Monday, March 27, 2023
HomeBig DataUtilizing Kafka Join Securely within the Cloudera Knowledge Platform

Utilizing Kafka Join Securely within the Cloudera Knowledge Platform

On this publish I’ll show how Kafka Join is built-in within the Cloudera Knowledge Platform (CDP), permitting customers to handle and monitor their connectors in Streams Messaging Supervisor whereas additionally referring to safety features reminiscent of role-based entry management and delicate data dealing with. In case you are a developer shifting knowledge in or out of Kafka, an administrator, or a safety professional this publish is for you. However earlier than I introduce the nitty-gritty first let’s begin with the fundamentals.

Kafka Join

For the aim of this text it’s enough to know that Kafka Join is a robust framework to stream knowledge out and in of Kafka at scale whereas requiring a minimal quantity of code as a result of the Join framework handles many of the life cycle administration of connectors already. As a matter of truth, for the most well-liked supply and goal techniques there are connectors already developed that can be utilized and thus require no code, solely configuration. 

The core constructing blocks are: connectors, which orchestrate the information motion between a single supply and a single goal (one in every of them being Kafka); duties which might be answerable for the precise knowledge motion; and staff that handle the life cycle of all of the connectors.

Kafka permits native assist for deploying and managing connectors, which signifies that after beginning a Join cluster submitting a connector configuration and/or managing the deployed connector may be completed by means of a REST API that’s uncovered by Kafka. Streams Messaging Supervisor (SMM) builds on prime of this and gives a user-friendly interface to exchange the REST API calls.

Streams Messaging Supervisor

Disclaimer: descriptions and screenshots on this article are made with CDP 7.2.15 as SMM is below energetic improvement; supported options would possibly change from model to model (like what number of kinds of connectors can be found). 

SMM is Cloudera’s answer to observe and work together with Kafka and associated providers. The SMM UI is made up of a number of tabs, every of which include completely different instruments, features, graphs, and so forth, that you need to use to handle and acquire clear insights about your Kafka clusters. This text focuses on the Join tab, which is used to work together with and monitor Kafka Join.

Creating and configuring connectors

Earlier than any monitoring can occur step one is to create a connector utilizing the New Connector button on the highest proper, which navigates to the next view:

On the highest left two kinds of connector templates are displayed:                     supply to ingest knowledge into, and sink to tug knowledge out of Kafka. By default the Supply Templates tab is chosen so the supply connector templates are displayed which might be out there in our cluster. Observe that the playing cards on this web page don’t signify the connector cases which might be deployed on the cluster, slightly they signify the kind of connectors which might be out there for deployment on the cluster. For instance, there’s a JDBC Supply connector template, however that doesn’t imply that there’s a JDBC Supply connector presently shifting knowledge into Kafka, it simply signifies that the required libraries are in place to assist deploying JDBC Supply connectors. 

After a connector is chosen the Connector Kind is introduced.

The Connector Kind is used to configure your connector. Most connectors included by default in CDP are shipped with a pattern configuration to ease configuration. The properties and values included within the templates rely on the chosen connector. Normally, every pattern configuration contains the properties which might be most definitely wanted for the connector to work, with some wise defaults already current. If a template is on the market for a particular connector, it’s routinely loaded into the Connector Kind when you choose the connector. The instance above is the prefilled type of the Debezium Oracle Supply connector.

Let’s take a look on the variety of options the Connector Kind gives when configuring a connector.

Including, eradicating, and configuring properties

Every line within the type represents a configuration property and its worth. Properties may be configured by populating the out there entries with a property identify and its configuration worth. New properties may be added and eliminated utilizing the plus/trash bin icons. 

Viewing and modifying giant configuration values

The values you configure for sure properties might not be a brief string or integer; some values can get fairly giant. For instance, Stateless NiFi connectors require the circulation.snapshot property, the worth of which is the complete contents of a JSON file (suppose lots of of strains). Properties like these may be edited in a modal window by clicking the Edit button.

