KIP-48 — Delegation token support for Kafka
Accepted Security
Introduces delegation tokens as lightweight, broker-shared secrets derived from Kerberos TGTs, enabling clients to authenticate without repeated KDC round-trips. Tokens are managed through a new set of protocol requests: CreateDelegationToken, RenewDelegationToken, ExpireDelegationToken, and DescribeDelegationToken. Before this change, Kerberos-only setups forced every client to hold a keytab or TGT, which created performance bottlenecks on the KDC, a large blast radius on credential compromise, and high operational overhead for distributed processing frameworks.
Protocol Impact
CreateDelegationToken · RenewDelegationToken · ExpireDelegationToken · DescribeDelegationToken
Details
| Author | Parth |
| Status | Accepted |
| JIRA | KAFKA-1696 |
| Wiki | View on Apache Wiki |
| Created | 2016-02-17 |
| Last Modified | 2018-01-13 |