Cloudera Docs

Configuring security for clusters with differing security setups

Learn how to set up SRM security for clusters with differing security setups.

In a complex system you might have clusters that require no encryption or authentication while others do. SRM is capable of operating in environments where the security setup of each cluster SRM is connecting to is different. Configuring security is achieved by adding the appropriate configuration properties to your srm.properties configuration file. When connecting SRM to clusters with non-uniform security setups, you have to add each configuration property separately for each cluster in your system. This can be done by prepending the configuration property with the cluster name. For example, primary.security.protocol specifies the security protocol for the cluster named “primary”.

  1. Specify the security protocols for each cluster: 
    primary.security.protocol = SSL
backup.security.protocol = SASL_SSL
  2. Add truststore information:
    Truststore information is only required if you are using SSL encryption.
    backup.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
backup.ssl.truststore.password=test1234
primary.ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
primary.ssl.truststore.password=test1234
  3. Add keystore information:
    Keystore information is only required if you are using SSL authentication.
    primary.ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
primary.ssl.keystore.password=test1234
primary.ssl.key.password=test1234
  4. Specify the authentication mechanism:
    Specifying the authentication mechanism is only required if you are using SASL.
    backup.sasl.mechanism = GSSAPI
  5. Specify the service name:
    Service name information is only required if you are using Kerberos.
    primary.sasl.kerberos.service.name = kafka
backup.sasl.kerberos.service.name = srm
  6. Configure the JAAS.
    JAAS configuration is only required if you are using SASL.

    If one or more of your clusters operates in a different kerberos realm, you have to specify a unique JAAS configuration for each. Configuring multiple kerberos realms is only possible by embedding the JAAS configuration in the srm.properties file. Passing JAAS configuration files with the SRM_KERBEROS_OPTS environment variable is not supported in this scenario.

    primary.sasl.jaas.config = \
 com.sun.security.auth.module.Krb5LoginModule required \ 
     useKeyTab=true \
     keyTab="path/to/keytab file" \
     storeKey=true \
     useTicketCache=false \
     principal="streamsrepmgr@STREAMANALYTICS.COM";
    

 backup.sasl.jaas.config = \
  com.sun.security.auth.module.Krb5LoginModule required \   
  	useKeyTab=true \
     keyTab="path/to/keytab file" \
     storeKey=true \
     useTicketCache=false \
     principal="streamsrepmgr@EXAMPLE.COM";