Streams Replication Manager security overview
Configuring SRM security involves enabling and setting security-related features and properties for the SRM service and the srm-control command line tool. This permits SRM to access source and target clusters and replicate data between them. There are multiple methods you can use to configure security; which methods you use will depend on your
Streams Replication Manager (SRM) can replicate data between secured and unsecured environments, as well as between environments that have differing security setups.
srm-control command line tool with the required keys, certificates, and credentials needed to access the clusters that replication is happening between. This can be done by setting security-related configuration properties. There are three methods you can use to configure security properties:
- Configure security with the SSL/TLS and Kerberos feature toggles available in Cloudera Manager
- Configure security with the Streams Replication Manager's Replication Configs Cloudera Manager property
- Configure security with environment variables
Configure security with the SSL/TLS and Kerberos feature toggles available in Cloudera Manager
This method can only be used to configure security for the SRM service (driver and service roles). This method does not configure security for the
- The Kafka and SRM services are all managed by the same instance of Cloudera Manager.
- All Kafka services that replication is happening between have identical security configurations.
- Auto-TLS is turned on, or TLS is set up in accordance with Cloudera recommendations.
If the Kafka services have differing security configurations, or are managed by different Cloudera Manager instances, you also need to use the Streams Replication Manager's Replication Configs property to manually set security properties. In other words, if the above requirements are not all met, using only this method of configuration is not sufficient.
Configure security with the Streams Replication Manager's Replication Configs Cloudera Manager property
This method of configuration can be used to configure security for the SRM service (driver and service roles), as well as the
The Streams Replication Manager's Replication Configs property is used to configure properties that SRM accepts, but are not directly available for configuration in Cloudera Manager. For more information about its usage in general, see Configuring Properties Not Exposed in Cloudera Manager.
You can use Streams Replication Manager's Replication Configs to set security-related properties. Depending on your environment, it is likely that you need to add security properties that are prefixed with each cluster's alias. Prefixing security properties with aliases is needed when the clusters SRM is connecting to require different security configurations. Prefixing properties enables you to specify different security configurations for each cluster. Based on these prefixed properties SRM will know what configuration to use when accessing each cluster.
primary cluster is Kerberized (using keytabs) and SSL-enabled. The secondary cluster is SSL-enabled. In a setup like this you need to add the following to the Streams Replication Manager's Replication Configs property:

```properties
primary.security.protocol = SASL_SSL
primary.ssl.keystore.location = [KEYSTORE_PATH]
primary.ssl.keystore.password = [PASSWORD]
primary.ssl.key.password = [PASSWORD]
primary.ssl.truststore.location = [TRUSTSTORE_PATH]
primary.ssl.truststore.password = [PASSWORD]
primary.sasl.kerberos.service.name = [SERVICE NAME]
primary.sasl.mechanism = GSSAPI
primary.sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="[PATH/TO/KEYTAB FILE]" storeKey=true useTicketCache=false principal="[PRINCIPAL]";
secondary.security.protocol = SSL
secondary.ssl.keystore.location = [KEYSTORE_PATH]
secondary.ssl.keystore.password = [PASSWORD]
secondary.ssl.key.password = [PASSWORD]
secondary.ssl.truststore.location = [TRUSTSTORE_PATH]
secondary.ssl.truststore.password = [PASSWORD]
```
It is also possible to add non-prefixed security properties; SRM will accept these as well. However, in a case like this, it will use that configuration for all clusters that it is connecting to.
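As an added example (not part of the Cloudera documentation), the following Python script parses a Replication Configs block like the one above, groups the security properties by cluster alias, reports which keys each cluster's security.protocol still lacks, and flags non-prefixed security properties that would apply to every cluster. The sample block, cluster aliases and file paths are constructed.

```python
"""Lint an SRM Replication Configs block: group security properties by alias
prefix and report missing keys. Added example, not Cloudera's code; SAMPLE is constructed."""

# Constructed: "primary" lacks sasl.jaas.config, "secondary" lacks its
# truststore, and one key has no alias so SRM applies it to every cluster.
SAMPLE = """
primary.security.protocol = SASL_SSL
primary.ssl.keystore.location = /etc/pki/primary.jks
primary.ssl.keystore.password = changeit
primary.ssl.key.password = changeit
primary.ssl.truststore.location = /etc/pki/truststore.jks
primary.ssl.truststore.password = changeit
primary.sasl.kerberos.service.name = kafka
primary.sasl.mechanism = GSSAPI
secondary.security.protocol = SSL
secondary.ssl.keystore.location = /etc/pki/secondary.jks
secondary.ssl.keystore.password = changeit
secondary.ssl.key.password = changeit
ssl.endpoint.identification.algorithm = https
"""

# Suffixes (after the alias prefix) the page's example sets per protocol.
SSL_KEYS = ["ssl.keystore.location", "ssl.keystore.password", "ssl.key.password",
            "ssl.truststore.location", "ssl.truststore.password"]
SASL_KEYS = SSL_KEYS + ["sasl.kerberos.service.name", "sasl.mechanism", "sasl.jaas.config"]
REQUIRED = {"SSL": SSL_KEYS, "SASL_SSL": SASL_KEYS}
SECURITY_PREFIXES = ("security.protocol", "ssl.", "sasl.")

def parse(block):
    """Return {key: value} from 'key = value' lines; split on the first '='
    only, because sasl.jaas.config values contain '=' themselves."""
    props = {}
    for line in block.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint(block, aliases):
    """Return {alias: [missing keys]} plus 'unprefixed': security keys that
    carry no alias and therefore apply to all clusters SRM connects to."""
    props = parse(block)
    report = {"unprefixed": sorted(k for k in props if k.startswith(SECURITY_PREFIXES))}
    for alias in aliases:
        prefix = alias + "."
        cluster = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
        protocol = cluster.get("security.protocol", "PLAINTEXT")
        report[alias] = [k for k in REQUIRED.get(protocol, []) if k not in cluster]
    return report
```

Run lint(SAMPLE, ["primary", "secondary"]) to see the per-alias gaps; an unexpectedly non-empty "unprefixed" list is the usual sign that a property meant for one cluster was entered without its alias.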
Lastly, it is also worth highlighting that out of the three security configuration methods, this is the only one that configures both the SRM service and
Configure security with environment variables
This method is used to configure the srm-control tool. In a scenario like this, you can use the following environment variables to specify security properties.
| Environment Variable | Corresponding Property |
| --- | --- |
| SRM_KERBEROS_OPTS | Used to set the JAAS configuration file that should be used. It can also be used to set other Java system properties related to Kerberos. For example: SRM_KERBEROS_OPTS="-Djava.security.auth.login.config=/opt/streams-replication-manager/conf/srm-jaas.conf" |