1 of 39

Agent

This page describe the Lenses Agent configuration.

Overview

This page describes an overview of the Lenses Agent configuration.

The Agent configuration is driven by two files:

lenses.conf
provisioning.yaml

lenses.conf holds all the database connections and low level options for the agent.

provisioning.yaml holds the your Kafka cluster and supporting services, that the Agent is to connect to. In addition it defines the connection to HQ. The provisioning.yaml is watched by the Agent, so any changes made, if valid, are applied. See Provisioning for more information. Without provisioning your agent can not connect to HQ.

Provisioning

This page describes how to setup connections to Kafka and other services and have changes applied automatically for the Lenses Agent.

Overview

This page describes an overview of Lenses Agent Provisioning.

As of version 6.0 the calling the Rest endpoint for provisioning is no longer available.

Connections are defined in the provisioning.yaml file. The Agent will watch the file and resolve the desired state, applying connections defined in the file.

Defining a Connection

Connections are defined in the provisioning.yaml. This file is divided into components, each component representing a type of connection.

Each component is mandatory:

Name - This is the free name of the connection
Version set to 1
Configuration - This is a list of keys/values dependent on the component type.

Example provisioning.yaml

kafka:
- name: Kafka
  version: 1
  tags: [my-tag]
  configuration:
    kafkaBootstrapServers:
      value:
        - PLAINTEXT://your.kafka.broker.0:9092
        - PLAINTEXT://your.kafka.broker.1:9092
    protocol: 
      value: PLAINTEXT
    # all metrics properties are optional
    metricsPort: 
      value: 9581
    metricsType: 
      value: JMX
    metricsSsl: 
      value: falseSSL

Managing secrets

The provisioning.yaml contains secrets. If you are deploying via Helm, the chart will use Kubernetes secrets.

Additionally, support is provided for referencing environment variables. This allows you to set secrets in your environment and resolve the value at runtime.

sslKeystorePassword:
  value: ${ENV_VAR_NAME}

Referencing files

Many connections need files, for example, to secure Kafka with SSL you will need a key store and optionally a trust store.

To reference a file in the provisioning.yaml, for example, given:

    configuration:
      protocol:
        value: SASL_SSL
      sslKeystore:
        file: "my-keystore.jks"

a file called my-keystore.jks is expected in the same directory.

HQ

This page describes connection a Lenses Agent with HQ

To be able to view and drill into your Kafka environment, you need to connect the agent to HQ. You need to create an environment in HQ and copy the Agent Key into the provisioning.yaml.

Kafka

This page describes how to connect the Lenses Agent to your Kafka brokers.

The Lenses Agent can connect to any Kafka cluster or service exposing the Apache Kafka APIs and supporting the authentication methods offered by Apache Kafka.

Apache Kafka

This page describes connecting the Lenses Agent to Apache Kafka.

A Kafka connection is required for the agent to start. You can connect to Kafka via:

Plaintext (no credentials an unencrypted)
SSL (no credentials an encrypted)
SASL Plaintext and SASL SSL

Plaintext

With PLAINTEXT, there's no encryption and no authentication when connecting to Kafka.

The only required fields are:

kafkaBootstrapServers - a list of bootstrap servers (brokers). It is recommended to add as many brokers (if available) as convenient to this list for fault tolerance.
protocol - depending on the protocol, other fields might be necessary (see examples for other protocols)

In following example JMX metrics for Kafka Brokers are configured too, assuming that all brokers expose their JMX metrics using the same port (9581), without SSL and authentication.

provisioning.yaml

kafka:
- name: Kafka
  version: 1
  tags: [my-tag]
  configuration:
    kafkaBootstrapServers:
      value:
        - PLAINTEXT://your.kafka.broker.0:9092
        - PLAINTEXT://your.kafka.broker.1:9092
    protocol: 
      value: PLAINTEXT
    # all metrics properties are optional
    metricsPort: 
      value: 9581
    metricsType: 
      value: JMX
    metricsSsl: 
      value: falseSSL

SSL

With SSL the connection to Kafka is encrypted. You can also uses SSL and certificates to authenticate users against Kafka.

A truststore (with password) might need to be set explicitly if the global truststore of the Agent does not include the Certificate Authority (CA) of the brokers.

If TLS is used for authentication to the brokers in addition to encryption-in-transit, a key store (with passwords) is required.

kafka:
- name: Kafka
  version: 1
  tags: [my-tag]
  configuration:
    kafkaBootstrapServers:
      value:
        - SSL://your.kafka.broker.0:9092
        - SSL://your.kafka.broker.1:9092
    protocol: 
      value: SSL
    sslTruststore:
      file: /path/to/truststore.jks
    sslTruststorePassword: 
      value: truststorePassword
    sslKeystore:
      file: /path/to/keystore.jks
    sslKeyPassword: 
      value: keyPassword
    sslKeystorePassword: 
      value: keystorePassword

SASL Plaintext vs SASL SSL

There are 2 SASL-based protocols to access Kafka Brokers: SASL_SSL and SASL_PLAINTEXT. They both require SASL mechanism and JAAS Configuration values. What is different is:

The transport layer is encyrpted (SSL)
The SASL mechanism for authentication (PLAIN, AWS_MSK_IAM, GSSAPI).

In addition to this, there might be a keytab file required, depending on the SASL mechanism (for example when using GSSAPI mechanism, most often used for Kerberos).

