Looking for Confluent Cloud Cluster Linking docs? This page describes Cluster Linking on Confluent Platform. If you are looking for Confluent Cloud documentation, check out Cluster Linking on Confluent Cloud.

Cluster Linking Security

All security configurations used to connect to the source cluster can be configured on the cluster link when the link is created. Each link is associated with exactly one link credential that will be used for authentication of connections to the source cluster using that link. Different cluster links on the same cluster may use different security credentials. The link credential must be granted appropriate permissions on the source cluster.


The following example shows how to configure SASL_SSL with GSSAPI as the SASL mechanism for the cluster link to talk to the source cluster. You can set these configurations using a config-file, as described in the section on how to set properties on a cluster link.

sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true \
    storeKey=true \
    keyTab="/path/to/link.keytab" \
    principal="<link-principal>@<REALM>";

Cluster Linking configurations should include client-side SSL and SASL/GSSAPI configuration options for connections to the source cluster in this scenario.
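As an added example (not part of the Confluent documentation or tooling), the following Python check lints a link config file for the SASL_SSL with GSSAPI scenario above before the file is used to create a link. The function names, finding messages and sample values, including the EXAMPLE.TEST realm, are assumptions made for illustration.

```python
import re

def parse_properties(text):
    """Parse key=value lines; a backslash at end of line continues the value."""
    joined = re.sub(r"\\\n[ \t]*", "", text)  # join continuation lines
    props = {}
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_link_config(text):
    """Return findings for a SASL_SSL + GSSAPI (keytab) cluster link config file."""
    p, findings = parse_properties(text), []
    if text.rstrip().endswith("\\"):
        findings.append("file ends inside a backslash continuation")
    if p.get("security.protocol") != "SASL_SSL":
        findings.append("security.protocol is not SASL_SSL")
    if p.get("sasl.mechanism", "GSSAPI") != "GSSAPI":  # GSSAPI is the Kafka client default
        findings.append("sasl.mechanism is not GSSAPI")
    jaas = p.get("sasl.jaas.config", "")
    opts = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', jaas)}
    if "Krb5LoginModule" not in jaas:
        findings.append("sasl.jaas.config does not use Krb5LoginModule")
    elif not jaas.endswith(";"):
        findings.append("sasl.jaas.config is not terminated by ';'")
    if "keyTab" in opts and opts.get("useKeyTab") != "true":
        findings.append("keyTab is set but useKeyTab=true is missing")
    if "keyTab" in opts and "principal" not in opts:
        findings.append("keyTab is set but principal is missing")
    if "sasl.kerberos.service.name" not in p and "serviceName" not in opts:
        findings.append("Kerberos service name is not set")
    return findings

# Constructed sample: truncated JAAS entry (no useKeyTab, no principal, no ';').
TRUNCATED = r"""security.protocol=SASL_SSL
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    storeKey=true \
    keyTab="/path/to/link.keytab" \
"""
# Constructed sample: the same entry completed with placeholder values.
COMPLETE = TRUNCATED.rstrip("\\\n") + ' \\\n    useKeyTab=true principal="link@EXAMPLE.TEST";\n'

if __name__ == "__main__":
    for name, text in (("TRUNCATED", TRUNCATED), ("COMPLETE", COMPLETE)):
        print(name, lint_link_config(text) or "ok")
```

The check only inspects the file's contents; it does not contact either cluster or verify that the keytab and principal are valid on the source cluster.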

For details on creating SSL key and trust stores, see Encryption and Authentication with SSL. For details on SASL/GSSAPI, see Configuring GSSAPI. Brokers must be configured with password.encoder.secret for encrypting sensitive link configurations when security is enabled. See also, Updating Password Configurations Dynamically.

To configure cluster links to use other SASL mechanisms, include client-side security configurations for that mechanism. See Authentication with SASL using JAAS for other supported mechanisms. To use two-way SSL authentication with SSL as the security protocol, a key store should also be configured for the link. See Encryption and Authentication with SSL for details.


The cluster links use source credentials configured on the link to communicate with the source cluster. These credentials must be valid in order for the link to function.

Authorization (ACLs)

In deployments where ACLs are enabled, additional ACLs must be added in both the source and destination clusters. For details on creating ACLs, see Authorization using ACLs. For a full list of associated operations, resources, and APIs, see the subtopic, Operations.

ACLs for Brokers on Destination Cluster

If offset migration is not enabled, no additional permissions are required for the brokers.

If offset migration is enabled, additional ACLs are required for the brokers in the destination cluster.

Operation   Resource         API
READ        Topic            APIs used for consumer offset migration
READ        Group            APIs used for consumer offset migration
ALTER       Topic (Mirror)   AlterTopicMirrors