Hiding delicate values

By default properties are saved in plaintext so they’re seen to anybody who has entry to SMM with acceptable authorization rights.

There is likely to be properties within the configurations like passwords and entry keys that customers wouldn’t wish to leak from the system; to safe delicate knowledge from the system these may be marked as secrets and techniques with the Lock icon, which achieves two issues:

  • The property’s worth will probably be hidden on the UI.
  • The worth will probably be encrypted and saved in a safe method on the backend.

Observe: Properties marked as secrets and techniques can’t be edited utilizing the Edit button.

To enter the technical particulars for a bit, not solely is the worth merely encrypted, however the encryption key used to encrypt the worth can also be wrapped with a worldwide encryption key for an added layer of safety. Even when the worldwide encryption secret is leaked, the encrypted configurations may be simply re-encrypted, changing the previous world key with a Cloudera offered software. For extra data, see Kafka Join Secrets and techniques Storage.

Importing and enhancing configurations

In case you have already ready native Kafka Join configurations you need to use the Import Connector Configuration button to repeat and paste it or browse it from the file system utilizing a modal window.

This characteristic can show particularly helpful for migrating Kafka Join workloads into CDP as current connector configurations may be imported with a click on of a button. 

Whereas importing there may be even an choice to boost the configuration utilizing the Import and Improve button. Enhancing will add the properties which might be most definitely wanted, for instance: 

  • Properties which might be lacking in comparison with the pattern configuration.
  • Properties from the circulation.snapshot of StatelessNiFi connectors.

Validating configurations

On the highest proper you may see the Validate button. Validating a configuration is necessary earlier than deploying a connector. In case your configuration is legitimate, you’ll see a “Configuration is legitimate” message and the Subsequent button will probably be enabled to proceed with the connector deployment. If not, the errors will probably be highlighted inside the Connector Kind. Normally, you’ll encounter 4 kinds of errors:

  • Normal configuration errors
    Errors that aren’t associated to a particular property seem above the shape within the Errors part.
  • Lacking properties
    Errors relating to lacking configurations additionally seem within the Errors part with the utility button Add Lacking Configurations, which does precisely that: provides the lacking configurations to the beginning of the shape.
  • Property particular errors
    Errors which might be particular to properties (displayed below the suitable property).
  • Multiline errors
    If a single property has a number of errors, a multiline error will probably be displayed below the property.


To show SMM’s monitoring capabilities for Kafka Join I’ve arrange two MySql connectors: “gross sales.product_purchases” and “monitoring.raw_metrics”. Now the aim of this text is to point out off how Kafka Join is built-in into the Cloudera ecosystem, so I can’t go in depth on the right way to arrange these connectors, however if you wish to observe alongside you will discover detailed steerage in these articles: 

MySQL CDC with Kafka Join/Debezium in CDP Public Cloud

The utilization of safe Debezium connectors in Cloudera environments 

Now let’s dig extra into the Join web page, the place I beforehand began creating connectors. On the Connector web page there’s a abstract of the connectors with some total statistics, like what number of connectors are operating and/or failed; this may also help decide if there are any errors at a look.

Under the general statistics part there are three columns, one for Supply Connectors, one for Subjects, and one for Sink Connectors. The primary and the final signify the deployed connectors, whereas the center one shows the subjects that these connectors work together with. 

To see which connector is linked to which subject simply click on on the connector and a graph will seem.

Aside from filtering based mostly on connector standing/identify and viewing the kind of the connectors some customers may even do fast actions on the connectors by hovering over their respective tiles.

The sharp eyed have already seen that there’s a Connectors/Cluster Profile navigation button between the general statistics part and the connectors part.

By clicking on the Cluster Profile button, worker-level data may be considered reminiscent of what number of connectors are deployed on a employee, success/failure charges on a connector/activity degree, and extra.