To use Kerberos authentication, a Kerberos _Connection_ should be created beforehand.

When encryption-in-transit is used (with SASL_SSL), a trust store might need to be set explicitly if the global trust store of Lenses does not include the CA of the brokers.

SASL SSL

Mechanism PLAIN

Encrypted communication and basic username and password for authentication.

provisioning.yaml

kafka:
- name: Kafka
  version: 1
  tags: [my-tag]
  configuration:
    kafkaBootstrapServers:
      value:
        - SASL_SSL://your.kafka.broker.0:9092
        - SASL_SSL://your.kafka.broker.1:9092
    protocol: 
      value: SASL_SSL
    sslTruststore:
      file: /path/to/truststore.jks
    sslTruststorePassword: 
      value: truststorePassword
    sslKeystore:
      file: /path/to/keystore.jks
    sslKeyPassword: 
      value: keyPassword
    sslKeystorePassword: 
      value: keystorePassword
    saslMechanism: 
      value: PLAIN
    saslJaasConfig:
      value: |
        org.apache.kafka.common.security.plain.PlainLoginModule required
        username="your-username"
        password="your-password";

Mechanism GSSAPI

In order to use Kerberos authentication, a Kerberos Connection should be created beforehand.

kafka:
- name: Kafka
  version: 1
  tags: [my-tag]
  configuration:
    kafkaBootstrapServers:
      value:
        - SASL_SSL://your.kafka.broker.0:9092
        - SASL_SSL://your.kafka.broker.1:9092
    protocol: 
      value: SASL_SSL
    sslTruststore:
      file: /path/to/truststore.jks
    sslTruststorePassword: 
      value: truststorePassword
    sslKeystore:
      file: /path/to/keystore.jks
    sslKeyPassword: 
      value: keyPassword
    sslKeystorePassword: 
      value: keystorePassword  
    saslMechanism: 
      value: GSSAPI
    saslJaasConfig:
      value: |
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        useTicketCache=false
        serviceName=kafka
        principal="my-principal@DOMAIN.COM";      
     keytab:
       file: /path/to/keytab.jks

SASL Plaintext

No SSL encrypted of communication, credentials communicated to Kafka in clear text.

Mechanism SCRAM-SHA-256

kafka:
- name: Kafka
  version: 1
  tags: [my-tag]
  configuration:
    kafkaBootstrapServers:
      value:
        - SASL_PLAINTEXT://your.kafka.broker.0:9092
        - SASL_PLAINTEXT://your.kafka.broker.1:9092
    protocol: 
      value: SASL_PLAINTEXT
    saslMechanism: 
      value: SCRAM-SHA-256
    saslJaasConfig: 
      value: |
        org.apache.kafka.common.security.scram.ScramLoginModule required
        username="your-username"
        password="your-password";

Mechanism SCRAM-SHA-512

kafka:
- name: Kafka
  version: 1
  tags: [my-tag]
  configuration:
    kafkaBootstrapServers:
      value:
        - SASL_PLAINTEXT://your.kafka.broker.0:9092
        - SASL_PLAINTEXT://your.kafka.broker.1:9092
    protocol: 
      value: SASL_PLAINTEXT
    saslMechanism: 
      value: SCRAM-SHA-512
    saslJaasConfig: 
      value: |
        org.apache.kafka.common.security.scram.ScramLoginModule required
        username="your-username"
        password="your-password";

Aiven

This page describes configuring Lenses to connect to Aiven.

Find your Service URI

From the Aiven, locate your Service URI and set it as the bootstrap servers.

Configure Provisioning

Set the following in the provisioning.yaml, replacing Service URI, username and password from your Aiven account.

provisioning.yaml

kafka:
- name: Kafka
  version: 1
  tags: [my-tag]
  configuration:
    kafkaBootstrapServers:
      value:
        - SASL_SSL://[Service URI]
    protocol: 
      value: SASL_SSL
    saslMechanism: 
      value: SCRAM-SHA-256
    saslJaasConfig: 
      value: |
        org.apache.kafka.common.security.scram.ScramLoginModule required
        username="[your-username]"
        password="[your-password]";

AWS MSK

This page describes connection the Lenses Agent to a AWS MSK cluster.

It is recommended to install the Agent on an EC2 instance or with EKS in the same VPC as your MSK cluster. The Agent can be installed and preconfigured via the AWS Marketplace.

Open network connectivity

Edit the AWS MSK security group in the AWS Console and add the IP address of your Agent installation.

Enable Open Monitoring

If you want to have the Agent collect JMX metrics you have to enable Open Monitoring on your MSK cluster. Follow the AWS guide here.

Select your MSK endpoint

Depending on your MSK cluster, select the endpoint and protocol you want to connect with.

It is not recommended to use Plaintext for secure environments. For these environments use TLS or IAM.

When the Agent is running inside AWS and is connecting to an Amazon’s Managed Kafka (MSK) instance, IAM can be used for authentication.

Configure Provisioning

provisioning.yaml

kafka:
- name: Kafka
  version: 1
  tags: ["optional-tag"]
  configuration:
    kafkaBootstrapServers:
      value:
       - SASL_SSL://your.kafka.broker.0:9098
       - SASL_SSL://your.kafka.broker.1:9098
    protocol: SASL_SSL
    saslMechanism: 
      value: AWS_MSK_IAM
    saslJaasConfig:
      value: software.amazon.msk.auth.iam.IAMLoginModule required;
    additionalProperties:
      value:
        sasl.client.callback.handler.class: "software.amazon.msk.auth.iam.IAMClientCallbackHandler"

AWS MSK Serverless

This page describes how to connect Lenses to an Amazon MSK Serverless cluster.

