Streams Replication Manager security overview
Configuring SRM security involves enabling and setting security-related features and
properties for the SRM service and the srm-control
command line tool. This
permits SRM to access source and target clusters and replicate data between them. There are
multiple methods you can use to configure security depending on your cluster
environment.
Streams Replication Manager (SRM) can replicate data between secured and unsecured environments, as well as between environments that have differing security setups.
To do so, you must provide the SRM service and the srm-control command line tool with the required keys, certificates, and credentials needed to access the clusters. This is done by setting security-related configuration properties. The methods you can use to configure security properties are as follows:
- Configure security using the SSL/TLS and Kerberos feature toggles available in Cloudera Manager
- Configure security using the Streams Replication Manager's Replication Configs Cloudera Manager property
- Configure security using environment variables
Configure security using the SSL/TLS and Kerberos feature toggles available in Cloudera Manager
This method can only be used to configure security for the SRM service (driver and service roles). This method does not configure security for the srm-control tool.
Use this method on its own only when all of the following requirements are met:
- The Kafka and SRM services are all managed by the same instance of Cloudera Manager.
- All Kafka services that are taking part in the replication process have identical security configurations.
- Auto-TLS is turned on, or TLS is set up in accordance with Cloudera recommendations.
If the Kafka services have differing security configurations, or are managed by different Cloudera Manager instances, you must also use the Streams Replication Manager's Replication Configs property to manually set security properties. If the above requirements are not met, using only this method of configuration is not sufficient.
Configure security using the Streams Replication Manager's Replication Configs Cloudera Manager property
This method of configuration can be used to configure security for the SRM service (driver
and service roles), as well as the srm-control
tool.
The Streams Replication Manager's Replication Configs property is used to configure properties that SRM accepts, but are not directly available for configuration in Cloudera Manager. For more information about its usage, see Configuring Properties Not Exposed in Cloudera Manager.
You can use Streams Replication Manager's Replication Configs to set security-related properties. Depending on your environment, it is likely that you need to add security properties that are prefixed with each cluster's alias. Prefixing properties enables you to specify different security configurations for each cluster. Based on these prefixed properties, SRM knows what configuration to use when accessing each cluster.
For example, assume that you have two clusters with the aliases primary and secondary. The primary cluster is Kerberized (using keytabs) and SSL enabled. The secondary cluster is SSL enabled. In a setup like this, you need to add the following to the Streams Replication Manager's Replication Configs property:
primary.security.protocol = SASL_SSL
primary.ssl.keystore.location = [KEYSTORE_PATH]
primary.ssl.keystore.password = [PASSWORD]
primary.ssl.key.password = [PASSWORD]
primary.ssl.truststore.location = [TRUSTSTORE_PATH]
primary.ssl.truststore.password = [PASSWORD]
primary.sasl.kerberos.service.name = [SERVICE NAME]
primary.sasl.mechanism = GSSAPI
primary.sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="[PATH/TO/KEYTAB FILE]" storeKey=true useTicketCache=false principal="[PRINCIPAL]";
secondary.security.protocol = SSL
secondary.ssl.keystore.location = [KEYSTORE_PATH]
secondary.ssl.keystore.password = [PASSWORD]
secondary.ssl.key.password = [PASSWORD]
secondary.ssl.truststore.location = [TRUSTSTORE_PATH]
secondary.ssl.truststore.password = [PASSWORD]
Out of the three security configuration methods, this method is the only one that configures both the SRM service and the srm-control tool.
Note that the keystore, key, and truststore passwords become part of this property value, so limit who can view the SRM configuration in Cloudera Manager. The keytab, keystore, and truststore files referenced by these properties must exist on every host that runs an SRM driver or service role and must be readable by the user SRM runs as.
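The two-cluster scenario above, as an added example that is not code from this page or from Cloudera: a small Python helper that assembles the alias-prefixed properties for each cluster and checks, before the text is pasted into Replication Configs, that every alias carries what its security.protocol requires (truststore for the *SSL protocols, both passwords when a keystore is given, mechanism plus a ';'-terminated JAAS entry for SASL, Krb5LoginModule and the Kerberos service name for GSSAPI). The file paths, passwords, principal and the service name "kafka" are assumed placeholders; the property names are the Kafka client names the page itself uses.

```python
"""Build and sanity-check per-cluster security properties for the
Streams Replication Manager's Replication Configs property.

Added example, not code from the original page or from Cloudera. The
aliases, file paths, principal, service name and passwords below are
constructed placeholders; the property names are the standard Kafka
client names that the page's own example uses.
"""

SECURITY_PROTOCOLS = ("PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL")
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"


def kerberos_jaas(keytab, principal):
    """One-line JAAS entry for keytab login without a ticket cache, as on the page."""
    return (f'{KRB5_MODULE} required useKeyTab=true keyTab="{keytab}" '
            f'storeKey=true useTicketCache=false principal="{principal}";')


def cluster_props(alias, protocol, *, keystore=None, keystore_password=None,
                  key_password=None, truststore=None, truststore_password=None,
                  keytab=None, principal=None, service_name="kafka"):
    """Return {"<alias>.<property>": value} for one cluster.

    Only arguments that are given become properties, so the result is what
    an operator would actually paste, not a fixed template."""
    values = {
        "security.protocol": protocol,
        "ssl.keystore.location": keystore,
        "ssl.keystore.password": keystore_password,
        "ssl.key.password": key_password,
        "ssl.truststore.location": truststore,
        "ssl.truststore.password": truststore_password,
    }
    if keytab and principal:  # Kerberos with a keytab, GSSAPI mechanism
        values["sasl.kerberos.service.name"] = service_name
        values["sasl.mechanism"] = "GSSAPI"
        values["sasl.jaas.config"] = kerberos_jaas(keytab, principal)
    return {f"{alias}.{k}": v for k, v in values.items() if v is not None}


def render(props):
    """The 'key = value' lines in the form the Replication Configs field takes."""
    return "\n".join(f"{k} = {v}" for k, v in props.items())


def check(props):
    """Return a list of problems; an empty list means every alias carries what
    its security.protocol needs. The rules are the Kafka client's own:
    an *SSL protocol needs a truststore, a keystore needs both passwords,
    SASL_* needs a mechanism and a ';'-terminated JAAS entry, and GSSAPI
    needs Krb5LoginModule plus the Kerberos service name."""
    problems = []
    for alias in sorted({key.split(".", 1)[0] for key in props}):
        def p(name, prefix=alias + "."):
            return props.get(prefix + name)

        proto = p("security.protocol")
        if proto not in SECURITY_PROTOCOLS:
            problems.append(f"{alias}: security.protocol is {proto!r}")
            continue
        if proto == "PLAINTEXT":
            problems.append(f"{alias}: PLAINTEXT, traffic to this cluster is unencrypted")
        if proto.endswith("SSL") and not p("ssl.truststore.location"):
            problems.append(f"{alias}: {proto} without ssl.truststore.location")
        if p("ssl.keystore.location") and not (
                p("ssl.keystore.password") and p("ssl.key.password")):
            problems.append(f"{alias}: keystore given without both passwords")
        if proto.startswith("SASL"):
            jaas = (p("sasl.jaas.config") or "").rstrip()
            if not p("sasl.mechanism") or not jaas.endswith(";"):
                problems.append(f"{alias}: SASL needs sasl.mechanism and a "
                                "';'-terminated sasl.jaas.config")
            if p("sasl.mechanism") == "GSSAPI" and (
                    KRB5_MODULE not in jaas or not p("sasl.kerberos.service.name")):
                problems.append(f"{alias}: GSSAPI needs Krb5LoginModule and "
                                "sasl.kerberos.service.name")
    return problems


# The page's scenario: 'primary' is Kerberized and SSL, 'secondary' is SSL only.
EXAMPLE = {
    **cluster_props("primary", "SASL_SSL",
                    keystore="/opt/srm/pki/primary.jks", keystore_password="ks-pass",
                    key_password="key-pass",
                    truststore="/opt/srm/pki/primary-trust.jks",
                    truststore_password="ts-pass",
                    keytab="/opt/srm/keytabs/srm.keytab",
                    principal="srm/srm-host.example.com@EXAMPLE.COM"),
    **cluster_props("secondary", "SSL",
                    keystore="/opt/srm/pki/secondary.jks", keystore_password="ks-pass",
                    key_password="key-pass",
                    truststore="/opt/srm/pki/secondary-trust.jks",
                    truststore_password="ts-pass"),
}

if __name__ == "__main__":
    print(render(EXAMPLE))
    print("problems:", check(EXAMPLE) or "none")
```

Running the script prints the same fifteen lines as the page's example and an empty problem list; removing the secondary truststore or the JAAS entry from the dictionary makes check() name the alias and the missing piece, which is quicker than waiting for the driver role to fail its first connection.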
Configure security using environment variables
This method is used to configure the srm-control tool.
The SSL/TLS and Kerberos feature toggles in Cloudera Manager secure the SRM service but not the srm-control tool. In a scenario like this, you can use the following environment variables to specify security properties for the tool. A variable name that is misspelled is simply not read, so the corresponding property falls back to its default. There is no environment variable for sasl.jaas.config; Kerberos login for the tool is configured through a JAAS file referenced with SRM_KERBEROS_OPTS.
Environment Variable | Corresponding Property |
---|---|
security_protocol | security.protocol |
ssl_keystore_location | ssl.keystore.location |
ssl_keystore_password | ssl.keystore.password |
ssl_key_password | ssl.key.password |
ssl_truststore_location | ssl.truststore.location |
ssl_truststore_password | ssl.truststore.password |
SRM_KERBEROS_OPTS | Used to set the JAAS configuration file that should be used. In addition, it can also be used to set other Java system properties related to Kerberos. For example: SRM_KERBEROS_OPTS="-Djava.security.auth.login.config=/opt/streams-replication-manager/conf/srm-jaas.conf" |
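The environment-variable method above, as an added example that is not code from this page or from Cloudera: a Python helper that maps the variables in the table to their Kafka client properties, parses SRM_KERBEROS_OPTS into Java system properties, flags ssl_* or security_* variables that match nothing in the table (a misspelling the tool would silently ignore), and produces the shell export lines for a plain client configuration. The constructed environment, its paths and the -Dsun.security.krb5.debug flag are assumptions; the variable names are those in the table.

```python
"""Translate the srm-control environment variables from the table above into
Kafka client properties, parse SRM_KERBEROS_OPTS, and flag the mistakes that
the tool would otherwise not report.

Added example, not code from the original page or from Cloudera. The variable
names are those in the table; the values below are constructed placeholders.
"""
import shlex

ENV_TO_PROPERTY = {
    "security_protocol": "security.protocol",
    "ssl_keystore_location": "ssl.keystore.location",
    "ssl_keystore_password": "ssl.keystore.password",
    "ssl_key_password": "ssl.key.password",
    "ssl_truststore_location": "ssl.truststore.location",
    "ssl_truststore_password": "ssl.truststore.password",
}
LOGIN_CONFIG = "java.security.auth.login.config"


def parse_java_opts(opts):
    """Split SRM_KERBEROS_OPTS into {system.property: value}. shlex handles the
    quoting in the table's example; a -D flag without '=' gets an empty value."""
    result = {}
    for token in shlex.split(opts or ""):
        if token.startswith("-D"):
            key, _, value = token[2:].partition("=")
            result[key] = value
    return result


def env_to_properties(env):
    """Return (kafka_properties, java_system_properties, unknown_names).

    unknown_names are variables that look intended for the table (ssl_* or
    security_*) but match nothing in it, for example a misspelling; the tool
    would not read them and the property would stay at its default."""
    props, unknown = {}, []
    for name, value in env.items():
        if name in ENV_TO_PROPERTY:
            props[ENV_TO_PROPERTY[name]] = value
        elif name.startswith(("ssl_", "security_")):
            unknown.append(name)
    return props, parse_java_opts(env.get("SRM_KERBEROS_OPTS")), sorted(unknown)


def check_env(env):
    """Problems to fix before running srm-control with this environment."""
    props, jvm, unknown = env_to_properties(env)
    problems = [f"unrecognised variable {name}" for name in unknown]
    proto = props.get("security.protocol", "PLAINTEXT")  # Kafka's default
    if proto.startswith("SASL") and not jvm.get(LOGIN_CONFIG):
        problems.append(f"{proto} set but SRM_KERBEROS_OPTS has no "
                        f"-D{LOGIN_CONFIG}=<jaas file>")
    if proto.endswith("SSL") and "ssl.truststore.location" not in props:
        problems.append(f"{proto} set but ssl_truststore_location is missing")
    return problems


def export_lines(props):
    """Inverse mapping: shell 'export' lines for a plain Kafka client config,
    quoted so passwords with spaces or shell metacharacters survive."""
    prop_to_env = {v: k for k, v in ENV_TO_PROPERTY.items()}
    return [f"export {prop_to_env[k]}={shlex.quote(v)}"
            for k, v in props.items() if k in prop_to_env]


# Constructed environment for a Kerberized, SSL-enabled cluster.
EXAMPLE_ENV = {
    "security_protocol": "SASL_SSL",
    "ssl_truststore_location": "/opt/srm/pki/truststore.jks",
    "ssl_truststore_password": "ts-pass",
    "SRM_KERBEROS_OPTS": '-Djava.security.auth.login.config='
                         '"/opt/streams-replication-manager/conf/srm-jaas.conf" '
                         '-Dsun.security.krb5.debug=true',
    "PATH": "/usr/bin",  # unrelated variables are ignored
}

if __name__ == "__main__":
    print(env_to_properties(EXAMPLE_ENV))
    print("problems:", check_env(EXAMPLE_ENV) or "none")
    print("\n".join(export_lines({"security.protocol": "SSL",
                                  "ssl.truststore.password": "p w"})))
```

The point of the unknown-name check is the failure mode of this method: a variable such as ssl_truststore_locaton is never read, so the tool runs with the default truststore and the first sign of trouble is a TLS handshake failure rather than a configuration error.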