Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
This page describes how to configure Lenses IAM to secure access to you Kafka cluster.
IAM (Identity and Access Management) in Lenses is controlled by Groups. Users and service accounts belong to groups. Permissions are assigned to groups and apply to the users and service accounts in those groups.
Authentication of users is determined by the configured authentication mechanism.
For automation use the CLI.
This page describes how to configure Lenses.
This section guides you through understanding what is required to utilize Lenses efficiently and securely.
Two files control Lenses configuration:
lenses.conf - contains most of the configuration
security.conf - sensitive configuration options such as passwords for authentication
A third, optionally, provisioning.yaml allows you to define your license and connection details to Kafka and other services in a file, that is dynamically pick up by Lenses.
JVM Options
Understand how to customize the Lenses JVM settings.
Logs
Understand and customize Lenses logging.
Identity & Access Management
Configure how users authenticate in Lenses.
Lenses Database
Configure the backing store for Lenses.
TLS
Configure TLS on Lenses for HTTPS.
Kafka ACLs
Configure the Kafka ACLs Lenses needs to operate.
Processor Modes
Configure how and where Lenses deploys SQL Processors.
JMX Metrics
Configure Lenses to expose JMX metrics.
Plugins
Add your own plugins to extend Lenses functionality.
Configuration Reference
Review Lenses configuration reference.
This page describes how to configure the default admin account for Lenses.
When you first log in to Lenses, use the default credentials admin/admin
The default account is a super user and can be used to create groups and other accounts with appropriate permissions.
The default account username and password may be adjusted as below.
We strongly recommend that you change the default password. If you don’t, you will be prompted with a dashboard notification.
For security purposes, it is strongly advised to use your password’s SHA256 checksum instead of the plaintext.
To create a SHA256 checksum for your password you can use the command line tools available in your Linux server or macOS.
To disable the Lenses Administrator user, set an adequately long random password. You can achieve this by using the snippet below:
This page describes configuring basic authentication in Lenses.
With Basic Auth, user accounts are managed by Lenses and a unique username and a password are used to log in.
For BASIC and LDAP authentication type, there is the option to set a policy to temporarily lock the account when successive login attempts fail. Once the lock time window has passed the user can log in again.
.
The internal database that stores user/group information is stored on disk, under the lenses.storage.directory or an external Postgres database.
If using the embedded H2 database keep this directory intact between updates and upgrades.
To enforce specific password rules the following configurations need to be set:
To not allow previous passwords to be reused, use the following configuration:
This page described configuring Lenses with a custom HTTP implementation for authentication.
With custom authentication, you can plug in your own authentication system by using HTTP headers.
In this approach, your own authentication proxy/code sitting in front of Lenses takes care of the authentication and injects appropriate Headers in all HTTP requests for verified users.
Set up a custom authentication layer by introducing in security.conf:
Lenses connects similarly to any other application to the infrastructure You can implement a plugin in a few hours in Java/Scala or other JVM technology by implementing one interface:
The returned object UserAndGroups will contain the username and the groups a person authentication belongs to (or raise an exception if no such user exists).
The best way to get started is to look into a sample open-source implementation of such a plugin in .
This section describes configuring user authentication in Lenses.
Authentication is configured in the security configuration file. Lenses Administrator and Basic Auth do not require any configuration.
Multiple authentication configurations can be used together.
Authentication settings go in security.conf.
The following authentication methods are available. Users, regardless of the method need to be mapped to groups.
For BASIC and LDAP authentication types, there is the option to set a policy to temporarily lock the account when successive login attempts fail. Once the lock time window has passed the user can log in again.
These two configuration entries enable the functionality (both of them have to be provided to take effect):
A Group is a collection of permissions that defines the level of access for users belonging to it. Groups consist of:
Namespaces
Application permissions
Administration permissions
When working with LDAP or Active Directory, user and group management is done in LDAP.
Lenses provides fine-grained role-based access (RBAC) for your existing groups of users over data and applications. Create a group in Lenses with the same name (case-sensitive) as in LDAP/AD.
When using an SSO solution such as Azure AD, Google, Okta, OneLogin or an open source like KeyCloak user and group management is done in the Identity Provider.
Lenses provides fine-grained role-based access (RBAC) for your existing groups of users over data and applications. Create a group in Lenses with the same name (case-sensitive) as in your SSO group.
With Basic Authentication, create groups of users and add users to those groups. Authentication and authorization are fully managed, and users can change their passwords.
This pages describes configuring Lenses with Azure SSO.
Groups are case-sensitive and mapped by UUID with Azure
Integrate your user-groups with Lenses using the Azure group IDs. Create a group in Lenses using the UUID as the name.
For example, if the Engineers group has the UUID ae3f363d-f0f1-43e6-8122-afed65147ef8, create a group with the same name.
Learn more about
Go to Enterprise applications > + New Application
Search for Lenses.io in the gallery directory
Choose a name for Lenses e.g. Lenses.io and click Add
Select Set up single sign on > SAML
Configure the SAML details
| Setting | Value |
|---|
Download the Federation Metadata XML file with the Azure IdP details. You will reference this file’s path in the Lenses security.conf configuration file.
This pages describes configuring Lenses with Google SSO.
Google doesn't expose the groups, or organization unit, of a user to a SAML app. This means we must set up a custom attribute for the Lenses groups that each user belongs to.
Open the from an administrator account.
Click the Users button
Select the More dropdown and choose Manage custom attributes
Click the Add custom attribute button
Fill the form to add a Text, Multi-value field for Lenses Groups, then click Add
Open the from an administrator account.
Click the Users button
Select the user to update
Click User information
Click the Lenses Groups attribute
Enter one or more groups and click Save
Click the Apps button
Click the SAML apps button
Select the Add App dropdown and choose Add custom SAML app
Enter a descriptive name for the Lenses installation
Configure in security.conf.
This pages describes configuring Lenses with Keycloak SSO.
Integrate your user groups with Lenses using the Keycloak group names. Create a group in Lenses using the same case-sensitive group name as in Keycloak.
For example, if the Engineers group is available in Keycloak, with Lenses assigned to it, create a group with the same name.
Go to Clients
Click Create
Fill in the details: see the table below.
Click Save
| Setting | Value |
|---|
Change the settings on client you just created to:
| Setting | Value |
|---|
Configure Keycloak to communicate groups to Lenses. Head to the Mappers section.
Click Create
Fill in the details: see table below.
Click Save
Configure in the security.conf file.
This page describes configuring Lenses with Azure AD via LDAP.
Azure AD supports the LDAP protocol. You can use it as an authentication provider with users, passwords, and groups stored in Azure AD. When a user is authenticated successfully, Lenses queries Azure AD to get the user’s groups and authorizes the user with the selected permissions.
Here is a sample Lenses configuration:
In the Azure portal create a resource. Search for Domain service and select Azure AD Domain Services from the options.
Set the DNS Domain Name as the same one you have with for your existing Azure AD tenant
In the Administration tab, you can manage the group membership for the AAD DC Administrator and control the members with access rights on Azure AD.
Azure AD Domain Services provides one-way synchronization from Azure Active Directory to the managed domain. Only certain attributes are synchronized to the managed domain, along with groups, group memberships and passwords.
The Synchronization tab provides two options. The first one is All, where everything will be synchronized to Azure AD DS managed domain. The second one is Scoped, which allows the selection of specific groups to be synced.
