Streams Replication Manager security overview

Configuring Streams Replication Manager (SRM) security involves enabling and setting security-related features and properties for the SRM service (Driver and Service roles) and the srm-control command line tool. This permits SRM to access source and target clusters and replicate data between them. In addition, it also enables the subcomponents of SRM that act as servers to function in a secure way.

Streams Replications Manager functions both as a client and a server. When SRM replicates data and connects to Kafka clusters it functions as a client. In addition however, some processes and components of SRM act as servers. For example the SRM Service role spins up a REST server. Similarly, the SRM Driver role has replication specific Connect REST servers which provide background functionality.

As a result of this, configuring security for SRM has two distinct aspects as you can configure security for SRM not only when it acts as client, but also when it acts as a server.

Server configuration

Security for SRM processes and components that act as servers can be configured by enabling the TLS/SSL and/or Kerberos feature toggles as well as configuring key and truststore related properties available in Cloudera Manager. For more information see, Enable TLS/SSL for the SRM serviceor Enable Kerberos authentication for the SRM service

Client configuration

Configuring security for SRM when it functions as a client involves enabling and setting security-related features and properties for the SRM service and the srm-control command line tool. This permits both the service and the tool to access your source and target clusters and replicate data between them. The configuration workflow and the steps you need to take differ for the service and tool.

SRM service

Before you can start replicating data with SRM, you must define the clusters that take part in the replication process and add them to SRM’s configuration. When you define a cluster, you also specify the required keys, certificates, and credentials needed to access the clusters that you define. This means that when you define a cluster for replication, at the same time, you also configure the necessary security-related properties needed for SRM to connect as a client.

The clusters and their security properties can be defined in multiple ways. What method you use depends on the clusters in your deployment and the type of security these clusters use. For more information regarding the workflow and the available options for configuration, see Defining and adding clusters for replication.

srm-control tool
In addition to configuring security for the SRM service, you also need to configure security related properties for the srm-control tool. This is because the srm-control tool also functions as a client and must have access to the clusters in the deployment. The exact configuration steps you need to take depends on how your deployment is set up, how you configured the service, and the type of security used on the clusters. For more information regarding the workflow and the available options for configuration, see Configuring srm-control.