Running MirrorMaker on Kerberos-Enabled Clusters
To run MirrorMaker on a Kerberos/SASL-enabled cluster, configure producer and consumer properties as follows:
- Choose or add a new principal for MirrorMaker. Do not use kafka or any other service accounts. The following example uses principal mirrormaker.
- Create client-side Kerberos keytabs for your MirrorMaker principal. For example:
sudo kadmin.local -q "ktadd -k /tmp/mirrormaker.keytab mirrormaker/HOSTNAME@EXAMPLE.COM"
- Add a new JAAS configuration file to the node where you plan to run MirrorMaker:
-Djava.security.auth.login.config=/usr/hdp/current/kafka-broker/config/kafka_mirrormaker_jaas.conf
- Add the following settings to the KafkaClient section of the new JAAS configuration file. Make sure the principal has permissions on both the source cluster and the target cluster.
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/tmp/mirrormaker.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="mirrormaker/HOSTNAME@EXAMPLE.COM";
};
- Run the following ACL command on the source and destination Kafka clusters:
bin/kafka-acls.sh --topic test-topic --add --allow-principal user:mirrormaker --operation ALL --config /usr/hdp/current/kafka-broker/config/server.properties
- In your MirrorMaker consumer.config and producer.config files, specify security.protocol=SASL_PLAINTEXT.
- Start MirrorMaker. Specify the new.consumer option in addition to your other options. For example:
/usr/hdp/current/kafka-broker/bin/kafka-run-class.sh kafka.tools.MirrorMaker --consumer.config consumer.properties --producer.config target-cluster-producer.properties --whitelist my-topic --new.consumer
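
A pre-flight check for the client-side settings from the steps above, as an added example (not part of the original documentation or of Kafka's tooling). The function names, the sample text and the keytab permission check are assumptions introduced here; the permission check is a hardening step this page does not list.

```python
import os
import re
import stat

# Constructed sample mirroring the KafkaClient section shown on this page.
SAMPLE_JAAS = '''KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true keyTab="/tmp/mirrormaker.keytab" storeKey=true
  useTicketCache=false serviceName="kafka"
  principal="mirrormaker/HOSTNAME@EXAMPLE.COM";
};'''

def parse_jaas(text, section="KafkaClient"):
    """Return (login_module, options) for one section of a JAAS file."""
    m = re.search(r"\b%s\s*\{(.*?)\}\s*;" % re.escape(section), text, re.S)
    if not m:
        raise ValueError("no %s section found" % section)
    opts = {k: q or b for k, q, b in
            re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;"]+))', m.group(1))}
    return m.group(1).split()[0], opts

def parse_props(text):
    """Parse key=value lines of a consumer/producer properties file."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_client(jaas_text, props_by_file, keytab_mode=None):
    """Return findings for a MirrorMaker client setup; [] means all passed."""
    findings = []
    module, o = parse_jaas(jaas_text)
    if not module.endswith("Krb5LoginModule"):
        findings.append("login module is not Krb5LoginModule")
    if o.get("useKeyTab") != "true" or not o.get("keyTab"):
        findings.append("keytab login is not configured")
    if o.get("serviceName") != "kafka":
        findings.append("serviceName is not kafka")
    if re.split(r"[/@]", o.get("principal", ""))[0] in ("", "kafka"):
        findings.append("principal is missing or is the kafka service account")
    # Assumption (hardening check, not a step on the page): keytab is owner-only.
    if keytab_mode is None and os.path.exists(o.get("keyTab", "")):
        keytab_mode = stat.S_IMODE(os.stat(o["keyTab"]).st_mode)
    if keytab_mode is not None and keytab_mode & 0o077:
        findings.append("keytab is accessible to group or other users")
    for name, text in props_by_file.items():
        if not parse_props(text).get("security.protocol", "").startswith("SASL_"):
            findings.append("%s: security.protocol is not a SASL protocol" % name)
    return findings
```

Call check_client with the contents of the JAAS file and a dict mapping each properties file name to its contents; when keytab_mode is omitted, the mode is read from the keytab path if that file exists on the node.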