Once the managed domain is ready to be used, configure the DNS server settings for the Azure Virtual Network. Click the button configure:
For the DNS changes to be applied, all the VMs are required to be restarted.
Azure AD DS needs password hashes in a format that’s suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD does not generate or store password hashes in the format that’s required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant.
For security reasons, Azure AD doesn’t store any password credentials in clear-text form. Therefore, Azure AD can’t automatically generate these NTLM or Kerberos password hashes based on users’ existing credentials.
The Virtual Network to deploy Lenses, requires enabling Virtual Network Peering. This allows it to communicate with Azure AD DS. You should add the IPs that have been generated in the previous step as DNS Servers.
To enable the LDAP(S) protocol on Azure AD DS, use the following PowerShell to generate the self-signed certificate:
In case PowerShell is not available, you can use the openssl command. This following script generates a certificate for Azure AD DS.
Under Secure LDAP, upload the PFX certificate and make sure the options Allow secure LDAP and access over the Internet are enabled.
After the secure LDAP is enabled to allow secure LDAP access, use the Azure AD DS properties to review the external IP address that is used to expose the LDAP service.
Finally, you need to allow inbound traffic to the Azure AD DS network security group for the LDAPS port 636 and limit the access only to the the virtual machine or the range of the IPs to which they should have inbound access.
This page describes configuring Lenses with LDAP.
Lenses can be configured via LDAP handle the user authentication.
The groups that a user belongs to (authorization) may come either from LDAP (automatic mapping) or via manually mapping an LDAP user to a set of Lenses groups.
All the user’s groups are then matched by name (case sensitive) with the groups stored in Lenses. All the matching groups' permissions are combined. If a user has been assigned manually a set of Lenses groups, then the groups coming from LDAP are ignored.
Active Directory (AD) and OpenLDAP (with the memberOf overlay if LDAP group mapping is required) servers are tested and supported in general.
Due to the LDAP standard ambiguity, it is impossible to support all the configurations in the wild. The most common pain point is LDAP group mapping. If the default class that extracts and maps LDAP groups to Lenses groups does not work, it is possible to implement your own.
Before setting up an LDAP connection, we advise you to familiarize yourself with LDAP and/or have access to your LDAP and/or Active Directory administrators.
An LDAP setup example with LDAP group mapping is shown below:
In the example above you can distinguish three key sections for LDAP:
the connection settings,
the user search settings,
and the group search settings.
Lenses uses the connection settings to connect to your LDAP server. The provided account should be able to list users under the base path and their groups. The default group plugin only needs access to the memberOf attributes for each user, but your custom implementation may need different permissions.
When a user tries to log in, a query is sent to the LDAP server for all accounts that are under the lenses.security.ldap.base and match the lenses.security.ldap.filter. The result needs to be unique; a distinguished name (DN) —the user that will log in to Lenses.
In the example, the application would query the LDAP server for all entities under ou=Users,dc=example,dc=com that satisfy the LDAP filter (&(objectClass=person)(sAMAccountName=)) which would be replaced by the username that tries to login to Lenses. A more simple filter could be cn=, which for user Mark would return the DN cn=Mark,ou=Users,dc=example,dc=com.
Once the user has been verified, Lenses queries the user groups and maps them to Lenses groups. For every LDAP group that matches a Lenses group, the user is granted the selected permissions.
Depending on the LDAP setup, only one of the users or the Lenses service user may be able to retrieve the group memberships. This can be controlled by the option lenses.security.ldap.use.service.user.search.
The default value (false) uses the user itself to query for groups. Groups be can be created in the admin section of the web interface, or in the command line via the lenses-cli application.
Set lenses.security.ldap.use.service.user.search to true to use lenses.security.ldap.user account to list a logged user groups when your LDAP setup restricts most of the user's action to list their groups.
When working with LDAP or Active Directory, user and group management is done in LDAP.
Lenses provides fine-grained role-based access (RBAC) for your existing groups of users over data and applications.
Create a group in Lenses with the same name (case-sensitive) as in LDAP/AD.
If mapping LDAP groups to Lenses groups is not desired. Manually map LDAP users to Lenses groups, using the web interface, or the lenses-cli.
LDAP still provides the authentication, but all LDAP groups for this user are ignored.
When you create an LDAP user in Lenses, the username will be used in the search expression set in lenses.security.ldap.filter to authenticate them. If no user should be allowed to use the groups coming from LDAP, then this functionality should be disabled.
Set lenses.security.ldap.plugin.memberof.key or lenses.security.ldap.plugin.group.extract.regex to a bogus entry, rendering it unusable.
An example would be:
The group extract plugin is a class that implements an LDAP query that retrieves a user’s groups and makes any necessary transformation to match the LDAP group to a Lenses group name.
The default class implementation that comes with Lenses is io.lenses.security.ldap.LdapMemberOfUserGroupPlugin.
If your LDAP server supports the memberOf functionality, where each user has his/her group memberships added as attributes to his/her entity, you can use it by setting the lenses.security.ldap.plugin.class option to this class:
Below you will see a brief example of its setup.
As an example, the memberOf search may return two attributes for user Mark:
The regular expression (?i)cn=(\w+),ou=Groups.* will return these two regex group matches:
If any of these groups exist in Lenses, Mark will be granted the permissions of the matching groups.
The lenses.security.ldap.plugin.group.extract.regex should contain exactly one regular expression capturing group.
If you need to apply more groups for your matching purposes, you should use non-capturing groups (e.g (?:groupRegex).
As an example, the regular expression (?i)cn=((?:Kafka|Apps)Admin),ou=Groups,dc=example,dc=com applied to memberOf attributes:
will return these two regex group matches:
Do not forget to grant to the account any permissions it may need for your plugin to work.
The following configuration entries are specific to the default group plugin. A custom LDAP plugin might require different entries under lenses.security.ldap.plugin:
Learn more about
Open the from an administrator account.
Upload a
| Setting | Value |
|---|
Read the details from Microsoft on how to .
Read more details on
If your LDAP does not offer the memberOf functionality or uses a complex setup, you can provide your own implementation. Start with the code on , create a JAR, and add it to the plugins/ folder and set your implementation’s full classpath:
Azure SSO
Configure Azure SSO for Lenses.
Google SSO
Configure Google SSO for Lenses.
Keycloak SSO
Configure Keycloak SSO for Lenses.
Okta SSO
Configure Okta SSO for Lenses.
Onelogin SSO
Configure Onelogin SSO for Lenses.
Client ID | Use the |
Client Protocol | Set it to |
Client Saml Endpoint | This is the Lenses API point for Keycloak to call back. Set it to |
Name |
|
Description | (Optional) Add a description to your app. |
SAML Signature Name |
|
Client Signature Required |
|
Force POST Binding |
|
Front Channel Logout |
|
Force Name ID Format |
|
Name ID Format |
|
Root URL | Use the |
Valid Redirect URIs | Use the |
Name |
|
Mapper Type |
|
Group attribute name |
|
Single Group Attribute |
|
Full group path |
|
Identifier (Entity ID) | Use the |
Reply URL | Use the |
Sign on URL | Use the |
This pages describes configuring Lenses with Okta SSO.
Groups are case-sensitive and mapped by name with Okta
Integrate your user-groups with Lenses using the Okta group names. Create a group in Lenses using the same case-sensitive group name as in Okta.
