Securing Streams Replication Manager

SRM security example for a cluster environment managed by multiple Cloudera Manager instances

To run SRM in a secure environment with two clusters that have differing security setups and are managed by different instances of Cloudera Manager, you must configure security properties using Cloudera Manager in both clusters manually.

Consider the following replication environment.

There are two clusters, primary and secondary, each managed by a separate instance of Cloudera Manager. Both clusters have a Kafka and a Streams Replication Manager (SRM) service deployed on them. The clusters and Kafka services have differing security setups: in the primary cluster, TLS/SSL and Kerberos are enabled; the secondary cluster is unsecured. All SRM driver and service roles target the same cluster and Kafka service they are deployed in. Data replication is bidirectional.

The following example walks you through the steps to configure security for this replication environment. In this scenario, configuration of both the primary and secondary clusters is required. Both clusters are configured using Cloudera Manager.
  1. Configure the primary cluster.
    In the primary cluster you need to enable security feature toggles and configure additional security properties with the Streams Replication Manager's Replication Configs property.
    1. In the primary cluster's Cloudera Manager, select the Streams Replication Manager service.
    2. Go to Configuration.
    3. Enable TLS/SSL and Kerberos.
      In environments where the clusters have differing security setups, the configuration of the SSL/TLS and Kerberos feature toggles should match the security of the cluster that the SRM driver is targeting. In this example, the SRM driver in the primary cluster is targeting the primary cluster. Because the primary cluster has both SSL/TLS and Kerberos enabled, all feature toggles have to be enabled. You can do this by enabling the following properties:
      • Enable Kerberos Authentication
      • Enable TLS/SSL for SRM Driver
      • Enable TLS/SSL for SRM Service

    4. Find the Streams Replication Manager's Replication Configs property.
    5. Add the required prefixed security properties.
      primary.security.protocol = SASL_SSL
      primary.ssl.truststore.location = /path/to/truststore.jks
      primary.ssl.truststore.password = test1234
      primary.ssl.keystore.location = /path/to/keystore.jks
      primary.ssl.keystore.password = test1234
      primary.ssl.key.password = test1234
      primary.sasl.kerberos.service.name = kafka
      primary.sasl.mechanism = GSSAPI
      primary.sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/path/to/keytab file" storeKey=true useTicketCache=false principal="streamsrepmgr@STREAMANALYTICS.COM";
      secondary.security.protocol = PLAINTEXT
      
    6. Click Save Changes.
    7. Restart Streams Replication Manager.
  2. Configure the secondary cluster.

    Although the secondary cluster is unsecured, configuration is still required. The security properties of the primary cluster need to be specified; otherwise, the SRM instance running in this cluster will not be able to connect to the primary cluster. Additionally, the security protocol for the secondary cluster needs to be set; otherwise, you will not be able to run the srm-control tool on any of the secondary cluster hosts.

    1. In the secondary cluster's Cloudera Manager, select the Streams Replication Manager service.
    2. Go to Configuration.
    3. Find the Streams Replication Manager's Replication Configs property.
    4. Add the required prefixed security properties.
      primary.security.protocol = SASL_SSL
      primary.ssl.truststore.location = /path/to/truststore.jks
      primary.ssl.truststore.password = test1234
      primary.ssl.keystore.location = /path/to/keystore.jks
      primary.ssl.keystore.password = test1234
      primary.ssl.key.password = test1234
      primary.sasl.kerberos.service.name = kafka
      primary.sasl.mechanism = GSSAPI
      primary.sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/path/to/keytab file" storeKey=true useTicketCache=false principal="streamsrepmgr@STREAMANALYTICS.COM";
      secondary.security.protocol = PLAINTEXT
      
    5. Click Save Changes.
    6. Restart Streams Replication Manager.
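The two Replication Configs blocks above must agree, and each cluster alias must carry the client settings its security.protocol implies. The following checker is an added example (not Cloudera's or SRM's own code) that parses an "alias.key = value" block as pasted into the property and reports the two omissions step 2 warns about: a missing security.protocol for an alias, and a SASL_SSL alias without its truststore, SASL mechanism or JAAS settings. The alias names, paths and principal in the constructed sample are placeholders.

```python
import re
# Client settings each security.protocol value implies (SASL_SSL for the Kerberized primary, PLAINTEXT for the secondary).
REQUIRED = {
    "PLAINTEXT": [],
    "SSL": ["ssl.truststore.location"],
    "SASL_PLAINTEXT": ["sasl.mechanism", "sasl.jaas.config"],
    "SASL_SSL": ["ssl.truststore.location", "sasl.mechanism", "sasl.jaas.config"],
}
# "<alias>.<key> = <value>"; the value may itself contain '=' (the JAAS line does).
LINE_RE = re.compile(r"^\s*([\w-]+)\.([\w.-]+)\s*=\s*(.*?)\s*$")

def parse_replication_configs(text):
    """Return {alias: {key: value}} from a Replication Configs block; blanks and # comments are skipped."""
    clusters = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m: raise ValueError("unparseable line: %r" % line)
        alias, key, value = m.groups()
        clusters.setdefault(alias, {})[key] = value
    return clusters

def check_replication_configs(text, aliases):
    """List problems for the given aliases; an empty list means the block is consistent."""
    clusters = parse_replication_configs(text)
    problems = []
    for alias in aliases:
        props = clusters.get(alias, {})
        proto = props.get("security.protocol")
        if proto not in REQUIRED:  # missing protocol is the srm-control failure mode from step 2
            problems.append("%s: security.protocol missing or unknown (%r)" % (alias, proto))
            continue
        for key in REQUIRED[proto]:
            if key not in props:
                problems.append("%s: %s requires %s" % (alias, proto, key))
        if props.get("sasl.mechanism") == "GSSAPI" and "sasl.kerberos.service.name" not in props:
            problems.append("%s: GSSAPI requires sasl.kerberos.service.name" % alias)
    return problems

# Constructed sample mirroring the page's layout (paths and principal are placeholders).
SAMPLE = """
primary.security.protocol = SASL_SSL
primary.ssl.truststore.location = /path/to/truststore.jks
primary.sasl.kerberos.service.name = kafka
primary.sasl.mechanism = GSSAPI
primary.sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/path/to/keytab" principal="streamsrepmgr@EXAMPLE.COM";
secondary.security.protocol = PLAINTEXT
"""
```

Run `check_replication_configs(SAMPLE, ["primary", "secondary"])` against the block pasted from each cluster's Cloudera Manager; both clusters should come back with an empty list.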