On the Connector tab there may be an icon with a cogwheel, urgent that may navigate to the Connector Profile web page, the place detailed data may be considered for that particular connector.

On the prime data wanted to guage the connector’s standing may be considered at a look, reminiscent of standing, operating/failed/paused duties, and which host the employee is positioned on. If the connector is in a failed state the inflicting exception message can also be displayed.

Managing the connector or creating a brand new one can also be doable from this web page (for sure customers) with the buttons positioned on the highest proper nook.

Within the duties part task-level metrics are seen, for instance: what number of bytes have been written by the duty, metrics associated to information, and the way a lot a activity has been in operating or paused state, and in case of an error the stack hint of the error.

The Connector Profile web page has one other tab known as Connector Settings the place customers can view the configuration of the chosen connector, and a few customers may even edit it.

Securing Kafka Join

Securing Connector administration

As I’ve been hinting beforehand there are some actions that aren’t out there to all customers. Let’s think about that there’s a firm promoting some sort of items by means of an internet site. In all probability there’s a staff monitoring the server the place the web site is deployed, a staff who screens the transactions and will increase the worth of a product based mostly on rising demand or set coupons in case of declining demand. These two groups have very completely different specialised talent units, so it’s cheap to anticipate that they can not tinker with one another’s connectors. That is the place Apache Ranger comes into play.

Apache Ranger permits authorization and audit over numerous assets (providers, recordsdata, databases, tables, and columns) by means of a graphical person interface and ensures that authorization is constant throughout CDP stack parts. In Kafka Join’s case it permits finegrained management over which person or group can execute which operation for a particular connector (these particular connectors may be decided with common expressions, so no have to checklist them one after the other).

The permission mannequin for Kafka Join is described within the following desk:

Useful resource Permission Permits the person to…
Cluster View Retrieve details about the server, and the kind of connector that may be deployed to the cluster
Handle Work together with the runtime loggers
Validate Validate connector configurations
Connector View Retrieve details about connectors and duties
Handle Pause/resume/restart connectors and duties or reset energetic subjects (that is what’s displayed within the center column of the Join overview web page)
Edit Change the configuration of a deployed connector
Create Deploy connectors
Delete Delete connectors


Each permission in Ranger implies the Cluster-view permission, so that doesn’t have to be set explicitly.

Within the earlier examples I used to be logged in with an admin person who had permissions to do every part with each connector, so now let’s create a person with person ID mmichelle who’s a part of the monitoring group, and in Ranger configure the monitoring group to have each permission for the connectors with identify matching common expression monitoring.*.

Now after logging in as mmichelle and navigating to the Connector web page I can see that the connectors named gross sales.* have disappeared, and if I attempt to deploy a connector with the identify beginning with one thing aside from monitoring. the deploy step will fail, and an error message will probably be displayed. 

Let’s go a step additional: the gross sales staff is rising and now there’s a requirement to distinguish between analysts who analyze the information in Kafka, assist individuals who monitor the gross sales connectors and assist analysts with technical queries, backend assist who can handle the connectors, and admins who can deploy and delete gross sales connectors based mostly on the wants of the analysts.

To assist this mannequin I’ve created the next customers:

Group Person Connector matching regex Permissions
gross sales+analyst ssamuel * None
gross sales+assist ssarah gross sales.* Connector – View
gross sales+backend ssebastian gross sales.* Connector – View/ Handle
gross sales+admin sscarlett gross sales.* Connector – View/ Handle/ Edit/ Create/ Delete

Cluster – Validate

If I had been to log in with sscarlett I’d see an identical image as mmichelle; the one distinction can be that she will be able to work together with connectors which have a reputation beginning with “gross sales.”. 

So let’s log in as ssebastian as an alternative and observe that the next buttons have been eliminated:

  1. New Connector button from the Connector overview and Connector profile web page.
  2. Delete button from the Connector profile web page.
  3. Edit button on the Connector settings web page.

