Security and CDC

Security for CDC is applied through Access Control Expressions (ACEs). In addition, if a secure cluster configuration is implemented, then additional setup may be needed depending on the configuration.

Access Control Expressions (ACEs)

Since Change Data Capture (CDC) changed data records are propagated from a HPE Ezmeral Data Fabric Database source table to a HPE Ezmeral Data Fabric Event Store stream topic, use the access control expressions (ACEs) on the source table and destination stream for establishing permissions.

Once a HPE Ezmeral Data Fabric Event Store stream is created for purposes of receiving change data records, it is dedicated for that sole purpose. For example, a producer application should not perform CRUD operations on the topics in the stream.

The following permissions are applicable depending on the scenario:

  • If you are a normal user and you want to create a changelog from a source table and to a destination stream topic, the following permissions are required:
    • replperm on the source table in the source cluster
    • topicperm on the destination stream in the destination cluster
  • If you are a normal user and want to create a changelog between your own HPE Ezmeral Data Fabric Database table and someone else's stream topic, you must be granted topicperm permissions on the destination stream.
  • If you are a normal user and want to receive or read the data in a stream topic, you must be granted consumeperm permission on the destination topic.

For more information about ACEs, see Managing Access Control Expressions

Secure Clusters

The destination HPE Ezmeral Data Fabric Event Store stream could be in same cluster as the HPE Ezmeral Data Fabric Database source table or it could be on a remote data-fabric cluster. The configuration setup depends on the purpose for using CDC.