Cluster Linking Security
Looking for Confluent Cloud Cluster Linking docs? You are currently viewing Confluent Platform documentation. If you are looking for Confluent Cloud docs, check out Cluster Linking on Confluent Cloud.
Important
This feature is available as a preview feature. A preview feature is a component of Confluent Platform that is being introduced to gain early feedback from developers. This feature can be used for evaluation and non-production testing purposes or to provide feedback to Confluent.
All security configurations used to connect to the source cluster can be configured on the cluster link when the link is created. Each link is associated with exactly one link credential that will be used for authentication of connections to the source cluster using that link. Different cluster links on the same cluster may use different security credentials. The link credential must be granted appropriate permissions on the source cluster.
Authentication
The following example shows how to configure SASL_SSL with GSSAPI as the SASL mechanism for the cluster link to talk to the source cluster.
security.protocol=SASL_SSL
ssl.truststore.location=/path/to/truststore.p12
ssl.truststore.password=truststore-password
ssl.truststore.type=PKCS12
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true \
    storeKey=true \
    keyTab="/path/to/link.keytab" \
    principal="clusterlink1@EXAMPLE.COM";
In this scenario the cluster link configuration must include the client-side SSL and SASL/GSSAPI options for connections to the source cluster. For details on creating SSL key and trust stores, see Encryption and Authentication with SSL. For details on SASL/GSSAPI, see Configuring GSSAPI. When security is enabled, brokers must be configured with password.encoder.secret so that sensitive link configurations (such as passwords) are stored encrypted.
To configure cluster links to use other SASL mechanisms, include client-side security configurations for that mechanism. See Authentication with SASL using JAAS for other supported mechanisms. To use two-way SSL authentication with SSL as the security protocol, a key store should also be configured for the link. See Encryption and Authentication with SSL for details.
Note
The cluster links use source credentials configured on the link to communicate with the source cluster. These credentials must be valid in order for the link to function.
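The link configuration above is a Java properties file in which sasl.jaas.config spans several lines joined by trailing backslashes; a dropped backslash silently truncates the JAAS entry and turns the following lines into stray keys, and the link then fails to authenticate. The following pre-flight check is an added example written for this page (it is not Confluent tooling): it parses such a file with the continuations honoured and reports which settings required by the chosen security.protocol and sasl.mechanism are missing. The validation rules are taken from the text above; the sample configurations embedded in it are constructed.

```python
"""Pre-flight check for a cluster link's client-side security configuration.

Added example for this page, not Confluent's own tooling. It parses a
Java-style properties file, honouring the trailing-backslash line
continuations that sasl.jaas.config relies on, and reports which settings
required by the chosen security.protocol / sasl.mechanism are missing.
"""

# Constructed sample: the SASL_SSL + GSSAPI link configuration from this page.
SAMPLE_LINK_CONFIG = """\
security.protocol=SASL_SSL
ssl.truststore.location=/path/to/truststore.p12
ssl.truststore.password=truststore-password
ssl.truststore.type=PKCS12
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \\
  useKeyTab=true \\
  storeKey=true \\
  keyTab="/path/to/link.keytab" \\
  principal="clusterlink1@EXAMPLE.COM";
"""

# Constructed negative sample: the same file with the continuation backslash
# dropped after "required", which silently truncates the JAAS config.
MISSING_CONTINUATION_CONFIG = SAMPLE_LINK_CONFIG.replace("required \\\n", "required\n")


def parse_properties(text):
    """Parse key=value lines into a dict. A trailing backslash joins the next
    line onto the current logical line; blank lines and # comments are skipped."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props


def validate_link_security(props):
    """Return a list of problems; an empty list means the link config is complete.
    Rules follow the page: SSL-based protocols need a trust store, SASL needs a
    mechanism plus a JAAS config, GSSAPI also needs the Kerberos service name,
    and SSL authentication (two-way SSL) needs a key store for the link."""
    problems = []
    protocol = props.get("security.protocol", "PLAINTEXT")
    if protocol not in ("PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"):
        return [f"unknown security.protocol {protocol!r}"]
    if protocol == "PLAINTEXT":
        problems.append("PLAINTEXT sends link traffic unencrypted and unauthenticated")
    if protocol.endswith("SSL"):
        for key in ("ssl.truststore.location", "ssl.truststore.password"):
            if key not in props:
                problems.append(f"{protocol} requires {key}")
    if protocol.startswith("SASL"):
        mechanism = props.get("sasl.mechanism")
        if not mechanism:
            problems.append("SASL requires sasl.mechanism")
        jaas = props.get("sasl.jaas.config")
        if jaas is None:
            problems.append("SASL requires sasl.jaas.config")
        elif not jaas.endswith(";"):
            # A JAAS entry is terminated by ';'; losing a continuation line loses it.
            problems.append("sasl.jaas.config must end with ';' (check the backslash line continuations)")
        if mechanism == "GSSAPI":
            if "sasl.kerberos.service.name" not in props:
                problems.append("GSSAPI requires sasl.kerberos.service.name")
            if "Krb5LoginModule" not in (jaas or "") or "principal=" not in (jaas or ""):
                problems.append("GSSAPI JAAS config must use Krb5LoginModule and set principal=")
    elif protocol == "SSL" and "ssl.keystore.location" not in props:
        problems.append("SSL authentication requires ssl.keystore.location (two-way SSL)")
    return problems


def check_config(text):
    """Parse and validate a link configuration in one step."""
    return validate_link_security(parse_properties(text))


if __name__ == "__main__":
    for name, text in (("page sample", SAMPLE_LINK_CONFIG),
                       ("missing continuation", MISSING_CONTINUATION_CONFIG)):
        print(f"{name}: {check_config(text) or 'OK'}")
```

Run it before creating the link: the page sample passes, while the variant with the dropped backslash is reported twice, once for the unterminated JAAS entry and once because the principal never reaches the JAAS config.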
Authorization (ACLs)
In deployments where ACLs are enabled, additional ACLs must be added in both the source and destination clusters. For details on creating ACLs, see Authorization using ACLs. For a full list of associated operations, resources, and APIs, see the subtopic, Operations.
Caution
ACL migration, previously available in Confluent Platform 6.0.0 through 6.2.x, was removed due to a security vulnerability. If you are using ACL migration (ACL sync) in your deployments, please disable it by setting acl.sync.enable=false on your cluster links. This feature will be re-introduced in an upcoming Confluent Platform release with the security issue resolved.
ACLs for User-Issued Cluster Link and Mirror Commands
The user who executes cluster link or mirror commands needs the following ACLs on the destination cluster.
Operation | Resource | API |
---|---|---|
ALTER | Cluster | CreateClusterLinks |
ALTER | Cluster | DeleteClusterLinks |
DESCRIBE | Cluster | ListClusterLinks |
ALTER | Cluster | CreateTopics (to create mirrored topic) |
CREATE | Topic | CreateTopics (to create mirrored topic) |
ALTER | Topic | AlterTopicMirrors |
ACLs for Brokers on Destination Cluster
If offset migration is not enabled, no additional permissions are required for the brokers.
If offset migration is enabled, additional ACLs are required for the brokers in the destination cluster.
Operation | Resource | API |
---|---|---|
READ | Topic | APIs used for consumer offset migration |
READ | Group | APIs used for consumer offset migration |
ALTER | Topic (Mirror) | AlterTopicMirrors |
ACLs for Link on Source Cluster
Source cluster ACLs are required for the link credential as follows.
Task | Operation | Resource | API |
---|---|---|---|
Mirroring | READ | Topic | Fetch |
Mirroring | DESCRIBE_CONFIGS | Topic | DescribeConfigs |
Consumer offset migration | DESCRIBE | Topic | ListOffsets |
Consumer offset migration | DESCRIBE | Group | ListGroups |
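The three tables above give the ACL matrix per principal and cluster; in practice the question is which bindings are still missing for a given link credential and set of mirrored topics. The following is an added example written for this page (not Confluent tooling) that encodes the source-cluster table for the link credential and the destination table for the user issuing link commands, diffs the required bindings against a granted set, and renders the missing ones as kafka-acls invocations. Assumptions: the principal strings (User:clusterlink1, User:linkadmin), topic and group names, the bootstrap address and the granted set are constructed; the rendering assumes the stock kafka-acls flags --add, --allow-principal, --operation, --topic, --group and --cluster; and a Kerberos principal such as clusterlink1@EXAMPLE.COM is assumed to map to User:clusterlink1 under the broker's default principal mapping.

```python
"""Derive the ACL bindings a cluster link needs and diff them against what is
already granted. Added example for this page, not Confluent's own tooling.
The ACL matrix comes from the tables on this page; the kafka-acls rendering
assumes the stock kafka-acls flags (--add, --allow-principal, --operation,
--topic, --group, --cluster)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str      # e.g. "User:clusterlink1" (assumed principal mapping)
    operation: str      # kafka-acls operation name
    resource_type: str  # "Topic", "Group" or "Cluster"
    resource_name: str  # "kafka-cluster" for the Cluster resource


def source_link_acls(principal, topics, offset_migration=False, groups=()):
    """ACLs the link credential needs on the source cluster
    (table "ACLs for Link on Source Cluster")."""
    acls = set()
    for topic in topics:
        acls.add(Acl(principal, "Read", "Topic", topic))             # Fetch
        acls.add(Acl(principal, "DescribeConfigs", "Topic", topic))  # DescribeConfigs
        if offset_migration:
            acls.add(Acl(principal, "Describe", "Topic", topic))     # ListOffsets
    if offset_migration:
        for group in groups:
            acls.add(Acl(principal, "Describe", "Group", group))     # ListGroups
    return acls


def destination_user_acls(principal, mirror_topics):
    """ACLs for the user who issues cluster link / mirror commands on the
    destination cluster (table "ACLs for User-Issued Cluster Link and Mirror Commands")."""
    acls = {Acl(principal, "Alter", "Cluster", "kafka-cluster"),      # Create/DeleteClusterLinks, CreateTopics
            Acl(principal, "Describe", "Cluster", "kafka-cluster")}   # ListClusterLinks
    for topic in mirror_topics:
        acls.add(Acl(principal, "Create", "Topic", topic))            # CreateTopics (mirrored topic)
        acls.add(Acl(principal, "Alter", "Topic", topic))             # AlterTopicMirrors
    return acls


def missing_acls(required, granted):
    """Bindings that are required but not yet present."""
    return required - granted


def to_kafka_acls_command(acl, bootstrap):
    """Render one binding as a kafka-acls command (flags assumed, see lead-in)."""
    flag = {"Topic": "--topic", "Group": "--group", "Cluster": "--cluster"}[acl.resource_type]
    target = "" if acl.resource_type == "Cluster" else f" {acl.resource_name}"
    return (f"kafka-acls --bootstrap-server {bootstrap} --add "
            f"--allow-principal {acl.principal} --operation {acl.operation} {flag}{target}")


if __name__ == "__main__":
    # Constructed scenario: one mirrored topic with consumer offset migration on.
    link = "User:clusterlink1"
    required = source_link_acls(link, ["orders"], offset_migration=True, groups=["billing"])
    granted = {Acl(link, "Read", "Topic", "orders")}  # constructed: only Fetch was granted
    print("missing on source cluster:")
    for acl in sorted(missing_acls(required, granted), key=str):
        print("  " + to_kafka_acls_command(acl, "source-broker:9093"))
    print("destination user:")
    for acl in sorted(destination_user_acls("User:linkadmin", ["orders"]), key=str):
        print("  " + to_kafka_acls_command(acl, "dest-broker:9093"))
```

Keeping the matrix in one place makes the least-privilege boundary explicit: the link credential only ever receives Read, DescribeConfigs and Describe on the source side, and the Describe bindings appear only when offset migration is turned on.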