It is recommended to install the Agent on an EC2 instance or with EKS in the same VPC as your MSK Serverless cluster.

Security Groups

Enable communications between the Agent & the Amazon MSK Serverless cluster by opening the Amazon MSK Serverless cluster's security group in the AWS Console and add the IP address of your Agent installation.

IAM Policy

To authenticate the Agent & access resources within our MSK Serverless cluster, we'll need to create an IAM policy and apply that to the resource (EC2, EKS cluster, etc) running the Agent service. here is an example IAM policy with sufficient permissions which you can associate with the relevant IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kafka-cluster:Connect",
                "kafka-cluster:AlterCluster",
                "kafka-cluster:DescribeCluster"
            ],
            "Resource": "arn:aws:kafka:[region]:[aws_account_id]:cluster/[cluster_name]/[cluster_uuid]/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kafka-cluster:DescribeTopic",
                "kafka-cluster:CreateTopic",
                "kafka-cluster:WriteData",
                "kafka-cluster:ReadData"
            ],
            "Resource": "arn:aws:kafka:[region]:[aws_account_id]:topic/[cluster_name]/[cluster_uuid]/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kafka-cluster:AlterGroup",
                "kafka-cluster:DescribeGroup"
            ],
            "Resource": "arn:aws:kafka:[region]:[aws_account_id]:group/[cluster_name]/[cluster_uuid]/*"
        }
    ]
}

MSK Serverless IAM to be used after cluster creation. Update this IAM policy with the relevant ARN.

Select your MSK endpoint

Click your MSK Serverless Cluster in the MSK console and select View Client Information page to check the bootstrap server endpoint.

Configure Provisioning

provisioning.yaml

kafka:
  tags: ["optional-tag"]
  name: Kafka
  configuration:
    kafkaBootstrapServers:
      value:
       - SASL_SSL://your.kafka.broker.0:9098
       - SASL_SSL://your.kafka.broker.1:9098
    protocol: SASL_SSL
    saslMechanism: 
      value: AWS_MSK_IAM
    saslJaasConfig:
      value: software.amazon.msk.auth.iam.IAMLoginModule required;
    additionalProperties:
      value:
        sasl.client.callback.handler.class: "software.amazon.msk.auth.iam.IAMClientCallbackHandle

SQL Processor Configurations

To enable the creation of SQL Processors that create consumer groups, you need to add the following statement in your IAM policy:

{
  "Action": [
    "kafka-cluster:*Topic*",
    "kafka-cluster:WriteData",
    "kafka-cluster:ReadData"
  ],
  "Resource": "arn:aws:kafka:[region]:[aws_account_id]:cluster/[cluster_name]/[cluster_uuid]/*"
}

Update the placeholders in the IAM policy based on the relevant MSK Serverless cluster ARN.

To integrate with the AWS Glue Schema Registry, you also need to add the following statement for the registries and schemas in your IAM policy:

{
  "Action": [
    "kafka-cluster:*Group*"
  ],
  "Resource": "arn:aws:kafka:[region]:[aws_account_id]:cluster/[cluster_name]/[cluster_uuid]/*"
}

Update the placeholders in the IAM policy based on the relevant MSK Serverless cluster ARN.

To integrate with the AWS Glue Schema Registry, you also need to modify the security policy for the registry and schemas, which results in additional functions within it:

{
  "Action": [
    "glue:DeregisterDataPreview",
    "glue:ListRegistries",
    "glue:CreateRegistry",
    "glue:RegisterSchemaVersion",
    "glue:GetRegistry",
    "glue:UpdateRegistry",
    "glue:ListSchemas",
    "glue:DeleteRegistry",
    "glue:GetSchema",
    "glue:CreateSchema",
    "glue:ListSchemaVersions",
    "glue:GetSchemaVersion",
    "glue:UpdateSchema",
    "glue:DeleteSchemaVersions"
  ],
  "Resource": [
    "arn:aws:glue:[region]:[aws_account_id]:registry/*",
    "arn:aws:glue:[region]:[aws_account_id]:schema/*"
  ]
}

More details about how IAM works with MSK Serverless can be found in the documentation: MSK Serverless

Limitations

When using the Agent with MSK Serverless:

The agent does not receive Prometheus-compatible metrics from the brokers because they are not exported outside of CloudWatch.
The agent does not configure quotas and ACLs because MSK Serveless does not allow this.

Azure EventHubs

This page describes connection Lenses to Azure EventHubs.

Create a Data Integration API key

Add a shared access policy
- Navigate to your Event Hub resource and select Shared access policies in the Settings section.
- Select + Add shared access policy, give a name, and check all boxes for the permissions (Manage, Send, Listen)
Once the policy is created, obtain the Primary Connection String, by clicking the policy and copying the connection string. The connection string will be used as a JAAS password to connect to Kafka.
The bootstrap broker [YOUR_EVENT_HUBS_NAMESPACE].servicebus.windows.net:9093

Configure Provisioning

Set the following in the provisioning.yaml

First set environment variable

Note that "\" at "$ConnectionString" is set additionally to escape the $ sign.