For example, if the Engineers group is available in Okta, create a group with the same name.
Lenses is available directly in Okta’s Application catalog.
Go to Applications > Applications
Click Add Application
Search for Lenses
Select by pressing Add
App label: Lenses
Set the base url of your lenses installation e.g. https://lenses-dev.example.com
Click Done
Download the Metadata XML file with the Okta IdP details.
Go to Sign On > Settings > SIGN ON METHODS
Click on Identity Provider metadata and download the XML data to a file.
You will reference this file’s path in the security.conf configuration file.
This page describe creating and managing groups in Lenses.
A Group is a collection of permissions that defines the level of access for users belonging to it. Groups consist of:
Namespaces
Application permissions
Administration permissions
Groups must be pre-created, and the group's names in Lenses must match (case sensitive) those in the SSO provider.
To create a new Group, go to Admin->Groups->New Group.
For every Group, you must set the data namespaces for Kafka or other available connections to data sources.
Groups must be given names, optionally a description.
Namespace permissions define the access to datasets. and
Each group must have a namespace. A namespace is a set of permissions that apply to topics or a set of topics, for example, prod*. This allows you to define virtual multi-tenancy.
Application permissions define how a user can interact with applications and linked resources associated with those datasets.
Application permissions cover:
Viewing or resetting Consumer group offsets linked to a group's namespaces
Deploying or viewing connectors linked to a group's namespaces
Deploying or viewing SQL Processors linked to a group's namespaces
Additionally, application permissions define whether a group can access a specified Connect cluster.
Admin permissions refer to activities that are in the global scope of Lenses and affect all the related entities.
The user’s session in the SSO provider is too old.
The system clocks of the SSO provider and the Lenses instance are out of sync.
For security purposes, Lenses prevents authenticating SSO users that have remained logged in SSO for a very long time.
Example: You use Okta SSO and, you logged in to Okta a year ago. Okta might allow you to remain logged in along that year without having to re-authenticate. Lenses has a limit of 100 days. In that case, Lenses will receive an authenticated user that originally logged in before the 100 days mark.
Ensure that the SSO and Lenses system clocks are in sync.
If the SSO provider supports very long sessions either:
Log out of the SSO and log back in. This explicitly renews the SSO session.
Increase the Lenses limit to more than 100 days.
Example:
This pages describes configuring Lenses with Onelogin SSO.
Groups are case-sensitive and mapped to roles, by name, with OneLogin
Integrate your user roles with Lenses using the Keycloak role names. Create a group in Lenses using the same case-sensitive role name as in OneLogin.
For example, if the Engineers role is available in OneLogin, create a group with the same name.
Lenses is available in the OneLogin Application catalog.
Visit OneLogin’s Administration console. Select Applications > Applications > Add App
Search and select Lenses
Optionally add a description and click save
In the Configuration section set the base path from the url of the Lenses installation e.g. lenses-dev.example.com ( without the https://)
Click Save
Use the More Actions button
Click and download the SAML Metadata
You will reference this file’s path in the security.conf configuration file.
This page describes configuring Lenses with Kerberos.
Deprecated in Lenses 6.0
Kerberos uses SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) for authentication.
Kerberos will automatically log in authorized users when using the /api/auth REST endpoint. If using Microsoft Windows, logging into your Windows domain is usually sufficient to issue your Kerberos credentials.
On Linux, if you use Kerberos with PAM, your Kerberos credentials should be already available to Kerberos-enabled browsers. Otherwise, you will need to authenticate to the KDC manually using kinit at the command line and start your browser from the same terminal.
In order to use Kerberos authentication in Lenses, both a static configuration and Kerberos Connection is required.
Static configuration
To set up Kerberos you need a Kerberos principal and a password-less keytab. Add them in security.conf before starting Lenses:
Kerberos Connection
A Kerberos Connection should be defined in order to use a proper krb5.conf
This page describes how create and use Lenses Service Accounts.
Service accounts require an authentication token to be authenticated and must belong to at least one group for authorization.
Service accounts are commonly used for automation, for example, when using Lenses CLI or APIs, or any other application or service to interact with Lenses.
Service account tokens are not recoverable. You can edit, revoke or delete a Service Account, but you can never retrieve the original token.
To create a new Service Account, navigate to the Admin and select Users and New Service Account.
You can manually enter the authentication token or autogenerate it. If you select to auto-generate tokens, then you will receive a one-time token for this service account. Follow the instructions and copy and store this token. You can now use this token to authenticate via API and CLI.
You can only change the groups and owner of services accounts. Go to the service account and select Edit Info, from the Actions menu.
To change the token, go to the service account and select Revoke Token from the Actions menu.
To use the service account you need to prefix the token with its name separated by a colon. You then include that in the corresponding header.
For a service account named myservice and a token da6bad50-55c8-4ed4-8cad-5ebd54a18e26 then the combination looks like this:
myservice:28ab4195-18cf-426a-abda-c41a451e001a
To use the CLI with a service account for CI/CD you need to pass these options:
This page describes managing users in Lenses.
Users must be assigned to a group. SSO and LDAP users are mapped to a group matching the group name provided by the Idp.
Group name matching is case-sensitive.
Multiple types of users can be supported at the same time.
Select Admin->Users->New User->Basic Auth.
By default, users are mapped to the group provided by the SSO provider. If you wish to override the group mapping from your SSO, users can be created directly in Lenses and you can manually map the user to a group.
By default, users are mapped to the group provided by the LDAP server. If you wish to override the group mapping you manually map the user to a group.
Lenses allows you to view users and:
Authentication type
Groups they belong to
Last login
Go to Admin -> Users.
This page contains the Lenses IAM permission references.
This matrix shows both display name (first column) and code name (second column) for permissions. Knowing code name may be helpful while using API / CLI.
| Permission | Code name | Description |
|---|
This matrix shows both display name (first column) and code name (second column) for permissions. Knowing code name may be helpful while using API / CLI.
This page describes the how to retrieve Lenses JMX metrics.
The JMX endpoint is managed by the lenses.jmx.port option. To disable the JMX leave the option empty.
To enable monitoring of Lenses metrics:
To export via Prometheus exporter:
The Lenses Docker image (lensesio/lenses) automatically sets up the Prometheus endpoint. You only have to expose the 9102 port to access it.
This will be done in two parts. The first part is about setting up the required files that JMX Agent will require and the second is about the options we need to pass to the agent.
First let’s create a new folder called jmxremote
To enable basic auth JMX, first create two files:
jmxremote.access
jmxremote.password
The password file has the credentials that the JMX agent will check during client authentication
The above code is registering 2 users.
UserA:
username admin
password admin
UserB:
username: guest
password: admin
The access file has authorization information, like who is allowed to do what.
In the above code, we can see that the admin user can do read and write operations in JMX, while guest user can only read the JMX content.
Now, to enable JMX with basic auth protection, all we need to do is pass the following options in the JRE’s env that will run the Java process you need to protect the jmx.
Let’s assume this java process is Kafka.
Change the permissions on both files so only owner can edit and view them.
If you do not change the permissions to 0600 and to the user that will run the jre process, then JMX will Agent will cause an error complaining that the Process is not the owner of the files that will be used for authentication and authorization.
Finally export the following options in the user’s env which will run Kafka.
First setup JMX with basic auth as shown in the Secure JMX: Basic Auth page.
To enable TLS Encryption/Authentication in JMX you need a jks keystore and truststore.
