Cluster Linking Security
This feature is available as a preview feature. A preview feature is a component of Confluent Platform that is being introduced to gain early feedback from developers. This feature can be used for evaluation and non-production testing purposes or to provide feedback to Confluent.
All security configurations used to connect to the source cluster can be configured on the cluster link when the link is created. Each link is associated with exactly one link credential that will be used for authentication of connections to the source cluster using that link. Different cluster links on the same cluster may use different security credentials. The link credential must be granted appropriate permissions on the source cluster.
The following example shows how to configure SASL_SSL with GSSAPI as the SASL mechanism for the cluster link to talk to the source cluster.
security.protocol=SASL_SSL
ssl.truststore.location=/path/to/truststore.p12
ssl.truststore.password=truststore-password
ssl.truststore.type=PKCS12
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true storeKey=true \
    keyTab="/path/to/link.keytab" \
    principal="clusterlink1@EXAMPLE.COM";
Cluster Linking configurations should include client-side SSL and SASL/GSSAPI configuration options for connections to the source cluster in this scenario.
For details on creating SSL key and trust stores, see Encryption and Authentication with SSL. For details on SASL/GSSAPI, see Configuring GSSAPI. Brokers must be configured with password.encoder.secret for encrypting sensitive link configurations when security is enabled.
To configure cluster links to use other SASL mechanisms, include client-side security configurations for that mechanism. See Authentication with SASL using JAAS for other supported mechanisms. To use two-way SSL authentication with SSL as the security protocol, a key store should also be configured for the link. See Encryption and Authentication with SSL for details.
The cluster links use source credentials configured on the link to communicate with the source cluster. These credentials must be valid in order for the link to function.
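A pre-flight check for a link configuration file like the one above, written as an added example and not part of Confluent's tooling or documentation. The function names and the two_way_ssl flag are hypothetical; the property names are standard Kafka client settings, and the sample is this page's GSSAPI configuration.

```python
import re

# Constructed sample: the SASL_SSL/GSSAPI link configuration shown on this page.
GOOD = r'''
security.protocol=SASL_SSL
ssl.truststore.location=/path/to/truststore.p12
ssl.truststore.password=truststore-password
ssl.truststore.type=PKCS12
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true storeKey=true \
    keyTab="/path/to/link.keytab" \
    principal="clusterlink1@EXAMPLE.COM";
'''

def parse_properties(text):
    """Parse Java-style properties, joining backslash-continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_link_config(props, two_way_ssl=False):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    proto = props.get("security.protocol", "PLAINTEXT")  # Kafka client default
    if proto not in ("SSL", "SASL_SSL"):
        findings.append(f"security.protocol={proto}: connection to source is not encrypted")
    if proto.startswith("SASL"):
        jaas = props.get("sasl.jaas.config", "")
        if not jaas:
            findings.append("sasl.jaas.config missing: link has no SASL credential")
        if props.get("sasl.mechanism", "GSSAPI") == "GSSAPI":  # client default
            if "sasl.kerberos.service.name" not in props and "serviceName" not in jaas:
                findings.append("sasl.kerberos.service.name missing")
            for opt in ("keyTab", "principal"):
                if jaas and not re.search(rf'\b{opt}="[^"]+"', jaas):
                    findings.append(f"JAAS option {opt} missing or empty")
    if two_way_ssl and "ssl.keystore.location" not in props:
        findings.append("two-way SSL requested but ssl.keystore.location is not set")
    return findings
```

Call lint_link_config(parse_properties(text)) on the file's contents before creating the link; passing two_way_ssl=True also requires the key store that two-way SSL authentication needs.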