Azure HDInsight

This page describes connection Lenses to a Azure HDInsight cluster.

Find your Kafka endpoints

In our Azure Portal, go to Dashboards->Ambari home. Go to Kafka->Configs->Kafka Broker->Kafka Broker hosts

Optionally find your Zookeeper endpoints

Optionally get the Zookeeper endpoints: Go to Zookeeper->Configs->Zookeeper Server->Zookeeper Server hosts.

Configure Provisioning

See for different configurations for your security protocols.

Confluent Cloud

This page describes configuring Lenses to connect to Confluent Cloud.

For Confluent Platform see

Create a Data Integration API key

From Data integration API keys, select Create Key.
For this guide select Global access to get your API Key and API Secret Key.
Go to Cluster Settings to get your Bootstrap Server.

Configure Provisioning

Set the following in the provisioning.yaml

Confluent Platform

This page describes configuring Lenses to connect to Confluent Platform.

For Confluent Platform see

IBM Event Streams

This page describes how to connect Lenses to IBM Event Streams.

IBM Event Streams requires a replication factor of 3. Ensure you set the replication factor accordingly for Lenses internal topics.

See .

Find your bootstrap endpoints

From the IBM Cloud console, locate your bootstrap_endpoints, for the service credentials you want to connect with.

Configure Provisioning

Set the following in the provisioning.yaml:

Use "token" as the username in the Jaas Config. Set the password as your API KEY from IBM Event streams

Schema Registries

This page describes adding a Schema Registries to the Lenses Agent.

Overview

This page describes an overview of connecting a Lenses Agent with Schema Registries

Consider Rate Limiting if you have a high number of schemas.

Authentication

TLS and basic authentication are supported for connections to Schema Registries.

JMX Metrics

The Agent can collect Schema registry metrics via:

JMX
Jolokia

Supported formats

AVRO
PROTOBUF

JSON and XML formats are supported by Lenses but without a backing schema registry.

Schema deletion

To enable the deletion of schemas in the UI, set the following in the lenses.conf file.

lenses.conf

## Enable schema deletion in the Lenses UI
## default: false
lenses.schema.registry.delete = true

## When a topic is deleted,
## automatically delete also its associated Schema Registry subjects
## default: false
lenses.schema.registry.cascade.delete = true

IBM Event Streams supports hard deletes only

AWS Glue

This page describes connection to AWS Glue.

AWS Glue Schema Registry connection, depends on an AWS connection.

Set the following examples in provisioning.yaml

These are examples of provision Lenses with an AWS connection named my-aws-connection and an AWS Glue Schema Registry that references it.

Using AWS Access Key

aws:
  - name: my-aws-connection
    tags: ["tag1"]
    version: 1      
    configuration:
      authMode: 
        value: Access Key
      accessKeyId: 
        value: my-access-key-id
      secretAccessKey: 
        value: my-secret-access-key
      region: 
        value: eu-west-1
      
glueSchemaRegistry:
  - name: schema-registry
    tags: ["tag1"]
    version: 1      
    configuration:
      authMode: 
        value: my-aws-connection
      accessKeyId:
        reference: my-aws-connection
      secretAccessKey:
        reference: my-aws-connection
      glueRegistryArn:
          value: arn:aws:glue:region:123123123:registry/my-registry

Using AWS Credentials Chain

aws:
  - name: my-aws-connection
    tags: ["tag1"]
    version: 1      
    configuration:
      authMode: 
        value: Credentials Chain
      region: 
        value: eu-west-1
        
glueSchemaRegistry:
  - name: schema-registry
    tags: ["tag1"]
    version: 1      
    configuration:
      authMode: 
        value: my-aws-connection
      glueRegistryArn:
        value: arn:aws:glue:region:123123123:registry/my-registry

Confluent

This page describes connecting Lenses to Confluent schema registries.

Set the following examples in provisioning.yaml

Simple configuration, with JMX metrics

The URLs (nodes) should always have a scheme defined (http:// or https://).

confluentSchemaRegistry:
  - name: schema-registry
    tags: ["tag1"]
    version: 1      
    configuration:
      schemaRegistryUrls:
        value:
          - http://my-sr.host1:8081
          - http://my-sr.host2:8081
      ## all metrics properties are optional
      metricsPort: 
        value: 9581
      metricsType: 
        value: JMX
      metricsSsl: 
        value: false

Basic authentication

For Basic Authentication, define username and password properties.

confluentSchemaRegistry:
- name: schema-registry
  tags: ["tag1"]
  version: 1    
  configuration:
    schemaRegistryUrls:
      value:
        - http://my-sr.host1:8081
        - http://my-sr.host2:8081
    username: 
      value: my-username
    password: 
      value: my-password

TLS with custom truststore

A custom truststore is needed when the Schema Registry is served over TLS (encryption-in-transit) and the Registry’s certificate is not signed by a trusted CA.

confluentSchemaRegistry:
  - name: schema-registry
    tags: ["tag1"]
    version: 1      
    configuration:
      schemaRegistryUrls:
        value:
          - http://my-sr.host1:8081
          - http://my-sr.host2:8081
      sslTruststore:
        fileRef:
          filePath: /path/to/my/truststore.jks
      sslTruststorePassword: 
        value: myPassword

TLS with client authentication

A custom truststore might be necessary too (see above).