Please note that both JKS Truststore and Keystore should have the same password.
The reason for this is because the javax.net.ssl class will use the password you pass to the Keystore as the keypassword
Let’s assume this java process is Kafka and that you have installed the keystore.jks and truststore.jks under `/etc/certs``
Export the following options in the user’s env which will run Kafka.
This page describes how to configure the storage layer Lenses.
Lenses state can be stored:
on the local filesystem - (quick start and default option)
in a PostgreSQL database - (recommended) and takes preference when configured
Start with Postgres if possible to avoid migrations from H2 when moving to production. H2 is not recommended in production environments.
If any Postgres configuration is defined either in lenses.conf or security.conf, the storage mode will switch to Postgres.
Databases settings go in security.conf.
By default, Lenses will store its internal state in the storage folder. We advise explicitly setting this location, ensuring the Lenses process has permission to read and write files in this directory and have an upgrade and backup policy.
Lenses can persist their internal state to a remote PostgreSQL database server.
Current minimum requirements:
Postgres server running version 9.6 or higher
The recommended configuration is to create a dedicated login role and database for the agent, setting the agent role as the database owner. This will mean the agent will only be able to manage that database and require no superuser privileges.
Example psql command for initial setup:
You can then configure Lenses as so:
Enabling PostgreSQL storage for an existing Lenses installation means the data will be automatically migrated to the PostgreSQL schema on the first run.
After this process has succeeded, a lensesdb.postgresql.migration file will be created in the local storage directory to flag that the migration has already been run. You can then delete the local storage directory and remove the lenses.storage.directory configuration.
If, for whatever reason, you want to re-run the migration to PostgreSQL, deleting the lensesdb.postgresql.migration file will cause Lenses to re-attempt migration on the next restart. The migration process will fail if it encounters any data that can’t be migrated into PostgreSQL, so re-running the migration should only be done on an empty PostgreSQL schema to avoid duplicate record failures.
Lenses use the HikariCP library for high-performance database connection pooling.
The default settings should perform well but can be overridden via the lenses.storage.hikaricp configuration prefix. The supported parameters can be found in the HikariCP documentation.
Camelcase configuration keys are not supported in agent configuration and should be translated to "dot notation"
For example:
This page describes the JVM options for Lenses.
Lenses runs as a JVM app; you can tune runtime configurations via environment variables.
| Key | Description |
|---|
This page describes how to configure TLS for Lenses.
TLS settings go in security.conf.
To use a non-default global truststore, set the path in accordingly with the LENSES_OPTS variable.
To use a custom truststore set the following in security.conf. Supported types: jks, pkcs12.
To enable mutual TLS, set your keystore accordingly.
This page describes the ACLs that need to be configured on your Kafka Cluster if ACLs are enabled, for Lenses to function.
These ACLs are for the underlying Lenses Kafka client. Lenses has its own set of permissions guarding access.
You can restrict the access of the Lenses Kafka client but this can reduce the functionality on offer in Lenses, e.g. not allow Lenses to create topic at all, even though this can be managed by .
When your Kafka cluster is configured with an authorizer which enforces ACLs, Lenses will need a set of permissions to function correctly.
Common practice is to give Lenses superuser status or the complete list of available operations for all resources. The fine-grained permission model of Lenses can then be used to restrict the access level per user.
The agent needs permission to manage and access their own internal Kafka topics:
__topology
__topology__metrics
It also needs to read and describe permissions for the consumer offsets and Kafka Connect topics —if enabled:
__consumer_offsets
connect-configs
connect-offsets
connect-status
This same set of permissions is required for any topic that the agent must have read access.
DescribeConfigs was added in Kafka 2.0. It may not be needed for versions before 2.2.
Additional permissions are needed to produce topics or manage them.
Permission to at least read and describe consumer groups is required to take advantage of the Consumer Groups' monitoring capabilities.
Additional permissions are needed to manage groups.
To manage ACLs, permission to the cluster is required:
| Permission | Description |
|---|
| Permission | Code name | Description |
|---|
Additional configuration for the PostgreSQL database connection can be passed under the lenses.storage.postgres.properties configuration prefix. The supported parameters can be found in the . For example:
View Kafka Settings | ViewKafkaSettings | Allows viewing Kafka ACLs, Quotas |
Manage Kafka Settings | ManageKafkaSettings | Allows managing Kafka ACLs, Quotas |
View Log | ViewLogs | Allows viewing Lenses logs |
View Users | ViewUsers | Allows viewing the users, groups and service accounts |
Manage Users | ManageUsers | Allows to add/remove/update/delete users,groups and service accounts |
View Alert Rules | ViewAlertRules | Allows viewing the alert settings rules |
Manage Alert Rules | ManageAlertRules | Allows adding/deleting/updating alert settings rules |
View Audit | ViewAuditLogs | Allows viewing the audit records |
View Data Policies | ViewDataPolicies | Allows viewing the data policies |
Manage Data Policies | ManageDataPolicies | Allows to add/remove/update data policies |
Manage Connections | ManageConnections | Allows to add/remove/update connections |
View Approvals | ViewApprovalRequest | Allows viewing raised approval requests |
Manage Approvals | ManageApprovalRequest | Allows to accept/reject requests |
Manage Lenses License | ManageLensesLicense | Allows to update Lenses license at runtime via the Lenses API |
Manage Audit Logs | ManageAuditLogs | Allows deleting audit logs |
Show | Allows viewing the topic name and basic info |
Query | Allows viewing the data in a topic |
Create | Allows creating topics |
Create Topic Request | Topics are not created directly, they are sent for approval |
Drop | Allows deleting topics |
Configure | Allows changing a topic configuration |
Insert Data | Allows inserting data into the topic |
Delete Data | Allows deleting data from the topic |
Update Schema | Allows configuring the topic storage format and schema |
View Schema | Allows viewing schema information |
Show Index | Allows viewing Elasticsearch index information |
Query Index | Allows viewing the data in an Elasticsearch index |
View SQL Processors | ViewSQLProcessors | Allows viewing the SQL processors |
Manage SQL Processors | ManageSQLProcessors | Allows to add/remove/stop/delete SQL processors |
View Schemas | ViewSchemaRegistry | Allows viewing your Schema Registry entries |
Manage Schema Registry | ManageSchemaRegistry | Allows to add/remove/update/delete your Schema Registry entries |
View Topology | ViewTopology | Allows viewing the data pipeline topology |
Manage Topology | ManageTopology | Allows decommissioning topology applications |
View Kafka Connectors | ViewConnectors | Allows viewing running Kafka Connectors |
Manage Kafka Connectors | ManageConnectors | Allows to add/update/delete/stop Kafka Connectors |
View Kafka Consumers | ViewKafkaConsumers | Allows viewing the Kafka Consumers details |
Manage Kafka Consumers | ManageKafkaConsumers | Allows changing the Kafka Consumers offset |
Connect Clusters Access | - | Allows to use Connect Clusters |
LENSES_OPTS | For generic settings, such as the global truststore. Note that the docker image is using this to plug in a prometheus java agent for monitoring Lenses |
LENSES_HEAP_OPTS | JVM heap options. Default setting are |
LENSES_JMX_OPTS | Tune the JMX options for the JVM i.e. to allowing remote access. |
LENSES_LOG4J_OPTS | Override Lenses logging configuration. Should only be used to set the logback configuration file, using the format |
LENSES_PERFORMANCE_OPTS | JVM performance tuning. The default settings are |
This page describes how to install plugins in Lenses.
