RivenSun created KAFKA-13771:
--------------------------------
Summary: Support to explicitly delete delegationTokens that have
expired but have not been automatically cleaned up
Key: KAFKA-13771
URL: https://issues.apache.org/jira/browse/KAFKA-13771
Project: Kafka
Issue Type: Improvement
Components: security
Reporter: RivenSun
Quoting the official documentation
{quote}
Tokens can also be cancelled explicitly. If a token is not renewed by the
token’s expiration time or if token is beyond the max life time, it will be
deleted from all broker caches as well as from zookeeper.
{quote}
1. The first point above means that after the `AdminClient` initiates the
EXPIRE_DELEGATION_TOKEN request, in the DelegationTokenManager.expireToken()
method on the KafkaServer side, if the user passes in an expireLifeTimeMs less
than 0, KafkaServer will delete the corresponding delegationToken directly.
2. There is a thread named "delete-expired-tokens" on the KafkaServer side,
which is responsible for regularly cleaning up expired tokens. The execution
interval is `delegation.token.expiry.check.interval.ms`, and the default value
is one hour.
But if you carefully analyze the code logic in DelegationTokenManager.expireToken(),
*Kafka currently does not allow a user to delete an expired delegationToken that
they no longer use/renew. If the user tries to do this, they will receive a
DelegationTokenExpiredException.*
In the worst case, an expired delegationToken may still be usable normally for
up to {*}an hour{*}, even though the broker can shorten this configuration
(delegation.token.expiry.check.interval.ms) as much as possible.
The solution is very simple, simply adjust the `if` order of
DelegationTokenManager.expireToken().
{code:scala}
if (!allowedToRenew(principal, tokenInfo)) {
  expireResponseCallback(Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1)
} else if (expireLifeTimeMs < 0) { //expire immediately
  removeToken(tokenInfo.tokenId)
  info(s"Token expired for token: ${tokenInfo.tokenId} for owner: ${tokenInfo.owner}")
  expireResponseCallback(Errors.NONE, now)
} else if (tokenInfo.maxTimestamp < now || tokenInfo.expiryTimestamp < now) {
  expireResponseCallback(Errors.DELEGATION_TOKEN_EXPIRED, -1)
} else {
  //set expiry time stamp
  ......
}
{code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
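The following is an added, self-contained Python model of the two `if` orders in DelegationTokenManager.expireToken(); it is not Kafka code and not part of this issue. The `TokenCache`, the sample token, the `fixed` flag, the `sweep_expired` stand-in for the "delete-expired-tokens" thread, and the renewal branch (which the report elides) are constructed here. The `fixed=False` path follows the report's description that the expiry check currently comes before the `expireLifeTimeMs < 0` branch, so an explicit delete of an already-expired token is answered with DELEGATION_TOKEN_EXPIRED and the token stays cached until the hourly sweep; the `fixed=True` path is the proposed order, and both orders behave identically for a still-valid token.

```python
# Added example: a minimal model of the check order in
# DelegationTokenManager.expireToken(). NOT Kafka code; cache, token and
# sweep are constructed here to show the cleanup window the report describes.
from dataclasses import dataclass, field

NONE = "NONE"
OWNER_MISMATCH = "DELEGATION_TOKEN_OWNER_MISMATCH"
EXPIRED = "DELEGATION_TOKEN_EXPIRED"

# Default of delegation.token.expiry.check.interval.ms: one hour.
EXPIRY_CHECK_INTERVAL_MS = 60 * 60 * 1000


@dataclass
class TokenInfo:
    token_id: str
    owner: str
    max_timestamp: int     # absolute ms; hard upper bound on the token's life
    expiry_timestamp: int  # absolute ms; moved forward by each renewal


@dataclass
class TokenCache:
    """Stand-in for the broker-side token cache (constructed for this model)."""
    tokens: dict = field(default_factory=dict)

    def add(self, t: TokenInfo) -> None:
        self.tokens[t.token_id] = t

    def remove(self, token_id: str) -> None:
        self.tokens.pop(token_id, None)

    def is_usable(self, token_id: str) -> bool:
        # Per the report, a token still present in the cache remains usable
        # until the periodic cleanup removes it.
        return token_id in self.tokens


def allowed_to_renew(principal: str, token: TokenInfo) -> bool:
    # Simplified: owner only (the real check also accepts configured renewers).
    return principal == token.owner


def expire_token(cache: TokenCache, principal: str, token_id: str,
                 expire_lifetime_ms: int, now: int, fixed: bool):
    """Return (error, timestamp). fixed=False: expiry check before the `< 0`
    branch, as the report says the current code does. fixed=True: the
    proposed order, where `< 0` removes the token before the expiry check."""
    token = cache.tokens[token_id]
    if not allowed_to_renew(principal, token):
        return OWNER_MISMATCH, -1
    is_expired = token.max_timestamp < now or token.expiry_timestamp < now
    if not fixed and is_expired:
        return EXPIRED, -1
    if expire_lifetime_ms < 0:  # expire immediately
        cache.remove(token_id)
        return NONE, now
    if is_expired:
        return EXPIRED, -1
    # Renewal branch (elided in the report): new expiry capped at max life.
    token.expiry_timestamp = min(now + expire_lifetime_ms, token.max_timestamp)
    return NONE, token.expiry_timestamp


def sweep_expired(cache: TokenCache, now: int) -> None:
    """Model of the 'delete-expired-tokens' thread: drop tokens past expiry."""
    stale = [tid for tid, t in cache.tokens.items()
             if t.expiry_timestamp < now or t.max_timestamp < now]
    for tid in stale:
        cache.remove(tid)


def explicit_delete_scenario(fixed: bool) -> dict:
    """Token expired at t=1000; the owner asks to expire it at t=2000 with
    expireLifeTimeMs=-1. Report the error and whether it stayed usable."""
    cache = TokenCache()
    cache.add(TokenInfo("tok-1", "User:alice", max_timestamp=10_000_000,
                        expiry_timestamp=1_000))
    now = 2_000
    err, _ = expire_token(cache, "User:alice", "tok-1", -1, now, fixed)
    usable_after_request = cache.is_usable("tok-1")
    sweep_expired(cache, now + EXPIRY_CHECK_INTERVAL_MS)  # next hourly run
    return {"error": err,
            "usable_after_request": usable_after_request,
            "usable_after_sweep": cache.is_usable("tok-1")}


def valid_token_scenario(fixed: bool):
    """A still-valid token cancelled with -1: both orders must agree."""
    cache = TokenCache()
    cache.add(TokenInfo("tok-2", "User:bob", max_timestamp=10_000_000,
                        expiry_timestamp=5_000))
    err, _ = expire_token(cache, "User:bob", "tok-2", -1, 2_000, fixed)
    return err, cache.is_usable("tok-2")


if __name__ == "__main__":
    print("current order :", explicit_delete_scenario(fixed=False))
    print("proposed order:", explicit_delete_scenario(fixed=True))
```

Running the block prints the error code returned to the AdminClient for each order plus whether the expired token was still in the cache right after the request and after the next sweep; the reordered branch is the only difference between the two runs.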