Cloudera Enterprise 6.3.x | Other versions

Rotating the Master Key/Secret

The brokers generate and verify delegation tokens using a secret called delegation.token.master.key. This secret is generated by Cloudera Manager and securely passed to Kafka brokers when authentication with delegation tokens is enabled. You can change the secret with the Cloudera Manager API. This should be done if the secret becomes compromised, or simply as a precautionary measure.

To change the secret, complete these steps:
  Important: Clients that were already connected to brokers before starting the process, will continue to work even after the master key/secret is rotated. However, any new connections (authentication requests), as well as renew and expire requests with old tokens can fail.
  1. Expire existing tokens.

    kafka-delegation-tokens example command:

    kafka-delegation-tokens --bootstrap-server hostname:port --expire --expiry-time-period -1 --command-config client.properties --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==

  2. Generate a new master key

    curl -X PUT -u "user" -H "content-type:application/json" -i "https://cloudera manager host:7183/api/v31/clusters/cluster name/services/kafka service name/config" -d '{"items" : [ {"name" : "delegation.token.master.key","value" : "'$(openssl rand -base64 24)'","sensitive" : true}]}'

  3. Perform a Rolling Restart

    1. In Cloudera Manager go to the Kafka service and select Actions > Rolling Restart.
    2. Check the Restart roles with stale configurations only checkbox and click Rolling restart.
    3. Click Close when the restart has finished.

  4. Reauthenticate with all clients. This will generate the new tokens.

Page generated August 29, 2019.