The following implementations can be specified:
Serializers/Deserializers Plug your serializer and deserializer to enable observability over any data format (i.e., protobuf / thrift)
Custom authentication Authenticate users on your proxy and inject permissions HTTP headers.
LDAP lookup Use multiple LDAP servers or your group mapping logic.
SQL UDFs User Defined Functions (UDF) that extend SQL and streaming SQL capabilities.
Once built, the jar files and any plugin dependencies should be added to Lenses and, in the case of Serializers and UDFs, to the SQL Processors if required.
On startup, Lenses loads plugins from the $LENSES_HOME/plugins/ directory and any location set in the environment variable LENSES_PLUGINS_CLASSPATH_OPTS. These locations Lenses is watching, and dropping a new plugin will hot-reload it. For the Lenses docker (and Helm chart) you use /data/plugins.
Any first-level directories under the paths mentioned above, detected on startup will also be monitored for new files. During startup, the list of monitored locations will be shown in the logs to help confirm the setup.
Whilst all jar files may be added to the same directory (e.g /data/plugins), it is suggested to use a directory hierarchy to make management and maintenance easier.
An example hierarchy for a set of plugins:
There are two ways to add custom plugins (UDFs and Serializers) to the SQL Processors; (1) via making available a tar.gz archive at an HTTP (s) address, or (2) via creating a custom docker image.
With this method, a tar archive, compressed with gzip, can be created that contains all plugin jars and their dependencies. Then this archive should be uploaded to a web server that the SQL Processors containers can access, and its address should be set with the option lenses.kubernetes.processor.extra.jars.url.
Step by step:
Create a tar.gz file that includes all required jars at its root:
Upload to a web server, ie. https://example.net/myfiles/FILENAME.tar.gz
Set
For the docker image, set the corresponding environment variable
The SQL Processors that run inside Kubernetes use the docker image lensesio-extra/sql-processor. It is possible to build a custom image and add all the required jar files under the /plugins directory, then set lenses.kubernetes.processor.image.name and lenses.kubernetes.processor.image.tag options to point to the custom image.
Step by step:
Create a Docker image using lensesio-extra/sql-processor:VERSION as a base and add all required jar files under /plugins:
Upload the docker image to a registry:
Set
For the docker image, set the corresponding environment variables
This page describes how to configure the agent to deploy and manage SQL Processors for stream processing.
Set in lenses.conf
Lenses can be used to define & deploy stream processing applications that read from Kafka and write back to Kafka with SQL. They are based on the Kafka Stream framework. They are known as SQL Processors.
SQL processing of real-time data can run in 2 modes:
SQL In-Process - the workload runs inside of Lenses.
SQL in Kubernetes - the workload runs & scale on your Kubernetes cluster.
Which mode the SQL Processors will run as should be defined within the lenses.conf before Lenses is started.
In this mode, SQL processors run as part of the Lenses process, sharing resources, memory, and CPU time with the rest of the platform.
This mode of operation is meant to be used for development only.
As such, the agent will not allow the creation of more than 50 SQL Processors in In Process mode, as this could impact the platform's stability and performance negatively.
For production, use the KUBERNETES mode for maximum flexibility and scalability.
Set the execution configuration to IN_PROC
Set the directory to store the internal state of the SQL Processors:
SQL processors use the same connection details that Lenses uses to speak to Kafka and Schema Registry. The following properties are mounted, if present, on the file system for each processor:
Kafka
SSLTruststore
SSLKeystore
Schema Registry
SSL Keystore
SSL Truststore
The file structure created by applications is the following: /run/[lenses_installation_id]/applications/
Keep in mind Lenses require an installation folder with write permissions. The following are tried:
/run
/tmp
Kubernetes can be used to deploy SQL Processors. To configure Kubernetes, set the mode to KUBERNETES and configure the location of the kubeconfig file.
When Lenses is deployed inside Kubernetes, the lenses.kubernetes.config.file configuration entry should be set to an empty string. The Kubernetes client will auto-configure from the pod it is deployed in.
The SQL Processor docker image is live in Dockerhub.
Custom serdes should be embedded in a new Lenses SQL processor Docker image.
To build a custom Docker image, create the following directory structure:
Copy your serde jar files under processor-docker/serde.
Create Dockerfile containing:
Build the Docker.
Once the image is deployed in your registry, please set Lenses to use it (lenses.conf):
Don't use the LPFP_ prefix.
Internally, Lenses prefixes all its properties with LPFP_.
Avoid passing custom environment variables starting with LPFP_ as it may cause the processors to fail.
To deploy Lenses Processors in Kubernetes the suggested way is to activate RBAC in Cluster level through Helm values.yaml:
If you want to limit the permissions Lenses has against your Kubernetes cluster, you can use Role/RoleBinding resources instead.
To achieve this you need to create a Role and a RoleBinding resource in the namespace you want the processors deployed to:
example for:
Lenses namespace = lenses-ns
Processor namespace = lenses-proc-ns
You can repeat this for as many namespaces you may want Lenses to have access to.
Finally you need to define in Lenses configuration which namespaces can Lenses access. To achieve this amend values.yaml to contain the following:
example:
Rate limit the calls Lenses makes to Schema Registries and Connect Clusters.
Careful monitoring of the data managed by the configured Schema Registry is paramount in order for Lenses to provide its users with the most up-to-date data.
For most cases, this monitoring doesn't cause any issues, but it might happen that, in some cases, Lenses is forced to access the Schema Registry too often.
If this happens, or if you want to make sure Lenses does not go over a rate limit imposed by the Schema Registry, it is possible to throttle Lenses usage of the Schema Registry's API.
In order to do so, it is possible to set the following Lenses configuration:
Doing so will make sure Lenses does not issue more than maxRequests over any window period.
The exact values provided will depend on things like the resources of the machine hosting the Schema Registry, the number of schemas, how often are new schemas added, so some trial and error is required. These values should however define a rate smaller than the one allowed by the Schema Registry.
This page describes configuring Lenses logging.
All logs are emitted unbuffered as a stream of events to both stdout and to rotating files inside the directory logs/.
The logback.xml file is used to configure logging.
If customization is required, it is recommended to adapt the default configuration rather than write your own from scratch.
The file can be placed in any of the following directories:
the directory where Lenses is started from
/etc/lenses/
agent installation directory.
The first one found, in the above order, is used, but to override this and use a custom location, set the following environment variable:
The default configuration file is set up to hot-reload any changes every 30 seconds.
The default log level is set to INFO (apart from some very verbose classes).
All the log entries are written to the output using the following pattern:
You can adjust this inside logback.xml to match your organization’s defaults.
logs/ you will find three files: lenses.log, lenses-warn.log and metrics.log. The first contains all logs and is the same as the stdout. The second contains only messages at level WARN and above. The third one contains timing metrics and can be useful for debugging.
The default configuration contains two cyclic buffer appenders: "CYCLIC-INFO” and “CYCLIC-METRICS”. These appenders are required to expose the Lenses logs within the Admin UI.
Configuring Lenses Websockets to work with Load Balancers.
Lenses uses Websockets. It can be that your load balancers block them by default. Depending on your load balancer you need to allow websockets.