confluentSchemaRegistry:
  - name: schema-registry
    tags: ["tag1"]
    version: 1      
    configuration:
      schemaRegistryUrls:
        value:
          - http://my-sr.host1:8081
          - http://my-sr.host2:8081
      sslKeystore:
        fileRef:
          filePath: /path/to/my/keystore.jks
      sslKeystorePassword: 
        value: myPassword

Hard or soft delete

By default, Lenses will use hard delete for Schema Registry. To use soft delete, add the following property:

confluentSchemaRegistry:
  - name: schema-registry
    tags: ["tag1"]
    version: 1      
    configuration:
      schemaRegistryUrls:
        value:
          - http://my-sr.host1:8081
          - http://my-sr.host2:8081
      hardDelete:
        value: true

Apicurio

This page describes connecting Lenses to Apicurio.

Apicuro supports the following versions of Confluent's API:

Confluent Schema Registry API v6
Confluent Schema Registry API v7

Set the following examples in provisioning.yaml

Set the schema registry URLs to include the compatibility endpoints, for example:

http://localhost:8080/apis/ccompat/v6

provisioning.yaml

confluentSchemaRegistry:
  - name: schema-registry
    tags: ["tag1"]
    version: 1      
    configuration:
      schemaRegistryUrls:
        value:
          - http://localhost:8080/apis/ccompat/v6

IBM Event Streams Registry

This page describes connecting Lenses to IBM Event Streams schema registry.

Requires Enterprise subscription on IBM Event Streams and only hard delete is supported for IBM Event streams

To configure an application to use this compatibility API, specify the Schema Registry endpoint in the following format:

Use "token" as the username. Set the password as your API KEY from IBM Event streams

Set the following examples in provisioning.yaml

Kafka Connect

This page describes adding a Kafka Connect Cluster to the Lenses Agent.

Lenses integrates with Kafka Connect Clusters to manage connectors.

The name of a Kafka Connect Connections may only contain alphanumeric characters ([A-Za-z0-9]) and dashes (-). Valid examples would be dev, Prod1, SQLCluster,Prod-1, SQL-Team-Awesome.

Multiple Kafka Connect clusters are supported.

If you are using Kafka Connect < 2.6 set the following to ensure you can see Connectors

lenses.features.connectors.topics.via.api.enabled=false

Consider if you have a high number of connectors.

Simple configuration, with JMX metrics

The URLs (workers) should always have a scheme defined (http:// or https://).

This example uses an optional AES-256 key. The key decodes values encoded with AES-256 to enable passing encrypted values to connectors. It is only needed if your cluster uses AES-256 Decryption plugin.

Basic authentication

For Basic Authentication, define username and password properties.

TLS with custom truststore

A custom truststore is needed when the Kafka Connect workers are served over TLS (encryption-in-transit) and their certificates are not signed by a trusted CA.

TLS with client authentication

A custom truststore might be necessary too (see above).

Adding 3rd Party Connector to the Topology

If you have developed your own Connector or are using not using a Lenses connector you can still display the connector instances in the topology. To do this Lenses needs to know the configuration option of the Connector that defines which topic the Connector reads from or writes to. This is set in the connectors.info parameter in the lenses.conf file.

Zookeeper

This page describes adding a Zookeeper to the Lenses Agent.

Set the following examples in provisioning.yaml

Simple configuration, without metrics

Simple configuration, with JMX metrics

Simple configuration with Zookeeper metrics read via JMX.

With such a configuration, Lenses will use 3 Zookeeper nodes and will try to read their metrics from following URLs (notice the same port - 9581 - used for all of them, as defined by metricsPort property):

my-zookeeper-host-0:9581
my-zookeeper-host-1:9581
my-zookeeper-host-2:9581

AWS

Add a connection to AWS in the Lenses Agent.

The agent uses an AWS in three places:

AWS IAM connection to for Lenses itself
Connecting to AWS Glue
Alert channels to Cloud Watch.

If the Agent is deployed on an EC2 Instance or has access to AWS credentials in the default that can be used instead.

Alert & Audit integrations

Connect the Lenses Agent to your alerting and auditing systems.

The Agent can send out alerts and audits events. Once you have configured alert and audit connections, you can create alert and audit channels to route events to them.

Alerts

DataDog

AWS CloudWatch

PagerDuty

Slack

Alert Manager

Webook (Email, SMS, HTTP and MS Teams)

Audits

Webhook

Splunk

Infrastructure JMX Metrics

This page describes how to configure JMX metrics for Connections in Lenses.

All core services (Kafka, Schema Registry, Kafka Connect, Zookeeper) use the same set of properties for services’ monitoring.

The Agent will discover all the brokers by itself and will try to fetch metrics using metricsPort, metricsCustomUrlMappings and other properties (if specified).

JMX

Simple

The same port used for all brokers/workers/nodes. No SSL, no authentication.

SSL

Basic Auth

Such a configuration means that the Agent will try to connect using JMX with every pair of kafkaBootstrapServers.host:metricsPort, so following the example: my-kafka-host-0:9581.

Jolokia

For Jolokia the Agent supports two types of requests: GET (JOLOKIAG) and POST (JOLOKIAP).

For JOLOKIA each entry value in metricsCustomUrlMappings must contain protocol.

Simple

The same port used for all brokers/workers/nodes. No SSL, no authentication.

Custom Http Request Timeout

JOLOKIA monitoring works on the top of HTTP protocol. To fetch metrics the Agent has to perform either GET or POST request. There is a way of configuring http request timeout using httpRequestTimeout property (ms value). Its default value is 20 seconds.

Custom Metrics Http Suffix

Default suffix for Jolokia endpoints is /jolokia/, so that should be provided value. Sometimes that suffix can be different, so there is a way of customizing it by using metricsHttpSuffix field.

AWS

AWS has predefined metrics configuration. The Agent hits the Prometheus endpoint using port 11001 for each broker. There is an option of customizing AWS metrics connection in Lenses by using metricsUsername, metricsPassword, httpRequestTimeout, metricsHttpSuffix, metricsCustomUrlMappings, metricsSsl properties, but most likely no one will need to do that - AWS has its own standard and most probably it won’t change. Customization can be achieved only by API or CLI - UI does not support it.

Custom URL mapping

There is also a way to configure custom mapping for each broker (Kafka) / node (Schema Registry, Zookeeper) / worker (Kafka Connect).

Such a configuration means that the Agent will try to connect using JMX for:

my-kafka-host-0:9582 - because of metricsCustomUrlMappings
my-kafka-host-1:9581 - because of metricsPort and no entry in metricsCustomUrlMappings

Provisioning API reference

This page describes the Provisioning API reference.

For the options for each connection see the Schema /Object of the PUT call.

Hardware & OS

This page describes the hardware and OS prerequisites for Lenses.

Run on any Linux server (review ulimits or container technology (docker/kubernetes). For RHEL 6.x and CentOS 6.x use docker.

Linux machines typically have a soft limit of 1024 open file descriptors. Check your current limit with the ulimit command:

Increase as a super-user the soft limit to 4096 with:

Memory & CPU

This page describes the memory & cpu prerequisites for Lenses.

This documentation provides memory recommendations for Lenses.io, considering the number of Kafka topics, the number of schemas, and the complexity of these schemas (measured by the number of fields). Proper memory allocation ensures optimal performance and stability of Lenses.io in various environments.

Key Considerations

Number of Topics: Kafka topics require memory for indexing, metadata, and state management.
Schemas and Their Complexity: The memory impact of schemas is influenced by both the number of schemas and the number of fields within each schema. Each schema field contributes to the creation of Lucene indexes, which affects memory usage.

Baseline Memory Requirements

For a basic setup with minimal topics and schemas:

Minimum Memory: 4 GB
Recommended Memory: 8 GB

This setup assumes:

Fewer than 100 topics
Fewer than 100 schemas
Small schemas with few fields (less than 10 fields per schema)

Scaling with Topics

Memory requirements increase with the number of topics. Topics are used as the primary reference for memory scaling, with additional considerations for schemas.

Impact of Schemas and Their Complexity

Schemas have a significant impact on memory usage, particularly as the number of fields within each schema increases. The memory impact is determined by both the number of schemas and the complexity (number of fields) of these schemas.

Memory Addition Based on Schema Complexity

Cross-Reference Table for Topics and Schema Complexity

Example Configurations

To help illustrate how to apply these recommendations, here are some example configurations considering both topics and schema complexity:

Small Setup

Topics: 500
Schemas: 100 (average size 50 KB, 8 fields per schema)

Recommended Memory: 8 GB

Schema Complexity: Low → No additional memory needed.

Total Recommended Memory: 8 GB

Medium Setup

Topics: 5,000
Schemas: 1,000 (average size 200 KB, 25 fields per schema)

Base Memory: 12 GB

Schema Complexity: Moderate → No additional memory needed.

Total Recommended Memory: 16 GB

Large Setup

Topics: 15,000
Schemas: 3,000 (average size 500 KB, 70 fields per schema)

Base Memory: 32 GB

Schema Complexity: High → Add 3 GB for schema complexity.

Total Recommended Memory: 35 GB

High-Volume Setup Examples

30,000 Topics
- Schemas: 5,000 (average size 300 KB, 30 fields per schema)
Base Memory: 64 GB
- Schema Complexity: Moderate → Add 5 GB for schema complexity.
Total Recommended Memory: 69 GB

Additional Considerations

High Throughput: If your Kafka cluster is expected to handle high throughput, consider adding 20-30% more memory than the recommendations.
Complex Queries and Joins: If using Lenses.io for complex data queries and joins, consider increasing the memory allocation by 10-15% to accommodate the additional processing.
Monitoring and Adjustment: Regularly monitor memory usage and adjust based on actual load and performance.

Conclusion

Proper memory allocation is crucial for the performance and reliability of Lenses.io, especially in environments with a large number of topics and complex schemas. While topics provide a solid baseline for memory recommendations, the complexity of schemas—particularly the number of fields—can also significantly impact memory usage. Regular monitoring and adjustments are recommended to ensure that your Lenses.io setup remains performant as your Kafka environment scales.

Database

This page describes configuring the database connection for the Lenses Agent.

Once you have created a role for the agent to use you can then configure the Agent in the lenses.conf file:

lenses.conf

lenses.storage.postgres.host="my-postgres-server"
lenses.storage.postgres.port=5432
lenses.storage.postgres.username="lenses_agent"
lenses.storage.postgres.database="lenses_agent"
lenses.storage.postgres.password="changeme"

Additional configurations for the PostgreSQL database connection can be passed under the lenses.storage.postgres.properties configuration prefix.

