Cluster Linking Security

Looking for Confluent Cloud Cluster Linking docs? You are currently viewing Confluent Platform documentation. If you are looking for Confluent Cloud docs, check out Cluster Linking on Confluent Cloud.

All security configurations used to connect to the source cluster can be configured on the cluster link when the link is created. Each link is associated with exactly one link credential that will be used for authentication of connections to the source cluster using that link. Different cluster links on the same cluster may use different security credentials. The link credential must be granted appropriate permissions on the source cluster.

Authentication

The following example shows how to configure SASL_SSL with GSSAPI as the SASL mechanism for the cluster link to talk to the source cluster. You can set these configurations using a config-file, as described in the section on how to set properties on a cluster link.

security.protocol=SASL_SSL
ssl.truststore.location=/path/to/truststore.p12
ssl.truststore.password=truststore-password
ssl.truststore.type=PKCS12
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true \
    storeKey=true \
    keyTab="/path/to/link.keytab" \
    principal="clusterlink1@EXAMPLE.COM";

Cluster Linking configurations should include client-side SSL and SASL/GSSAPI configuration options for connections to the source cluster in this scenario.

For details on creating SSL key and trust stores, see Encrypt and Authenticate with TLS. For details on SASL/GSSAPI, see Configuring GSSAPI. Brokers must be configured with password.encoder.secret for encrypting sensitive link configurations when security is enabled. See also, Updating Password Configurations Dynamically.

To configure cluster links to use other SASL mechanisms, include client-side security configurations for that mechanism. See Authentication with SASL using JAAS for other supported mechanisms. To use two-way SSL authentication with SSL as the security protocol, a key store should also be configured for the link. See Encrypt and Authenticate with TLS for details.

Note

The cluster links use source credentials configured on the link to communicate with the source cluster. These credentials must be valid in order for the link to function.

Authorization (ACLs)

In deployments where ACLs are enabled, additional ACLs must be added in both the source and destination clusters. For details on creating ACLs, see Authorization using ACLs. For a full list of associated operations, resources, and APIs, see the subtopic, Operations.

Caution

ACL migration, previously available in Confluent Platform 6.0.0 through 6.2.x, was removed due to a security vulnerability. If you are using ACL migration (ACL sync) in your deployments, please disable it by setting acl.sync.enable=false on your cluster links. This feature will be re-introduced in an upcoming Confluent Platform release with the security issue resolved.

ACLs for Brokers on Destination Cluster

If offset migration is not enabled, no additional permissions are required for the brokers.

If offset migration is enabled, additional ACLs are required for the brokers in the destination cluster.

Operation Resource API
READ Topic APIs used for consumer offset migration
READ Group APIs used for consumer offset migration
ALTER Topic (Mirror) AlterTopicMirrors