For example on NGINX:
If it is exposed via a service type LoadBalancer, ensure the protocol between the load balancer and NGINX is set to TCP. See Kubernetes documentation for more information.
Lenses can be placed behind a proxy, but you must allow websocket connections.
These two paths are used for WebSocket connections:
/api/ws
/api/kafka/ws
Disable proxy buffering for SSE (Server Sent Events) connections on this path:
/api/sse
Lenses supports TLS termination out of the box, see Enabling TLS
This page lists the available configurations in Lenses.
Reference documentation of all configuration and authentication options:
Set in lenses.conf
| Key | Description | Default | Type | Required |
|---|---|---|---|---|
System or control topics are created by services for their internal use. Below is the list of built-in configurations to identify them.
_schemas
__consumer_offsets
_kafka_lenses_
lsql_*
lsql-*
__transaction_state
__topology
__topology__metrics
_confluent*
*-KSTREAM-*
*-TableSource-*
*-changelog
__amazon_msk*
Wildcard (*) is used to match any name in the path to capture a list of topics not just one. When the wildcard is not specified, Lenses matches on the entry name provided.
Set in security.conf
LDAP or AD connectivity is optional. All settings are string.
Set in security.conf
An additional configuration setting lenses.security.ldap.use.service.user.search when set to true will use the lenses.security.ldap.user account to read the groups of the currently logged user. The default behaviour (false) uses the currently logged user to read group memberships.
Set in security.conf
Set in security.conf
Set in lenses.conf
If the records schema is centralized, the connectivity to Schema Registry nodes is defined by a Lenses Connection.
There are two static config entries to enable/disable the deletion of schemas:
Set in lenses.conf
Options for specific deployment targets:
Global options
Kubernetes
Common settings, independently of the underlying deployment target:
Kubernetes connectivity is optional. Minimum supported K8 version 0.11.10. All settings are string.
Set in lenses.conf
Optimization settings for SQL queries.
Set in lenses.conf
Lenses requires these Kafka topics to be available, otherwise, it will try to create them. The topics can be created manually before Lenses is run, or allow Lenses the correct Kafka ACLs to create the topics:
Set in lenses.conf
To allow for fine-grained control over the replication factor of the three topics, the following settings are available:
When configuring the replication factor for your deployment, it's essential to consider the requirements imposed by your cloud provider. Many cloud providers enforce a minimum replication factor to ensure data durability and high availability. For example, IBM Cloud mandates a minimum replication factor of 3. Therefore, it's crucial to set the replication factor for the Lenses internal topics to at least 3 when deploying Lenses on IBM Cloud.
All time configuration options are in milliseconds.
Set in lenses.conf
Set in lenses.conf
Control how Lenses identifies your connectors in the Topology view. Catalogue your connector types, set their icons, and control how Lenses extracts the topics used by your connectors.
Lenses comes preconfigured for some of the popular connectors as well as the Stream Reactor connectors. If you see that Lenses doesn’t automatically identify your connector type then use the lenses.connectors.info setting to register it with Lenses.
Add a new HOCON object {} for every new Connector in your lenses.connectors.info list :
This configuration allows the connector to work with the topology graph, and also have the RBAC rules applied to it.
To extract the topic information from the connector configuration, source connectors require an extra configuration. The extractor class should be: io.lenses.config.kafka.connect.SimpleTopicsExtractor. Using this extractor requires an extra property configuration. It specifies the field in the connector configuration which determines the topics data is sent to.
Here is an example for the file source:
An example of a Splunk sink connector and a Debezium SQL server connector
Set in lenses.conf
| Key | Description | Default |
|---|---|---|
| Key | Description | Default |
|---|---|---|
| Key | Description | Default |
|---|---|---|
| Key | Description | Default |
|---|---|---|
| Key | Description | Default | Type | Required |
|---|---|---|---|---|
| Key | Description | Default | Type | Required |
|---|---|---|---|---|
| Key | Description | Default | Type | Required |
|---|---|---|---|---|
| Key | Description | Type |
|---|---|---|
| Key | Description | Default |
|---|---|---|
| Key | Description | Default |
|---|---|---|
| Key | Description | Type | Default |
|---|---|---|---|
| Key | Description | Partition | Replication | Default | Compacted | Retention |
|---|---|---|---|---|---|---|
| Key | Description | Default |
|---|---|---|
| Key | Description | Type | Default |
|---|---|---|---|
| Key | Description | Default | Type | Required |
|---|---|---|---|---|
lenses.ip
Bind HTTP at the given endpoint. Use in conjunction with lenses.port
0.0.0.0
string
no
lenses.port
The HTTP port to listen for API, UI and WS calls
9991
int
no
lenses.jmx.port
Bind JMX port to enable monitoring Lenses
int
no
lenses.root.path
The path from which all the Lenses URLs are served
string
no
lenses.secret.file
The full path to security.conf for security credentials
security.conf
string
no
lenses.sql.execution.mode
Streaming SQL mode IN_PROC (test mode) or KUBERNETES (prod mode)
IN_PROC
string
no
lenses.offset.workers
Number of workers to monitor topic offsets
5
int
no
lenses.telemetry.enable
Enable telemetry data collection
true
boolean
no
lenses.kafka.control.topics
An array of topics to be treated as “system topics”
list
array
no
lenses.grafana
Add your Grafana url i.e. http://grafanahost:port
string
no
lenses.api.response.cache.enable
If enabled, it disables client cache on the Lenses API HTTP responses by adding these HTTP Headers: Cache-Control: no-cache, no-store, must-revalidate, Pragma: no-cache, and Expires: -1.
false
boolean
no
lenses.workspace
Directory to write temp files. If write access is denied, Lenses will fallback to /tmp.
/run
string
no
lenses.access.control.allow.methods
HTTP verbs allowed in cross-origin HTTP requests
GET,POST,PUT,DELETE,OPTIONS
lenses.access.control.allow.origin
Allowed hosts for cross-origin HTTP requests
*
lenses.allow.weak.ssl
Allow https:// with self-signed certificates
false
lenses.ssl.keystore.location
The full path to the keystore file used to enable TLS on Lenses port
lenses.ssl.keystore.password
Password for the keystore file
lenses.ssl.key.password
Password for the ssl certificate used
lenses.ssl.enabled.protocols
Version of TLS protocol to use
TLSv1.2
lenses.ssl.algorithm
X509 or PKIX algorithm to use for TLS termination
SunX509
lenses.ssl.cipher.suites
Comma separated list of ciphers allowed for TLS negotiation
lenses.security.ldap.url
LDAP server URL (TLS, StartTLS and unencrypted supported)
lenses.security.ldap.user
LDAP user account. Must be able to list users and their groups. The distinguished name (DN) must be used
lenses.security.ldap.password
LDAP account password
lenses.security.ldap.base
LDAP base path for querying user accounts. All user accounts that will be able to access Lenses should be under this path
lenses.security.ldap.filter
LDAP query filter for matching users. Lenses will request all entries under the base path that satisfy this filter. The result should be unique
(&(objectClass=person)(sAMAccountName=<user>))
lenses.security.ldap.plugin.class
Full classpath that implements the LDAP query for the user’s groups. You can use the implementation that comes with Lenses if your LDAP setup is supported
lenses.security.ldap.plugin.memberof.key
LDAP user attribute that provides memberOf information. In most implementations the attribute has the same name, so you don’t have to set anything. Used by the default plugin
memberOf
lenses.security.ldap.plugin.group.extract.regex
A regular expression to extract a part of the user’s groups. If this part matches a Lenses group, the user will be granted all the permissions of this group. Lenses checks against the list of memberOf attribute values and uses the first regex group that is returned
(?i)CN=(\\w+),ou=Groups.*
lenses.security.ldap.plugin.person.name.key
This key is used by the included LDAP plugin class LdapMemberOfUserGroupPlugin. It expects the LDAP user attribute that provides the full name of the user
sn
lenses.security.saml.base.url
Lenses HTTPS URL that matches the Service Provider (SP) and part of the Identity Provider (IdP) SAML handshake i.e. https://lenses-dev.example.com
lenses.security.saml.sp.entityid
SAML Service Provider (SP) Entity ID for Lenses, used as part of the SAML handshake protocol.
