Kafka / KAFKA-13771

Support to explicitly delete delegationTokens that have expired but have not been automatically cleaned up


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Resolved
    • None
    • Fix Version/s: 3.5.0
    • Labels: security
    • None

    Description

      Quoting the official documentation

      Tokens can also be cancelled explicitly. If a token is not renewed by the token’s expiration time or if token is beyond the max life time, it will be deleted from all broker caches as well as from zookeeper.

      1. The first point above means that after the `AdminClient` sends an EXPIRE_DELEGATION_TOKEN request, the DelegationTokenManager.expireToken() method on the KafkaServer side deletes the corresponding delegationToken directly if the user passes in an expireLifeTimeMs less than 0.

      2. There is a thread named "delete-expired-tokens" on the KafkaServer side which is responsible for regularly cleaning up expired tokens. Its execution interval is `delegation.token.expiry.check.interval.ms`, and the default value is one hour.

      But if you analyze the code logic in DelegationTokenManager.expireToken() carefully, Kafka currently does not allow a user to delete an expired delegationToken that they no longer use or renew. If the user tries to do this, they will receive a DelegationTokenExpiredException.

      In the worst case, an expired delegationToken may still be usable for up to an hour, even though the broker can shorten this configuration (delegation.token.expiry.check.interval.ms) as much as possible.

      The solution is very simple: just adjust the order of the `if` branches in DelegationTokenManager.expireToken().

      if (!allowedToRenew(principal, tokenInfo)) {
        expireResponseCallback(Errors.DELEGATION_TOKEN_OWNER_MISMATCH, -1)
      } else if (expireLifeTimeMs < 0) { // expire immediately: handled before the expiry check
        removeToken(tokenInfo.tokenId)
        info(s"Token expired for token: ${tokenInfo.tokenId} for owner: ${tokenInfo.owner}")
        expireResponseCallback(Errors.NONE, now)
      } else if (tokenInfo.maxTimestamp < now || tokenInfo.expiryTimestamp < now) {
        expireResponseCallback(Errors.DELEGATION_TOKEN_EXPIRED, -1)
      } else {
        // set expiry time stamp
        ......
      }
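The following is an added illustration of the ordering problem the ticket describes, not Kafka's own code. It models DelegationTokenManager.expireToken() with the three checks in both the order the reporter analysed and the proposed order, plus one sweep of the "delete-expired-tokens" thread, and runs a constructed timeline in which a token that has already expired is explicitly deleted by its owner. The dict-backed TokenCache, the TokenInfo fields, the principal strings, the timestamps and the 3 600 000 ms sweep interval (the default of delegation.token.expiry.check.interval.ms) are all assumptions made for the example; the real broker looks the token up by HMAC, writes the removal to ZooKeeper and answers through a callback, none of which is reproduced here.

```python
"""Constructed model of the check ordering in DelegationTokenManager.expireToken().

Added example, not Kafka's own code: token lookup, ZooKeeper write and response
callback are replaced by a dict-backed cache and plain return values; only the
ordering of the three checks and the periodic sweep are reproduced.
"""
from dataclasses import dataclass

# Names mirror org.apache.kafka.common.protocol.Errors; numeric codes are not modelled.
NONE = "NONE"
DELEGATION_TOKEN_OWNER_MISMATCH = "DELEGATION_TOKEN_OWNER_MISMATCH"
DELEGATION_TOKEN_EXPIRED = "DELEGATION_TOKEN_EXPIRED"

ONE_HOUR_MS = 3_600_000  # default delegation.token.expiry.check.interval.ms


@dataclass
class TokenInfo:
    token_id: str
    owner: str
    renewers: frozenset
    max_timestamp: int     # absolute max lifetime, ms since epoch (assumed values)
    expiry_timestamp: int  # current expiry, ms since epoch (assumed values)


class TokenCache:
    """Stand-in for the broker-side token cache (and the store behind it)."""

    def __init__(self):
        self.tokens = {}

    def add(self, info):
        self.tokens[info.token_id] = info

    def remove(self, token_id):
        self.tokens.pop(token_id, None)

    def __contains__(self, token_id):
        return token_id in self.tokens


def allowed_to_renew(principal, info):
    return principal == info.owner or principal in info.renewers


def expire_token_original(cache, principal, info, expire_life_time_ms, now):
    """Order described in the ticket: the expiry check runs before the explicit-delete branch."""
    if not allowed_to_renew(principal, info):
        return DELEGATION_TOKEN_OWNER_MISMATCH, -1
    if info.max_timestamp < now or info.expiry_timestamp < now:
        return DELEGATION_TOKEN_EXPIRED, -1       # an already-expired token cannot be deleted here
    if expire_life_time_ms < 0:
        cache.remove(info.token_id)               # expire immediately
        return NONE, now
    info.expiry_timestamp = min(info.max_timestamp, now + expire_life_time_ms)
    return NONE, info.expiry_timestamp


def expire_token_reordered(cache, principal, info, expire_life_time_ms, now):
    """Order proposed in the ticket: explicit delete (expireLifeTimeMs < 0) precedes the expiry check."""
    if not allowed_to_renew(principal, info):
        return DELEGATION_TOKEN_OWNER_MISMATCH, -1
    if expire_life_time_ms < 0:
        cache.remove(info.token_id)               # expire immediately, whether or not already expired
        return NONE, now
    if info.max_timestamp < now or info.expiry_timestamp < now:
        return DELEGATION_TOKEN_EXPIRED, -1
    info.expiry_timestamp = min(info.max_timestamp, now + expire_life_time_ms)
    return NONE, info.expiry_timestamp


def delete_expired_tokens(cache, now):
    """One sweep of the 'delete-expired-tokens' thread; returns the ids it removed."""
    stale = [tid for tid, t in cache.tokens.items()
             if t.max_timestamp < now or t.expiry_timestamp < now]
    for tid in stale:
        cache.remove(tid)
    return stale


def run_scenario(expire_fn, check_interval_ms=ONE_HOUR_MS):
    """Constructed timeline: a sweep ran at t=0, the token expired at t=1000 and its owner
    sends an explicit delete (expireLifeTimeMs = -1) at t=1500.  Returns the broker's
    (error, timestamp) response, whether the token is still cached afterwards, and how
    many ms it lingers until the next sweep finally removes it."""
    cache = TokenCache()
    token = TokenInfo("tok-1", "User:alice", frozenset(),
                      max_timestamp=86_400_000, expiry_timestamp=1000)
    cache.add(token)
    now = 1500
    response = expire_fn(cache, "User:alice", token, -1, now)
    still_cached = "tok-1" in cache
    removed_by_sweep = delete_expired_tokens(cache, now=check_interval_ms)
    lingered_ms = check_interval_ms - now if removed_by_sweep else 0
    return response, still_cached, lingered_ms


if __name__ == "__main__":
    for fn in (expire_token_original, expire_token_reordered):
        print(fn.__name__, run_scenario(fn))
```

With the original order the owner's delete request is answered with DELEGATION_TOKEN_EXPIRED and the token stays in the cache until the sweep, which at the default interval can be almost an hour later; with the proposed order the same request removes it immediately, and the owner-mismatch check still runs first in both variants, so a non-owner cannot use the explicit-delete path to remove someone else's token.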

      Attachments

        Activity


          People

            Assignee: RivenSun
            Reporter: RivenSun
            Votes: 0
            Watchers: 3

            Dates

              Created:
              Updated:
              Resolved:
