IP1:PORT, IP2:PORT,...> --command-config <config file> --owner-principal User:<user name>
Example: ./kafka-delegation-tokens.sh --describe --bootstrap-server 192.168.1.1:21007,192.168.1.2:21007,192.168.1.3:21007 --command-config ../config/producer.properties --owner-principal User:username
- Update the token validity period.
./kafka-delegation-tokens.sh --renew --bootstrap-server <IP1:PORT, IP2:PORT,...> --renew-time-period <Long: renew time period in milliseconds> --command-config <config file> --hmac <String: HMAC of the delegation token>
Example: ./kafka-delegation-tokens.sh --renew --bootstrap-server 192.168.1.1:21007,192.168.1.2:21007,192.168.1.3:21007 --renew-time-period -1 --command-config ../config/producer.properties --hmac ABCDEFG
- Destroy a token.
./kafka-delegation-tokens.sh --expire --bootstrap-server <IP1:PORT, IP2:PORT,...> --expiry-time-period <Long: expiry time period in milliseconds> --command-config <config file> --hmac <String: HMAC of the delegation token>
Example: ./kafka-delegation-tokens.sh --expire --bootstrap-server 192.168.1.1:21007,192.168.1.2:21007,192.168.1.3:21007 --expiry-time-period -1 --command-config ../config/producer.properties --hmac ABCDEFG
- Generate a token for a user.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
