Streams Replication Manager security overview
Configuring SRM security involves enabling and setting security-related features and
properties for the SRM service and the
srm-control command line tool. This
permits SRM to access source and target clusters and replicate data between them. There are
multiple methods you can use to configure security depending on your cluster
Streams Replication Manager (SRM) can replicate data between secured and unsecured environments, as well as between environments that have differing security setups.
srm-controlcommand line tool with the required keys, certificates, and credentials needed to access the clusters. This can be done by setting security-related configuration properties. The methods you can use to configure security properties are as follows:
- Configure security using the SSL/TLS and Kerberos feature toggles available in Cloudera Manager
- Configure security using the Streams Replication Manager's Replication Configs Cloudera Manager property
- Configure security using environment variables
Configure security using the SSL/TLS and Kerberos feature toggles available in Cloudera Manager
This method can only be used to configure security for the SRM service (driver and service
roles). This method does not configure security for the
The Kafka and SRM services are all managed by the same instance of Cloudera Manager.
All Kafka services that are taking part in the replication process have identical security configurations.
Auto-TLS is turned on, or TLS is set up in accordance with Cloudera recommendations.
If the Kafka services have differing security configurations, or are managed by different Cloudera Manager instances, you must also use the Streams Replication Manager's Replication Configs property to manually set security properties. If the above requirements are not met, using only this method of configuration is not sufficient.
Configure security using the Streams Replication Manager's Replication Configs Cloudera Manager property
This method of configuration can be used to configure security for the SRM service (driver
and service roles), as well as the
The Streams Replication Manager's Replication Configs property is used to configure properties that SRM accepts, but are not directly available for configuration in Cloudera Manager. For more information about its usage, see Configuring Properties Not Exposed in Cloudera Manager.
You can use Streams Replication Manager's Replication Configs to set security-related properties. Depending on your environment, it is likely that you need to add security properties that are prefixed with each cluster's alias. Prefixing properties enables you to specify different security configurations for each cluster. Based on these prefixed properties, SRM knows what configuration to use when accessing each cluster.
primarycluster is Kerberized (using keytabs) and SSL enabled. The
secondarycluster is SSL enabled. In a setup like this, you need to add the following to the Streams Replication Manager's Replication Configs property:
primary.security.protocol = SASL_SSL primary.ssl.keystore.location = [KEYSTORE_PATH] primary.ssl.keystore.password = [PASSWORD] primary.ssl.key.password = [PASSWORD] primary.ssl.truststore.location = [TRUSTSTORE_PATH] primary.ssl.truststore.password = [PASSWORD] primary.sasl.kerberos.service.name = [SERVICE NAME] primary.sasl.mechanism = GSSAPI primary.sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="[PATH/TO/KEYTAB FILE]" storeKey=true useTicketCache=false principal="[PRINCIPAL]"; secondary.security.protocol = SSL secondary.ssl.keystore.location = [KEYSTORE_PATH] secondary.ssl.keystore.password = [PASSWORD] secondary.ssl.key.password = [PASSWORD] secondary.ssl.truststore.location = [TRUSTSTORE_PATH] secondary.ssl.truststore.password = [PASSWORD]
Out of the three security configuration methods, this method is the only one that
configures both the SRM service and the
Configure security using environment variables
This method is used to configure the
srm-controltool. In a scenario like this, you can use the following environment variables to specify security properties.
|Environment Variable||Corresponding Property|
|SRM_KERBEROS_OPTS||Used to set the JAAS configuration file that should be used. In addition, it can also be used to set other Java system properties related to Kerberos. For example: SRM_KERBEROS_OPTS=”-Djava.security.auth.login.config=/opt/streams-replication-manager/conf/srm-jaas.conf”|