SRM security example for a cluster environment managed by multiple Cloudera Manager instances
To run SRM in a secure environment with two clusters that have differing security
setups and are managed by different instances of Cloudera Manager, you must configure security
properties using Cloudera Manager in both clusters manually.
Consider the following replication environment.
There are two clusters, primary and secondary, each managed by a unique instance of
Cloudera Manager. Both clusters have a Kafka and a Streams Replication Manager (SRM) service
deployed on them. The clusters and Kafka services have differing security setups. In the
primary cluster TLS/SSL and Kerberos are enabled. The secondary cluster is unsecured. All
SRM driver and service roles target the same cluster and Kafka service they are deployed in.
Data replication is bidirectional.
The following example walks you through the steps to configure security for this
replication environment. In this scenario, configuration of both the primary and secondary
clusters is required. Both clusters are configured using Cloudera Manager.
Configure the primary cluster.
In the primary cluster you need to enable security feature toggles and configure
additional security properties with the Streams Replication Manager's
Replication Configs property.
In the primary cluster's Cloudera Manager, select the Streams Replication Manager
service.
Go to Configuration.
Enable TLS/SSL and Kerberos.
In environments where the clusters have differing security setups, the
configuration of the TLS/SSL and Kerberos feature toggles should match the security
of the cluster that the SRM driver is targeting. In this example, the SRM driver in
the primary cluster is targeting the primary cluster. Because the primary cluster
has both TLS/SSL and Kerberos enabled, all feature toggles have to be enabled. You
can do this by enabling the following properties:
Enable Kerberos Authentication
Enable TLS/SSL for SRM Driver
Enable TLS/SSL for SRM Service
Find the Streams Replication Manager's Replication Configs
property.
Configure the secondary cluster.
Although the secondary cluster is unsecured, configuration is still required. The
security properties of the primary cluster need to be specified. Otherwise, the SRM
instance running in this cluster will not be able to connect to the primary cluster.
Additionally, the security protocol for the secondary cluster needs to be set.
Otherwise, you will not be able to initiate the srm-control tool on any
of the secondary cluster hosts.
In the secondary cluster's Cloudera Manager, select the Streams Replication Manager
service.
Go to Configuration.
Find the Streams Replication Manager's Replication Configs
property.
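Entries of the kind this procedure adds to Replication Configs in each cluster, shown as an added example that is not part of the original Cloudera page. It assumes the cluster aliases are primary and secondary and that entries take the form of a cluster alias followed by a Kafka client property; bracketed values are placeholders.

```properties
# Constructed sample entries; cluster aliases "primary" and "secondary" are assumed.
# Values in [***...***] are placeholders to replace with site-specific values.

## Replication Configs in the PRIMARY cluster's SRM service
# The local cluster's TLS/SSL and Kerberos are covered by the feature toggles,
# so only the protocol of the remote, unsecured cluster is stated here.
secondary.security.protocol=PLAINTEXT

## Replication Configs in the SECONDARY cluster's SRM service
# Client settings for reaching the primary Kafka (TLS/SSL + Kerberos => SASL_SSL).
primary.security.protocol=SASL_SSL
primary.ssl.truststore.location=[***PATH TO TRUSTSTORE CONTAINING THE PRIMARY CA***]
primary.ssl.truststore.password=[***TRUSTSTORE PASSWORD***]
# Assumed Kafka service principal name; "kafka" is the usual default.
primary.sasl.kerberos.service.name=kafka
primary.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="[***PATH TO KEYTAB***]" principal="[***PRINCIPAL***]";
# Protocol of the local, unsecured cluster, stated explicitly so srm-control can run.
secondary.security.protocol=PLAINTEXT
```

The keytab and truststore paths must exist on every secondary-cluster host that runs an SRM role, readable only by the SRM service user. Because the secondary side is PLAINTEXT, data replicated from the primary travels to that cluster's Kafka unencrypted and unauthenticated.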