lenses.security.saml.idp.provider
The Identity Provider (IdP) type: azure, google, keycloak, okta, onelogin
lenses.security.saml.idp.metadata.file
Path to XML file provided by the Identity Provider. e.g. /path/to/saml-idp.xml
lenses.security.saml.idp.session.lifetime.max
The maximum “duration since login” to accept from IdP. A SAML safety measure that is usually not used. See the duration syntax.
100days
lenses.security.saml.keystore.location
Location for the Java keystore file to be used for SAML crypto i.e. /path/to/keystore.jks
lenses.security.saml.keystore.password
Password for accessing the keystore
lenses.security.saml.key.alias
Alias to use for the private key within the keystore (only required when the keystore has multiple keys)
lenses.security.saml.key.password
Password for accessing the private key within the keystore
lenses.security.kerberos.service.principal
The Kerberos principal for Lenses to use in the SPNEGO form: HTTP/lenses.address@REALM.COM
lenses.security.kerberos.keytab
Path to Kerberos keytab with the service principal. It should not be password protected
lenses.security.kerberos.debug
Enable Java’s JAAS debugging information
false
lenses.storage.hikaricp.[*]
To pass additional properties to HikariCP connection pool
no
lenses.storage.directory
The full path to a directory for Lenses to use for persistence
"./storage"
string
no
lenses.storage.postgres.host
Host of PostgreSQL server for Lenses to use for persistence
string
no
lenses.storage.postgres.port
Port of PostgreSQL server for Lenses to use for persistence
5432
integer
no
lenses.storage.postgres.username
Username for PostgreSQL database user
string
no
lenses.storage.postgres.password
Password for PostgreSQL database user
string
no
lenses.storage.postgres.database
PostgreSQL database name for Lenses to use for persistence
string
no
lenses.storage.postgres.schema
PostgreSQL schema name for Lenses to use for persistence
"public"
string
no
lenses.storage.postgres.properties.[*]
To pass additional properties to PostgreSQL JDBC driver
no
lenses.schema.registry.delete
Allow schemas to be deleted. Default is false
boolean
lenses.schema.registry.cascade.delete
Deletes associated schemas when a topic is deleted. Default is false
boolean
lenses.deployments.events.buffer.size
Buffer size for events coming from Deployment targets such as Kubernetes
10000
lenses.deployments.errors.buffer.size
Buffer size for errors happening on the communication between Lenses and the Deployment targets such as Kubernetes
1000
lenses.kubernetes.processor.image.name
The url for the streaming SQL Docker for K8
lensesioextra/sql-processor
lenses.kubernetes.processor.image.tag
The version/tag of the above container
5.2
lenses.kubernetes.config.file
The path for the kubectrl config file
/home/lenses/.kube/config
lenses.kubernetes.pull.policy
Pull policy for K8 containers: IfNotPresent or Always
IfNotPresent
lenses.kubernetes.service.account
The service account for deployments. Will also pull the image
default
lenses.kubernetes.init.container.image.name
The docker/container repository url and name of the Init Container image used to deploy applications to Kubernetes
lensesio/lenses-cli
lenses.kubernetes.init.container.image.tag
The tag of the Init Container image used to deploy applications to Kubernetes
5.2.0
lenses.kubernetes.watch.reconnect.limit
How many times to reconnect to Kubernetes Watcher before considering the cluster unavailable
10
lenses.kubernetes.watch.reconnect.interval
How often to wait between Kubernetes Watcher reconnection attempts expressed in milliseconds
5000
lenses.kubernetes.websocket.timeout
How long to wait for a Kubernetes Websocket response expressed in milliseconds
15000
lenses.kubernetes.websocket.ping.interval
How often to ping Kubernetes Websocket to check it’s alive expressed in milliseconds
30000
lenses.kubernetes.pod.heap
The max amount of memory the underlying Java process will use
900M
lenses.kubernetes.pod.min.heap
The initial amount of memory the underlying Java process will allocate
128M
lenses.kubernetes.pod.mem.request
The value will control how much memory resource the Pod Container will request
128M
lenses.kubernetes.pod.mem.limit
The value will control the Pod Container memory limit
1152M
lenses.kubernetes.pod.cpu.request
The value will control how much cpu resource the Pod Container will request
null
lenses.kubernetes.pod.cpu.limit
The value will control the Pod Container cpu limit
null
lenses.kubernetes.namespaces
Object setting a list of Kubernetes namespaces that Lenses will see for each of the specified and configured cluster
null
lenses.kubernetes.pod.liveness.initial.delay
Amount of time Kubernetes will wait to check Processor’s health for the first time. It can be expressed like 30 second, 2 minute or 3 hour, mind the time unit is singular
60 second
lenses.deployments.events.buffer.size
Buffer size for events coming from Deployment targets such as Kubernetes
10000
lenses.deployments.errors.buffer.size
Buffer size for errors happening on the communication between Lenses and the Deployment targets such as Kubernetes
1000
lenses.kubernetes.config.reload.interval
Time interval to reload the Kubernetes configuration file. Expressed in milliseconds.
30000
lenses.sql.settings.max.size
Restricts the max bytes that a kafka sql query will return
long
20971520 (20MB)
lenses.sql.settings.max.query.time
Max time (in msec) that a sql query will run
int
3600000 (1h)
lenses.sql.settings.max.idle.time
Max time (in msec) for a query when it reaches the end of the topic
int
5000 (5 sec)
lenses.sql.settings.show.bad.records
By default show bad records when querying a kafka topic
boolean
true
lenses.sql.settings.format.timestamp
By default convert AVRO date to human readable format
boolean
true
lenses.sql.settings.live.aggs
By default allow aggregation queries on kafka data
boolean
true
lenses.sql.sample.default
Number of messages to sample when live tailing a kafka topic
int
2/window
lenses.sql.sample.window
How frequently to sample messages when tailing a kafka topic
int
200 msec
lenses.sql.websocket.buffer
Buffer size for messages in a SQL query
int
10000
lenses.metrics.workers
Number of workers for parallelising SQL queries
int
16
lenses.kafka.ws.buffer.size
Buffer size for WebSocket consumer
int
10000
lenses.kafka.ws.max.poll.records
Max number of kafka messages to return in a single poll()
long
1000
lenses.sql.state.dir
Folder to store KStreams state.
