Configuring a Nexus repository allow list
To harden the security of your Kafka Connect deployment, you can configure a Nexus repository allow list. If an allow list is configured, Stateless NiFi Source and Sink connectors are only able to fetch NiFi extensions from the specified list of Nexus repositories.
NiFi dataflows within Kafka Connect are deployed using the Stateless NiFi Source and
Sink connectors. When you deploy your custom developed dataflows with the Stateless NiFi
connectors, you can configure the nexus.url
property. This property
specifies the URL of a Nexus repository that hosts the NiFi extensions that are not bundled
with the connectors but are required by the dataflow that is run within the connector.
By default connectors you deploy are allowed to connect to any Nexus repository that you specify. However, this may pose a security risk. Because of this, you can configure Kafka Connect to only allow its connectors to connect to specific Nexus repositories. That is, you can configure a Nexus server allow list. If an allow list is configured, connectors are only allowed to connect and fetch NiFi extensions from the servers that are included in the list.
The allow list is configured in Cloudera Manager using the List Of Allowed Nexus Repository Urls property.
nexus.url
property of the Stateless
NiFi Source and Sink connectors are validated against the list of configured URLs. Connections
are only allowed to the repositories configured in the list.