Enable security for Cruise Control
When AutoTLS is disabled, you need to configure the security properties in Cloudera Manager to use Cruise Control in a secure environment. You can also choose between SPENGO and Trusted Proxy as an authentication method, and can assign admin, user and viewer roles to users to achieve further authorization over Cruise Control tasks.
There are two authentication methods for Cruise Control: SPENGO and Trusted Proxy. SPENGO uses Kerberos over HTTP. Trusted Proxy uses Knox through a gateway mechanism where Knox authenticates with Cruise Control over SPENGO and forwards the real user ID.
Ensure that you have set up TLS for Cloudera Manager:
- Generate TLS certificates
- Configure TLS for Admin Console and Agents
- Enable server certificate verification on Agents
- Configure agent certificate authentication
-
Access Cloudera Manager for the Cruise Control configurations.
- Go to your cluster in Cloudera Manager.
- Select Cruise Control from the list of Services.
- Click on Configuration tab.
- Navigate to Management Console > Environments, and select the environment where you have created your cluster.
- Select the Streams Messaging cluster from the list of Data Hub clusters.
- Select Cloudera Manager from the services.
- Select Clusters > Cruise Control.
- Click Configuration.
- Select Category > Main.
- Edit the authorization and Kafka security properties according to the cluster
configuration.You need the following authorization and security properties from the Main category.
Security property Description Kafka Client Security Protocol security.protocol
Protocol to be used for communicating with Kafka. Select the same protocol as you use for Kafka. Authentication Method auth_method
Authentication method that Cruise Control uses to authenticate clients. Trusted Proxy Authentication Service trusted_auth_service_user
The username part of the trusted proxy authentication service's principal. The default service is Knox for Cruise Control. ADMIN Level Users auth_admins
The list of ADMIN level users to have access to all endpoints. USER Level Users auth_users
The list of USER level users to have access to all the GET endpoints except bootstrap
andtrain
.VIEWER Level Users auth_viewers
The list of VIEWER level users to have access to the most lightweight kafka_cluster_state
,user_tasks
andreview_board
endpoints. - Click Save Changes.
- Click Clear next to the Category Filter.
- Select Category > Security.All the security related properties are displayed.
- Edit the security properties according to the cluster configuration.
Security property Description Enable TLS/SSL for Cruise Control Server webserver.ssl.enable
Encrypting communication between clients and Cruise Control Server using TLS. Cruise Control Server TLS/SSL Server Keystore File Location webserver.ssl.keystore.location
The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Cruise Control Server is acting as a TLS/SSL server. Cruise Control Server TLS/SSL Server Keystore File Password webserver.ssl.keystore.password
The password for the Cruise Control Server keystore file. Cruise Control Server TLS/SSL Server Keystore Key Password webserver.ssl.key.password
The password that protects the private key contained in the keystore used when Cruise Control Server is acting as a TLS/SSL server. HTTP Strict Transport Security Enabled webserver.ssl.sts.enabled
Enables the Strict Transport Security header in the web server responses. By default the configuration is enabled. Cruise Control Server TLS/SSL Client Trust Store File ssl.truststore.location
The location on disk of the trust store, used to confirm the authenticity of TLS/SSL servers that Cruise Control Server might connect to. This is used when Cruise Control Server is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead. Cruise Control Server TLS/SSL Client Trust Store Password ssl.truststore.password
The password for the Cruise Control Server TLS/SSL Certificate Trust Store File. This password is not required to access the trust store, the field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information. - Click Save Changes.
- Click Clear next to the Category Filter.
- Type ssl.properties to the Search field.The Cruise Control Server Advanced Configuration Snippet (Safety Valve) for ssl.properties field is displayed. You can define additional confiuration parameters for Cruise Control in the Safety Valve field. You also need to add properties that are inherited from Kafka clients, if needed for the secured communication. The values for the inherited properties should match with the values defined in Kafka.
-
Add the webserver keystore type, if needed, by adding the following property and
its value to the Advanced Configuration Snippetfield.
Security property Description webserver.ssl.keystore.type
The file format of the key store file. This configuration is optional. If the keystore type for the webserver is not set, it falls back to Jetty's default behavior. -
Add the following additional security properties to the Advanced Configuration
Snippet.
Security property Description ssl.provider
The name of the security provider used for SSL connections. Default value is the default security provider of the JVM. ssl.cipher.suites
A cipher suite is a named combination of authentication, encryption, MAC, and a key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol. ssl.enabled.protocols
This property should list at least one of the protocols ( TLSv1.2,TLSv1.1,TLSv1
) configured on the broker side.ssl.truststore.type
The file format of the trust store file. ssl.keystore.type
The file format of the key store file.
-
Add the webserver keystore type, if needed, by adding the following property and
its value to the Advanced Configuration Snippetfield.
-
Adding the following properties to the Advanced Configuration Snippet helps customizing
the default TLS configurations defined for the Cruise Control web server:
Security property Description webserver.ssl.include.ciphers
Sets the included ciphers for the webserver. webserver.ssl.exclude.ciphers
Sets the excluded ciphers for the webserver. webserver.ssl.include.protocols
Sets the included protocols for the webserver. webserver.ssl.exclude.protocols
Sets the excluded protocols for the webserver. - Click Save Changes.