Cluster Linking Security¶
Looking for Confluent Cloud Cluster Linking docs? You are currently viewing Confluent Platform documentation. If you are looking for Confluent Cloud docs, check out Cluster Linking on Confluent Cloud.
All security configurations used to connect to the source cluster can be configured on the cluster link when the link is created. Each link is associated with exactly one link credential that will be used for authentication of connections to the source cluster using that link. Different cluster links on the same cluster may use different security credentials. The link credential must be granted appropriate permissions on the source cluster.
Authentication¶
The following example shows how to configure SASL_SSL with GSSAPI as the SASL
mechanism for the cluster link to talk to the source cluster. You can set
these configurations using a config-file, as described in the section on
how to set properties on a cluster link.
security.protocol=SASL_SSL
ssl.truststore.location=/path/to/truststore.p12
ssl.truststore.password=truststore-password
ssl.truststore.type=PKCS12
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
useKeyTab=true \
storeKey=true \
keyTab="/path/to/link.keytab" \
principal="clusterlink1@EXAMPLE.COM";
Cluster Linking configurations should include client-side SSL and SASL/GSSAPI configuration options for connections to the source cluster in this scenario.
For details on creating SSL key and trust stores, see Encrypt and Authenticate with TLS. For details on
SASL/GSSAPI, see Configuring GSSAPI. Brokers must be configured with password.encoder.secret for encrypting
sensitive link configurations when security is enabled. See also, Updating Password Configurations Dynamically.
To configure cluster links to use other SASL mechanisms, include client-side security configurations for that mechanism. See Authentication with SASL using JAAS for other supported mechanisms. To use two-way SSL authentication with SSL as the security protocol, a key store should also be configured for the link. See Encrypt and Authenticate with TLS for details.
Note
The cluster links use source credentials configured on the link to communicate with the source cluster. These credentials must be valid in order for the link to function.
Authorization (ACLs)¶
In deployments where ACLs are enabled, additional ACLs must be added in both the source and destination clusters. For details on creating ACLs, see Authorization using ACLs. For a full list of associated operations, resources, and APIs, see the subtopic, Operations.
Caution
ACL migration, previously available in Confluent Platform 6.0.0 through 6.2.x, was removed due to a
security vulnerability. If you are using ACL migration (ACL sync) in your deployments,
please disable it by setting acl.sync.enable=false on your cluster links. This feature
will be re-introduced in an upcoming Confluent Platform release with the security issue resolved.
ACLs for User-Issued Cluster Link and Mirror Commands¶
The following destination cluster ACLs are available for the user executing cluster link or mirror commands.
| Operation | Resource | API |
|---|---|---|
| ALTER | Cluster | CreateClusterLinks |
| ALTER | Cluster | DeleteClusterLinks |
| ALTERCONFIGS | Cluster | AlterConfigs |
| DESCRIBE | Cluster | ListClusterLinks |
| ALTER | Cluster | CreateAcls, DeleteAcls, CreateTopics (to create mirrored topics) |
| CREATE | Topic | CreateTopics (to create mirrored topics) |
| ALTER | Topic | AlterTopicMirrors |
ACLs required to list and describe mirror topics¶
The list mirrors command lists the mirror topics on a cluster and/or a cluster link.
You can call this command through the API with `REST`: `GET /kafka/v3/clusters/<cluster-id>/links/<link-name>/mirrors`
or from the Confluent Platform CLI with kafka-mirrors --list.
The describe mirror command gives information about a specific mirror topic.
You can call this command through the API with `REST`: `GET /kafka/v3/clusters/<cluster-id>/links/<link-name>/mirrors/<mirror-topic>`
or from the Confluent Platform CLI with kafka-mirrors --describe --topics <mirror-topic>.
To list and describe mirror topics, you need one of the following ACLs:
- The DESCRIBE ACL on a Cluster resource, which provides access to both list and describe for all topics on the cluster.
- The DESCRIBE ACL on specific Topic(s), which provides access to both list and describe for the specified topics only.
ACLs for Brokers on Destination Cluster¶
If offset migration is not enabled, no additional permissions are required for the brokers.
If offset migration is enabled, additional ACLs are required for the brokers in the destination cluster.
| Operation | Resource | API |
|---|---|---|
| READ | Topic | APIs used for consumer offset migration |
| READ | Group | APIs used for consumer offset migration |
| ALTER | Topic (Mirror) | AlterTopicMirrors |
ACLs for Link on Source Cluster¶
Source cluster ACLs are required for the link credential as follows.
| Task | Operation | Resource | API |
|---|---|---|---|
| Mirroring | READ | Topic | Fetch |
| DESCRIBE_CONFIGS | Topic | DescribeConfigs | |
| Consumer offset migration | DESCRIBE | Topic | ListOffsets |
| DESCRIBE | Group | ListGroups |
ACLs for Source-Initiated Links¶
ACLs required by the cluster link principal on the Destination Cluster¶
For a source-initiated cluster link, the cluster link’s principal requires the
Cluster: Alter ACL on the Destination cluster.
Cluster: Alter is required on the Destination cluster to ensure that the user who
created the cluster link is authorized to create a cluster link to this destination cluster.
ACLs required by the cluster link principal on the Source Cluster¶
The cluster link’s source cluster principal requires the Cluster: Alter ACL
in addition to the normal ACLs required by a cluster link on a source cluster.
Cluster: Alter is required on the Source cluster because the cluster link needs to
create reverse connections on the cluster, which is considered a privileged action.
ACLs required by the user principal on the Source Cluster¶
To perform actions to a source-initiated cluster link on the source cluster, the user’s principal requires the same ACLs as if they were creating a destination-initiated cluster link on that cluster:
| Operation | Resource | API |
|---|---|---|
| ALTER | Cluster | CreateClusterLinks |
| ALTER | Cluster | DeleteClusterLinks |
| ALTERCONFIGS | Cluster | AlterConfigs |
| DESCRIBE | Cluster | ListClusterLinks |