Kafka Error DELEGATION_TOKEN_OWNER_MISMATCH
Error code 63 · Non-retriable · Security
Specified Principal is not valid Owner/Renewer.
Common Causes
- A user attempts to renew or expire a token that was created by a different principal (tokens can only be managed by their owner or designated renewers)
- The service account was renamed or re-created, but old tokens still reference the previous principal name
- The admin tool is running under a different SASL identity than the one that created the token
Solutions
- Re-authenticate as the token owner principal and retry the renew/expire operation
- Add the new principal as a renewer when creating tokens: `kafka-delegation-tokens.sh --bootstrap-server localhost:9092 --create --renewer-principal User:<renewerUser>`
- Use a super-user to describe all tokens and expire orphaned tokens with the token HMAC: `kafka-delegation-tokens.sh --bootstrap-server localhost:9092 --expire --hmac <token-hmac> --expiry-time-period -1`
Diagnostic Commands
```bash
# List tokens and check ownership
kafka-delegation-tokens.sh --bootstrap-server localhost:9092 --describe | grep -E 'owner|renewers'
# Look for delegation token events in logs
grep 'TokenOwnerMismatch\|DELEGATION_TOKEN_OWNER' /path/to/kafka/logs/server.log | tail -10
```
Related APIs
This error can be returned by: ExpireDelegationToken · RenewDelegationToken
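The owner/renewer rule from the causes above can be checked before a renew or expire is attempted. The following is an added example, not Kafka or Conduktor code: it models that rule over token metadata and sorts each token into `ok`, `owner_mismatch` (another live principal can manage it) or `orphaned` (no owner or renewer still exists). The `Token` record, the `audit` helper, the list of live principals and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Token:
    token_id: str
    owner: str                                   # principal string, e.g. "User:etl"
    renewers: frozenset = field(default_factory=frozenset)

def parse_principal(text):
    """Split 'Type:name' on the first ':' only; the name part may contain ':'."""
    ptype, sep, name = text.partition(":")
    if not sep or not ptype or not name:
        raise ValueError(f"not a Type:name principal: {text!r}")
    return ptype, name

def managers(token):
    """Principals allowed to renew/expire the token: its owner and its renewers."""
    return {parse_principal(token.owner)} | {parse_principal(r) for r in token.renewers}

def can_manage(caller, token):
    """Exact, case-sensitive match on both type and name (assumed comparison rule)."""
    return parse_principal(caller) in managers(token)

def audit(caller, tokens, live_principals):
    """Classify every token for the identity the admin tool authenticates as."""
    live = {parse_principal(p) for p in live_principals}
    report = {}
    for t in tokens:
        if can_manage(caller, t):
            report[t.token_id] = "ok"
        elif managers(t) & live:
            report[t.token_id] = "owner_mismatch"   # retry as the owner or a renewer
        else:
            report[t.token_id] = "orphaned"         # no surviving owner or renewer
    return report

# Constructed sample data, not output from a real cluster.
TOKENS = [
    Token("tok-1", "User:etl", frozenset({"User:ops"})),
    Token("tok-2", "User:billing"),
    Token("tok-3", "User:etl-old"),      # service account has since been re-created
]
LIVE = ["User:etl", "User:ops", "User:billing"]

if __name__ == "__main__":
    for token_id, state in audit("User:ops", TOKENS, LIVE).items():
        print(token_id, state)
```

Tokens reported as `owner_mismatch` are the ones for which a renew or expire request from that caller would be rejected with error code 63.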