Configuring a Nexus repository allow list

To harden the security of your Kafka Connect deployment, you can configure a Nexus repository allow list. If an allow list is configured, Stateless NiFi Source and Sink connectors are only able to fetch NiFi extensions from the specified list of Nexus repositories.

NiFi dataflows within Kafka Connect are deployed using the Stateless NiFi Source and Sink connectors. When you deploy your custom developed dataflows with the Stateless NiFi connectors, you can configure the nexus.url property. This property specifies the URL of a Nexus repository that hosts the NiFi extensions that are not bundled with the connectors but are required by the dataflow that is run within the connector.

By default connectors you deploy are allowed to connect to any Nexus repository that you specify. However, this may pose a security risk. Because of this, you can configure Kafka Connect to only allow its connectors to connect to specific Nexus repositories. That is, you can configure a Nexus server allow list. If an allow list is configured, connectors are only allowed to connect and fetch NiFi extensions from the servers that are included in the list.

The allow list is configured in Cloudera Manager using the List Of Allowed Nexus Repository Urls property.

In Cloudera Manager, select the Kafka service.
Go to Configuration.
Find and configure the List Of Allowed Nexus Repository Urls property.
Add the URLs of the Nexus repositories that you want to allow your connectors to fetch extensions from.
Click Save Changes.
Restart the Kafka service.

The Nexus URLs specified in the nexus.url property of the Stateless NiFi Source and Sink connectors are validated against the list of configured URLs. Connections are only allowed to the repositories configured in the list.