string
logs/lenses-sql-kstream-state
lenses.sql.udf.packages
The list of allowed java packages for UDFs/UDAFs
array of strings
["io.lenses.sql.udf"]
lenses.topics.external.topology
Topic for applications to publish their topology
1
3 (recommended)
__topology
yes
N/A
lenses.topics.external.metrics
Topic for external application to publish their metrics
1
3 (recommended)
__topology__metrics
no
1 day
lenses.topics.metrics
Topic for SQL Processor to send the metrics
1
3 (recommended)
_kafka_lenses_metrics
no
lenses.topics.replication.external.topology
Replication factor for the lenses.topics.external.topology topic
1
lenses.topics.replication.external.metrics
Replication factor for the lenses.topics.external.metrics topic
1
lenses.topics.replication.metrics
Replication factor for the lenses.topics.metrics topic
1
lenses.interval.summary
How often to refresh kafka topic list and configs
long
10000
lenses.interval.consumers.refresh.ms
How often to refresh kafka consumer group info
long
10000
lenses.interval.consumers.timeout.ms
How long to wait for kafka consumer group info to be retrieved
long
300000
lenses.interval.partitions.messages
How often to refresh kafka partition info
long
10000
lenses.interval.type.detection
How often to check kafka topic payload info
long
30000
lenses.interval.user.session.ms
How long a client-session stays alive if inactive (4 hours)
long
14400000
lenses.interval.user.session.refresh
How often to check for idle client sessions
long
60000
lenses.interval.topology.topics.metrics
How often to refresh topology info
long
30000
lenses.interval.schema.registry.healthcheck
How often to check the schema registries health
long
30000
lenses.interval.schema.registry.refresh.ms
How often to refresh schema registry data
long
30000
lenses.interval.metrics.refresh.zk
How often to refresh ZK metrics
long
5000
lenses.interval.metrics.refresh.sr
How often to refresh Schema Registry metrics
long
5000
lenses.interval.metrics.refresh.broker
How often to refresh Kafka Broker metrics
long
5000
lenses.interval.metrics.refresh.connect
How often to refresh Kafka Connect metrics
long
30000
lenses.interval.metrics.refresh.brokers.in.zk
How often to refresh from ZK the Kafka broker list
long
5000
lenses.interval.topology.timeout.ms
Time period when a metric is considered stale
long
120000
lenses.interval.audit.data.cleanup
How often to clean up dataset view entries from the audit log
long
300000
lenses.audit.to.log.file
Path to a file to write audits to in JSON format.
string
lenses.interval.jmxcache.refresh.ms
How often to refresh the JMX cache used in the Explore page
long
180000
lenses.interval.jmxcache.graceperiod.ms
How long to pause for when a JMX connectity error occurs
long
300000
lenses.interval.jmxcache.timeout.ms
How long to wait for a JMX response
long
500
lenses.interval.sql.udf
How often to look for new UDF/UDAF (user defined [aggregate] functions)
long
10000
lenses.kafka.consumers.batch.size
How many consumer groups to retrieve in a single request
Int
500
lenses.kafka.ws.heartbeat.ms
How often to send heartbeat messages in TCP connection
long
30000
lenses.kafka.ws.poll.ms
Max time for kafka consumer data polling on WS APIs
long
10000
lenses.kubernetes.config.reload.interval
Time interval to reload the Kubernetes configuration file.
long
30000
lenses.kubernetes.watch.reconnect.limit
How many times to reconnect to Kubernetes Watcher before considering the cluster unavailable
long
10
lenses.kubernetes.watch.reconnect.interval
How often to wait between Kubernetes Watcher reconnection attempts
long
5000
lenses.kubernetes.websocket.timeout
How long to wait for a Kubernetes Websocket response
long
15000
lenses.kubernetes.websocket.ping.interval
How often to ping Kubernetes Websocket to check it’s alive
long
30000
lenses.akka.request.timeout.ms
Max time for a response in an Akka Actor
long
10000
lenses.sql.monitor.frequency
How often to emit healthcheck and performance metrics on Streaming SQL
long
10000
lenses.audit.data.access
Record dataset access as audit log entries
boolean
true
lenses.audit.data.max.records
How many dataset view entries to retain in the audit log. Set to -1 to retain indefinitely
int
500000
lenses.explore.lucene.max.clause.count
Override Lucene’s maximum number of clauses permitted per BooleanQuery
int
1024
lenses.explore.queue.size
Optional setting to bound Lenses internal queue used by the catalog subsystem. It needs to be positive integer or it will be ignored.
int
N/A
lenses.interval.kafka.connect.http.timeout.ms
How long to wait for Kafka Connect response to be retrieved
int
10000
lenses.interval.kafka.connect.healthcheck
How often to check the Kafka health
int
15000
lenses.interval.schema.registry.http.timeout.ms
How long to wait for Schema Registry response to be retrieved
int
10000
lenses.interval.zookeeper.healthcheck
How often to check the Zookeeper health
int
15000
lenses.ui.topics.row.limit
The number of Kafka records to load automatically when exploring a topic
int
200
lenses.deployments.connect.failure.alert.check.interval
Time interval in seconds to check the connector failure grace period has completed. Used by the Connect auto-restart failed connectors functionality. It needs too be a value between (1,600].
int
10
lenses.provisioning.path
Folder on the filesystem containing the provisioning data. See [provisioning docs](link to provisioning docs) for further details
string
lenses.provisioning.interval
Time interval in seconds to check for changes on the provisioning resources
int
lenses.schema.registry.client.http.retryOnTooManyRequest
When enabled, Lenses will retry a request whenever the schema registry returns a 429 Too Many Requests
boolean
lenses.schema.registry.client.http.maxRetryAwait
Max amount of time to wait whenever a 429 Too Many Requests is returned.
duration
lenses.schema.registry.client.http.maxRetryCount
Max retry count whenever a 429 Too Many Requests is returned.
integer
2
lenses.schema.registry.client.http.rate.type
Specifies if http requests to the configured schema registry should be rate limited. Can be "session" or "unlimited"
"unlimited" | "session"
lenses.schema.registry.client.http.rate.maxRequests
Whenever the rate limiter is "session" this configuration will determine the max amount of requests per window size that are allowed.
integer
N/A
lenses.schema.registry.client.http.rate.window
Whenever the rate limiter is "session" this configuration will determine the duration of the window used.
duration
N/A
lenses.schema.connect.client.http.retryOnTooManyRequest
Retry a request whenever a connect cluster returns a 429 Too Many Requests
boolean
lenses.schema.connect.client.http.maxRetryAwait
Max amount of time to wait whenever a 429 Too Many Requests is returned.
duration
lenses.schema.connect.client.http.maxRetryCount
Max retry count whenever a 429 Too Many Requests is returned.
integer
2
lenses.connect.client.http.rate.type
Specifies if http requests to the configured connect cluster should be rate limited. Can be "session" or "unlimited"
"unlimited" | "session"
lenses.connect.client.http.rate.maxRequests
Whenever the rate limiter is "session" this configuration will determine the max amount of requests per window size that are allowed.
integer
N/A
lenses.connect.client.http.rate.window
Whenever the rate limiter is "session" this configuration will determine the duration of the window used.
duration
N/A
apps.external.http.state.refresh.ms
When registering a runner for external app, a health-check interval can be specified. If it is not, this default interval is used (value in milliseconds)
30000
int
no
apps.external.http.state.cache.expiration.ms
Last known state of the runner is stored in a cache. The entries in the cache are being invalidated after a time that is defined by following configuration key (value in milliseconds). This value should not be lower than the apps.external.http.state.refresh.ms value.
60000
int
no