One Postgres server can be used for all agents by using a separate database or schema each.

For the Agent see lenses.storage.postgres.schema or lenses.storage.postgres.database

The supported parameters can be found in the PostgreSQL documentation. For example:

lenses.conf

# require SSL encryption with full host verification
lenses.storage.postgres.properties.ssl=true
lenses.storage.postgres.properties.sslmode="verify-full"
lenses.storage.postgres.properties.sslcert="/path/to/certs/lenses.crt.pem"
lenses.storage.postgres.properties.sslkey="/path/to/certs/lenses.key.pk8"
lenses.storage.postgres.properties.sslpassword="mypassword"
lenses.storage.postgres.properties.sslrootcert="/path/to/certs/CA.crt.pem"

Database Role

terminal

# login as superuser and add Lenses role and database
psql -U postgres -d postgres <<EOF
CREATE ROLE lenses_agent WITH LOGIN PASSWORD 'changeme';
CREATE DATABASE lenses_agent OWNER lenses_agent;
EOF

Connection pooling

The Agent uses the HikariCP library for high-performance database connection pooling.

The default settings should perform well but can be overridden via the lenses.storage.hikaricp configuration prefix. The supported parameters can be found in the HikariCP documentation.

Camelcase configuration keys are not supported in agent configuration and should be translated to dot notation.

For example:

# set maximumPoolSize to 25
lenses.storage.hikaricp.maximum.pool.size=25

TLS

This page describes how to configure TLS for the Lenses Agent.

By default, the Agent does not provide TLS termination but can be enabled via a configuration option. TLS termination is recommended for enhanced security and a prerequisite for integrating with SSO (Single Sign On) via SAML2.0.

TLS termination can be configured directly within Agent or by using a TLS proxy or load balancer.

Global Truststore

To use a non-default global truststore, set the path in accordingly with the LENSES_OPTS variable.

LENSES_OPTS=-Djavax.net.ssl.trustStore=/path/to/truststore

Custom Truststore

lenses.conf

lenses.ssl.truststore.location = "/path/to/truststore.jks"
lenses.ssl.truststore.password = "changeit"

Mutual TLS

To enable mutual TLS, set your keystore accordingly.

lenses.conf

# To secure and encrypt all HTTPS connections to Lenses via TLS termination.
# Java Keystore location and passwords
lenses.ssl.client.auth = true
lenses.ssl.keystore.location = "/path/to/keystore.jks"
lenses.ssl.keystore.password = "changeit"
lenses.ssl.key.password      = "changeit"


# You can also tweak the TLS version, algorithm and ciphers
#lenses.ssl.enabled.protocols = "TLSv1.2"
#lenses.ssl.cipher.suites     = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WIT

Kafka ACLs

This page describes the Kafka ACLs prerequisites for the Lenses Agent if ACLs are enabled on your Kafka clusters.

These ACLs are for the underlying Lenses Agent Kafka client. Lenses has its own set of permissions guarding access.

You can restrict the access of the Lenses Kafka client but this can reduce the functionality on offer in Lenses, e.g. not allow Lenses to create topic at all, even though this can be managed by .

When your Kafka cluster is configured with an authorizer which enforces ACLs, the Agent will need a set of permissions to function correctly.

Common practice is to give teh Agent superuser status or the complete list of available operations for all resources. The IAM model of Lenses can then be used to restrict the access level per user.

Minimal Permissions

The Agent needs permission to manage and access their own internal Kafka topics:

__topology
__topology__metrics

It also needs to read and describe permissions for the consumer offsets and Kafka Connect topics —if enabled:

__consumer_offsets
connect-configs
connect-offsets
connect-status

This same set of permissions is required for any topic that the agent must have read access.

DescribeConfigs was added in Kafka 2.0. It may not be needed for versions before 2.2.

Additional permissions are needed to produce topics or manage them.

Consumer Groups

Permission to at least read and describe consumer groups is required to take advantage of the Consumer Groups' monitoring capabilities.

Additional permissions are needed to manage groups.

ACLs

To manage ACLs, permission to the cluster is required:

Rate Limiting

Rate limit the calls the Lenses Agent makes to Schema Registries and Connect Clusters.

To rate limit the calls the Agent makes to Schema Registries or Connect Clusters set the following the Agent configuration:

The exact values provided will depend on your setup, for example the number of schemas, how often are new schemas added, so some trial and error is required.

JMX Metrics

This page describes the how to retrieve Lenses Agent JMX metrics.

The JMX endpoint is managed by the lenses.jmx.port option. To disable the JMX leave the option empty.

To enable monitoring of the Agent metrics:

LENSES_JMX_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Djava.rmi.server.hostname=[HOSTNAME]"

To export via Prometheus exporter:

export LENSES_OPTS="-javaagent:/path/to/jmx_exporter/fastdata_agent.jar=9102:/path/to/jmx_exporter/client.yml"

The Agent Docker image (lensesio/lenses) automatically sets up the Prometheus endpoint. You only have to expose the 9102 port to access it.

Setting up the JMX Agent with Basic Auth.

This will be done in two parts. The first part is about setting up the required files that JMX Agent will require and the second is about the options we need to pass to the agent.

