Managing Individual Delegation Tokens

The functionality that’s needed to manage and use delegation tokens is accessible using the AdminClient APIs or the kafka-delegation-tokens tool. All of their operations are allowed only via SASL authenticated channels.

Both the API and the script provide the following actions:
Issue, and store for verification
The owner of the token is the currently authenticated principal. A renewer can be specified when requesting the token.
kafka-delegation-tokens --bootstrap-server hostname:port  --create   --max-life-time-period -1 --command-config --renewer-principal User:user1
Only the owner and the principals that are renewers of the delegation token can extend its validity by renewing it before it expires. A successful renewal extends the Delegation Token’s expiration time for another renew-interval, until it reaches its max lifetime. Expired delegation tokens cannot be used to authenticate, the brokers will remove expired delegation tokens from the broker’s cache and from Zookeeper.
kafka-delegation-tokens --bootstrap-server hostname:port --renew    --renew-time-period -1 --command-config --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==
Delegation tokens are removed when they are canceled by the client or when they expire.
kafka-delegation-tokens --bootstrap-server hostname:port --expire   --expiry-time-period -1   --command-config  --hmac lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==
Tokens can be described by owners, renewers or the Kafka super user.
kafka-delegation-tokens --bootstrap-server hostname:port --describe --command-config  --owner-principal User:user1