Streams Replication Manager security overview

Configuring SRM security involves enabling and setting security-related features and properties for the SRM service and the srm-control command line tool. This permits SRM to access source and target clusters and replicate data between them. There are multiple methods you can use to configure security, which methods you use will depend on your cluster environment.

Streams Replication Manager (SRM) can replicate data between secured and unsecured environments, as well as between environments that have differing security setups.

You configure security by providing the SRM service (driver and service roles) as well as the srm-control command line tool with the required keys, certificates, and credentials needed to access the clusters that replication is happening between. This can be done by setting security-related configuration properties. There are three methods you can use to configure security properties. These are the following:
  • Configure security with the SSL/TLS and Kerberos feature toggles available in Cloudera Manager
  • Configure security with the Streams Replication Manager's Replication Configs Cloudera Manager property
  • Configure security with environment variables
Which configuration methods you use depends on your cluster environment. The following sections provide an overview of each method. In addition to reviewing the following sections, Cloudera recommends that you also review the security configuration examples to gain a better understanding of how you can set up security for your environment.

Configure security with the SSL/TLS and Kerberos feature toggles available in Cloudera Manager

This method can only be used to configure security for the SRM service (driver and service roles). This method does not configure security for the srm-control tool.

You can use the Enable Kerberos Authentication, Enable TLS/SSL for SRM Driver, and Enable TLS/SSL for SRM Service properties to enable or disable TLS/SSL and Kerberos for SRM. These properties can be configured in Cloudera Manager under Streams Replication Manager > Configuration. Setting these properties will give the SRM service access to the clusters and Kafka services that are managed by the same Cloudera Manager as SRM. It will not give access to clusters that are managed by a different instance of Cloudera Manager. As a result, using only this method to configure security for the SRM service can be applied if the following requirements are met:
  • The Kafka and SRM services are all managed by the same instance of Cloudera Manager.

  • All Kafka services that replication is happening between have identical security configurations.

  • Auto-TLS is turned on, or TLS is set up in accordance with Cloudera recommendations.

If the Kafka services have differing security configurations, or are managed by different Cloudera Manager instances, you need to also use the Streams Replication Manager's Replication Configs property to manually set security properties. In other words, if the above requirements are not all met, using only this method of configuration is not sufficient.

Configure security with the Streams Replication Manager's Replication Configs Cloudera Manager property

This method of configuration can be used to configure security for the SRM service (driver and service roles), as well as the srm-control tool.

The Streams Replication Manager's Replication Configs property is used to configure properties that SRM accepts, but are not directly available for configuration in Cloudera Manager. For more information about its usage in general, see Configuring Properties Not Exposed in Cloudera Manager.

You can use Streams Replication Manager's Replication Configs to set security-related properties. Depending on your environment, it is likely that you need to add security properties that are prefixed with each cluster's alias. Prefixing security properties with aliases is needed when the clusters SRM is connecting to require different security configurations. Prefixing properties enables you to specify different security configurations for each cluster. Based on these prefixed properties SRM will know what configuration to use when accessing each cluster.

For example, if you have two clusters with the aliases primary and secondary that both have SSL enabled, you need to add the following to the Streams Replication Manager's Replication Configs property:
primary.security.protocol = SSL
primary.ssl.keystore.location = [KEYSTORE_PATH]
primary.ssl.keystore.password = [PASSWORD]
primary.ssl.key.password = [PASSWORD]
primary.ssl.truststore.location = [TRUSTSTORE_PATH]
primary.ssl.truststore.password = [PASSWORD]

secondary.security.protocol = SSL
secondary.ssl.keystore.location = [KEYSTORE_PATH]
secondary.ssl.keystore.password = [PASSWORD]
secondary.ssl.key.password = [PASSWORD]
secondary.ssl.truststore.location = [TRUSTSTORE_PATH]
secondary.ssl.truststore.password = [PASSWORD]

It is also possible to add non-prefixed security properties, SRM will accept these as well. However, in a case like this, it will use that configuration for all clusters that it is connecting to.

Lastly, it is also worth highlighting that out of the three security configuration methods, this is the only one that configures both the SRM service and srm-control tool.

Configure security with environment variables

This method is used to configure the srm-control tool.

This method of configuration is used in scenarios when you do not want to use the Streams Replication Manager's Replication Configs property to configure security properties for the srm-control tool. In a scenario like this, you can use the following environment variables to specify security properties.
Environment Variable Corresponding Property
security_protocol security.protocol
ssl_keystore_location ssl.keystore.location
ssl_keystore_password ssl.keystore.password
ssl_key_password ssl.key.password
ssl_truststore_location ssl.truststore.location
ssl_truststore_location ssl.truststore.location
ssl_truststore_password ssl.truststore.password
SRM_KERBEROS_OPTS Used to set the JAAS configuration file that should be used. In addition, it can also be used to set other Java system properties related to Kerberos. For example: SRM_KERBEROS_OPTS=”-Djava.security.auth.login.config=/opt/streams-replication-manager/conf/srm-jaas.conf”