Enabling Basic Authentication for the SRM Service

Basic Authentication (BA) can be enabled for the Streams Replication Manager (SRM) Service in Cloudera Manager. After BA is enabled, the REST API of the SRM Service becomes secured. Any clients or services accessing the REST API will need to present valid credentials for access.

BA is set up for the SRM Service by creating Basic Authentication Credentials. A Basic Authentication Credential is an item that securely stores a username/password pair that can be used by the SRM Service for BA. Once the credential is defined, you must turn on BA for the SRM Service and reference the credentials you created in SRM’s configuration. After configuration is complete, the SRM Service and its Rest API will only be accessible by clients and services that present valid credentials.

In addition to the credentials configured with Basic Authentication Credentials, another username/password pair is generated automatically. This username and password pair is used by other services that depend on SRM and are deployed in the same cluster. These credentials are automatically passed to the dependent services. This way, any co-located dependent service automatically has access to the SRM REST API when BA is enabled. For example, Streams Messaging Manager is a service like this. It provides replication monitoring by accessing and gathering metrics from the SRM REST API. As a result it requires access to the REST API. If required, the automatically generated credentials can be updated. However their configuration is optional.

  1. Create Basic Authentication Credentials:

    SRM supports BA for multiple users. This means that you can create more than one credential. Cloudera recommends that you create at least two. One for any external services and clients, and one that can be used by SRM internally.

    1. In Cloudera Manager go to Administration > External Accounts > Basic Authentication Credentials.
    2. Click Add Basic Authentication Credentials.
    3. Configure the following properties:
      • Name

        Add a unique and easily identifiable name. Note down the name you configure, you will need to provide it in a later step.

      • Username and Password

        Add a username and password. These credentials will be accepted by SRM when an external client or service tries to access the REST API. Take note of the username and password that you configure. Depending on your cluster and setup, you might need to provide these credentials when configuring other SRM features or external clients and services that access the SRM REST API.

  2. Enable BA for the SRM Service:
    1. Go to Clusters and select the Streams Replication Manager Service.
    2. Go to Configuration.
    3. Find and enable the SRM Service Use Basic Authentication property.
    4. Find and configure the External Basic Authentication Accounts Accepted By SRM Service property.
      Add the names of all Basic Authentication Credentials that you created in Step 1. For example:
      external_1
      external_2
      internal_1
      
    5. Find and configure the SRM Service Intra Cluster Account Name property.
      This property controls which credential should be used by the individual SRM Service roles within the cluster to communicate with each other. Add one of the Basic Authentication Credential names that you added to the External Basic Authentication Accounts Accepted By SRM Service property. For example:
      internal_1
  3. Optional: Configure the automatically generated credentials used by dependent services.
    The automatically generated username and password can be configured with the following properties:
    • SRM Service Co-Located Service Username
    • SRM Service Co-Located Service User Password
  4. Click Save Changes.
  5. Restart Streams Replication Manager.
BA is configured for the SRM Service
  • If you have previously enabled Remote Querying for a separate SRM Service that targets this SRM Service (the one that you enabled BA for) with Remote Querying, complete Configuring Basic Authentication for Remote Querying for the SRM Service that has Remote Querying enabled.
  • Query metrics. You can do either of the following:

    • Access the Replications page on the SMM UI. Replications will be visible in the UI.
    • Query metrics using the SRM REST API. For example:
      1. Go to Streams Replication Manager > Web UI > SRM Service Swagger UI.
      2. Find and open the /v2/replications endpoint.
      3. Click Try it out then click Execute.

        You are prompted to enter a username and password.

      4. Enter the credentials you configured using Basic Authentication Credentials.

        The response includes all discovered replications, replicated topics, and various other metrics.