That is additionally true for ssarah, however on prime of this she additionally doesn’t see:

  1. Pause/Resume/Restart buttons on the Connector overview web page’s connector hover popup or on the Connector profile web page.
  2. Restart button is completely disabled on the Connector profile’s duties part.

To not point out ssamuel who can login however can’t even see a single connector. 

And this isn’t solely true for the UI; if a person from gross sales would go across the SMM UI and check out manipulating a connector of the monitoring group (or some other that’s not permitted) immediately by means of Kafka Join REST API, that particular person would obtain authorization errors from the backend.

Securing Kafka subjects

At this level not one of the customers have entry on to Kafka subject assets if a Sink connector stops shifting messages from Kafka backend assist and admins cannot verify if it’s as a result of there are not any extra messages produced into the subject or one thing else. Ranger has the facility to grant entry rights over Kafka assets as properly. 

Let’s go into the Kafka service on the Ranger UI and set the suitable permissions for the gross sales admins and gross sales backend teams beforehand used for the Kafka Join service. I might give entry rights to the subjects matching the * regex, however in that case sscarlet and ssebastian might additionally by accident work together with the subjects of the monitoring group, so let’s simply give them entry over the production_database.gross sales.* and gross sales.* subjects.

Now the subjects that the gross sales connectors work together with seem on the subjects tab of the SMM UI they usually can view the content material of them with the Knowledge Explorer.

Securing Connector entry to Kafka

SMM (and Join) makes use of authorization to limit the group of customers who can handle the Connectors. Nevertheless, the Connectors run within the Join Employee course of and use credentials completely different from the customers’ credentials to entry subjects in Kafka.

By default connectors use the Join employee’s Kerberos principal and JAAS configuration to entry Kafka, which has each permission for each Kafka useful resource. Due to this fact with default configuration a person with a permission to create a Connector can configure that connector to learn from or write to any subject within the cluster.

To manage this Cloudera has launched the kafka.join.jaas.coverage.limit.connector.jaas property, which if set to “true” forbids the connectors to make use of the join employee’s principal.

After enabling this within the Cloudera Supervisor, the beforehand working connectors have stopped working, forcing connector directors to override the connector employee principal utilizing the sasl.jaas.config property:

To repair this exception I created a shared person for the connectors (sconnector) and enabled PAM authentication on the Kafka cluster utilizing the next article: 

configure purchasers to hook up with Apache Kafka Clusters securely – Half 3: PAM authentication.

In case of sink connectors, the shopper configurations are prefixed with shopper.override; in case of supply connectors, the shopper configurations are prefixed with producer.override (in some circumstances admin.override. is also wanted).

So for my MySqlConnector I set required username=”sconnector” password=”<secret>”;

This may trigger the connector to entry the Kafka subject utilizing the PLAIN credentials as an alternative of utilizing the default Kafka Join employee principal’s id.

To keep away from disclosure of delicate data, I additionally set the producer.override.sasl.jaas.config as a secret utilizing the lock icon.

Utilizing a secret saved on the file system of the Kafka Join Staff (reminiscent of a Kerberos keytab file) for authentication is discouraged as a result of the file entry of the connectors cannot be set individually, solely on a employee degree. In different phrases, connectors can entry one another’s recordsdata and thus use one another’s secrets and techniques for authentication. 


On this article I’ve launched how Kafka Join is built-in with Cloudera Knowledge Platform, how connectors may be created and managed by means of the Streams Messaging Supervisor, and the way customers can make the most of safety features offered in CDP 7.2.15. In case you are and need check out CDP you need to use the CDP Public Cloud with a 60 days free trial utilizing the hyperlink campaign/try-cdp-public-cloud.html


Securing JAAS override

Kafka Join Secret Storage

configure purchasers to hook up with Apache Kafka Clusters securely – Half 3: PAM authentication

MySQL CDC with Kafka Join/Debezium in CDP Public Cloud

The utilization of safe Debezium connectors in Cloudera environments



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments