Enable security for Cruise Control
You can use the SSL/TLS security protocols to secure Cruise Control. The security protocol should be the same as the one used for Kafka. You can also choose between SPNEGO and Trusted Proxy as the authentication method, and assign admin, user and viewer roles to users for finer-grained authorization over Cruise Control tasks.
You can find the security settings for Cruise Control at
- PLAINTEXT
- SSL
- SASL_PLAINTEXT
- SASL_SSL
Keytabs are generated when using Kerberos. You need to provide the trust store file location and the trust store password.
You can enable TLS/SSL for the Cruise Control web server using the webserver.ssl.enable property. You must provide the TLS/SSL configuration settings of the Kafka broker to the keystore. For more information about the security settings for Kafka, see the Kafka documentation.
There are two authentication methods for Cruise Control: SPNEGO and Trusted Proxy. SPNEGO uses Kerberos over HTTP. Trusted Proxy uses Knox through a gateway mechanism, where Knox authenticates with Cruise Control over SPNEGO and forwards the real user ID.
- Admin role: has access to all endpoints
- User role: has access to all the GET endpoints except bootstrap and train
- Viewer role: has access to the most lightweight kafka_cluster_state, user_tasks and review_board endpoints
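
The role rules above, written out as an added example (not part of the product documentation or of Cruise Control itself): it flags constructed request records that go beyond the caller's role and picks the least-privileged role for a set of calls. The /kafkacruisecontrol/ path prefix, the load and rebalance endpoint names, the user names and the record layout are assumptions made for the sample input.

```python
from urllib.parse import urlsplit

# Role rules as listed on this page.
USER_DENIED_GET = {"bootstrap", "train"}
VIEWER_ALLOWED = {"kafka_cluster_state", "user_tasks", "review_board"}

def endpoint_of(url_or_path):
    """Last path segment, lower-cased, with any query string dropped."""
    return urlsplit(url_or_path).path.rstrip("/").rsplit("/", 1)[-1].lower()

def is_allowed(role, method, url_or_path):
    """Apply the page's role rules to one request; unknown roles are denied."""
    role, method, ep = role.upper(), method.upper(), endpoint_of(url_or_path)
    if role == "ADMIN":
        return True
    if role == "USER":
        return method == "GET" and ep not in USER_DENIED_GET
    if role == "VIEWER":
        # Assumption: the three viewer endpoints are read-only, so GET only.
        return method == "GET" and ep in VIEWER_ALLOWED
    return False

def least_privileged_role(calls):
    """Lowest role that permits every (method, path) pair in calls."""
    for role in ("VIEWER", "USER"):
        if all(is_allowed(role, m, p) for m, p in calls):
            return role
    return "ADMIN"  # only ADMIN covers everything else

def audit(records):
    """Records whose request goes beyond the caller's assigned role."""
    return [r for r in records
            if not is_allowed(r["role"], r["method"], r["path"])]

# Constructed sample records (hypothetical users, assumed path prefix).
P = "/kafkacruisecontrol/"
SAMPLE = [
    {"user": "dashboard", "role": "VIEWER", "method": "GET", "path": P + "kafka_cluster_state?json=true"},
    {"user": "dashboard", "role": "VIEWER", "method": "GET", "path": P + "load"},
    {"user": "analyst", "role": "USER", "method": "GET", "path": P + "load"},
    {"user": "analyst", "role": "USER", "method": "GET", "path": P + "train?start=0"},
    {"user": "analyst", "role": "USER", "method": "POST", "path": P + "rebalance"},
    {"user": "ops", "role": "ADMIN", "method": "POST", "path": P + "rebalance"},
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print("exceeds role:", r["user"], r["role"], r["method"], r["path"])
    print(least_privileged_role([("GET", P + "user_tasks"), ("GET", P + "load")]))
```

Running least_privileged_role over the calls a service account actually needs gives the role to assign it, rather than defaulting to admin.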