Securing Streams Replication ManagerPDF version

SRM security example for a cluster environment managed by a single Cloudera Manager instance

To run SRM in a secure environment with two clusters that have identical security configuration and are managed by the same Cloudera Manager, you must configure security for the SRM service and the srm-control command line tool on both clusters.

Consider the following replication environment.

There are two clusters, each with a Kafka and a Streams Replication Manager (SRM) service deployed on it. Both clusters are managed by the same Cloudera Manager. The clusters have an identical security setup. TLS/SSL, Kerberos, and Auto-TLS are enabled on both clusters. In addition, the same Kerberos KDC and trusted CA is used by both clusters. Data replication is bidirectional. All SRM driver and service roles target the same cluster and Kafka service they are deployed in.

The following example walks you through the steps to configure security for this replication environment. There are two steps you need to complete. You have to configure security for the SRM service, as well as the srm-control command line tool on both clusters. In this scenario, the SRM service is configured with Cloudera Manager. The srm-control tool can be configured either with Cloudera Manager or environment variables.
  1. Configure security for the SRM service.
    Because data replication is bidirectional, this step needs to be completed for both primary and secondary clusters.
    1. In Cloudera Manager, select the Streams Replication Manager service.
    2. Go to Configuration.
    3. Find and enable the following properties:
      • Enable Kerberos Authentication

      • Enable TLS/SSL for SRM Driver

      • Enable TLS/SSL for SRM Service

    4. Click Save Changes.
    5. Restart Streams Replication Manager.
  2. Configure security for the srm-control tool.
    In addition to configuring the SRM service, you also need to configure security for the srm-control tool. Without configuration, the tool will not be able to run and you will not be able to kick off replication. There are two methods you can use to configure security for the tool, either with Cloudera Manager or with environment variables. Choose one of the following methods:
    1. Using Cloudera Manager  Show Me How
      Complete this step for all SRM services.
      1. In Cloudera Manager select Streams Replication Manager.
      2. Go to Configuration.
      3. Find the Streams Replication Manager's Replication Configs property.
      4. Add and configure the required security properties.

        In the case of this example, properties related to both SSL/TLS and Kerberos need to be added.

        security.protocol = SASL_SSL
        ssl.truststore.location = /path/to/truststore.jks
        ssl.truststore.password = test1234
        ssl.keystore.location = /path/to/keystore.jks
        ssl.keystore.password = test1234
        ssl.key.password = test1234
        sasl.kerberos.service.name = kafka
        sasl.mechanism = GSSAPI
        sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/path/to/keytab file" storeKey=true useTicketCache=false principal="streamsrepmgr@STREAMANALYTICS.COM";
        
      5. Click Save Changes.
      6. Restart Streams Replication Manager.
    2. Using environment variables  Show Me How
      Complete this step for all SRM driver hosts.
      1. Log in to the SRM driver host.
      2. Configure security properties with environment variables.

        In the case of this example, properties related to both SSL/TLS and Kerberos need to be added. As a result, all available environment variables need to be set. These are the following:

        export SRM_KERBEROS_OPTS="-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=/path/to/jaas.conf"
        export security_protocol=SASL_SSL
        export ssl_truststore_location=/path/to/truststore.jks
        export ssl_truststore_password=password123
        export ssl_keystore_location=/path/to/keystore.jks
        export ssl_keystore_password=password123
        export ssl_key_password=password123