Setting up required files

First let’s create a new folder called jmxremote

mkdir -vp /etc/jmxremote

To enable basic auth JMX, first create two files:

jmxremote.access
jmxremote.password

JMX Password file

The password file has the credentials that the JMX agent will check during client authentication

cat /etc/jmxremote/jmxremote.password 
admin admin
guest admin

The above code is registering 2 users.

UserA:
- username admin
- password admin
UserB:
- username: guest
- password: admin

JMX Access file

The access file has authorization information, like who is allowed to do what.

cat jmxremote/jmxremote.access 
admin readwrite
guest readonly

In the above code, we can see that the admin user can do read and write operations in JMX, while guest user can only read the JMX content.

Enable JMX with Basic Auth Protection

Now, to enable JMX with basic auth protection, all we need to do is pass the following options in the JRE’s env that will run the Java process you need to protect the jmx.

Let’s assume this java process is Kafka.

Change the permissions on both files so only owner can edit and view them.

chmod -R 0600 /etc/jmxremote
chown -R <user-that-will-run-kafka-name>:<user-that-will-run-kafka-group> /etc/jmxremote/jmxremote.*

If you do not change the permissions to 0600 and to the user that will run the jre process, then JMX will Agent will cause an error complaining that the Process is not the owner of the files that will be used for authentication and authorization.

Finally export the following options in the user’s env which will run Kafka.

export BROKER_JMX_OPTS= "-Dcom.sun.management.jmxremote=true \
  -Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.ssl=false \
  -Dcom.sun.management.jmxremote.local.only=false \
  -Djava.rmi.server.hostname=10.15.3.1 \
  -Dcom.sun.management.jmxremote.rmi.port=9581 \
  -Dcom.sun.management.jmxremote.access.file=/etc/jmxremote/jmxremote.access \
  -Dcom.sun.management.jmxremote.password.file=/etc/jmxremote/jmxremote.password \
  -Dcom.sun.management.jmxremote.port=9581

Secure JMX with TLS Encryption

First setup JMX with basic auth as shown in the Secure JMX: Basic Auth page.

To enable TLS Encryption/Authentication in JMX you need a jks keystore and truststore.

Please note that both JKS Truststore and Keystore should have the same password.

The reason for this is because the javax.net.ssl class will use the password you pass to the Keystore as the keypassword

Let’s assume this java process is Kafka and that you have installed the keystore.jks and truststore.jks under `/etc/certs``

Export the following options in the user’s env which will run Kafka.

export BROKER_JMX_OPTS= "-Dcom.sun.management.jmxremote=true
  -Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.ssl=true \
  -Dcom.sun.management.jmxremote.local.only=false \
  -Djava.rmi.server.hostname=10.15.3.1 \
  -Dcom.sun.management.jmxremote.rmi.port=9581 \
  -Dcom.sun.management.jmxremote.access.file=/etc/jmxremote.access \
  -Dcom.sun.management.jmxremote.password.file=/etc/jmxremote.password \
  -Dcom.sun.management.jmxremote.port=9581 \
  -Djavax.net.ssl.keyStore=/etc/certs/kafka.jks \
  -Djavax.net.ssl.keyStorePassword=somePassword \
  -Djavax.net.ssl.trustStore=/etc/certs/truststore.jks \
  -Djavax.net.ssl.trustStorePassword=somePassword \
  -Dcom.sun.management.jmxremote.registry.ssl=true \
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true

JVM Options

This page describes the JVM options for the Lenses Agent.

The Agent runs as a JVM app; you can tune runtime configurations via environment variables.

Key

Description

SQL Processor Deployment

This page describes how to configure the agent to deploy and manage SQL Processors for stream processing.

Lenses can be used to define & deploy stream processing applications that read from Kafka and write back to Kafka with SQL. They are based on the Kafka Stream framework. They are known as SQL Processors.

SQL processing of real-time data can run in 2 modes:

SQL In-Process - the workload runs inside of the Lenses Agent.
SQL in Kubernetes - the workload runs & scale on your Kubernetes cluster.

Which mode the SQL Processors will run as should be defined within the lenses.conf before Lenses is started.

In-Process Mode

In this mode, SQL processors run as part of the Agent process, sharing resources, memory, and CPU time with the rest of the platform.

This mode of operation is meant to be used for development only.

As such, the agent will not allow the creation of more than 50 SQL Processors in In Process mode, as this could impact the platform's stability and performance negatively.

For production, use the KUBERNETES mode for maximum flexibility and scalability.

Set the execution configuration to IN_PROC

# Set up Lenses SQL processing engine
lenses.sql.execution.mode = "IN_PROC"

Set the directory to store the internal state of the SQL Processors:

lenses.sql.state.dir = "/tmp/sql-kstream-state"

TLS connections to Kafka and Schema Registries

SQL processors use the same connection details that Agent uses to speak to Kafka and Schema Registry. The following properties are mounted, if present, on the file system for each processor:

Kafka
1. SSLTruststore
2. SSLKeystore
Schema Registry
1. SSL Keystore
2. SSL Truststore

The file structure created by applications is the following: /run/[lenses_installation_id]/applications/

Keep in mind Lenses require an installation folder with write permissions. The following are tried:

/run
/tmp

Kubernetes Mode

Kubernetes can be used to deploy SQL Processors. To configure Kubernetes, set the mode to KUBERNETES and configure the location of the kubeconfig file.

When the Agent is deployed inside Kubernetes, the lenses.kubernetes.config.file configuration entry should be set to an empty string. The Kubernetes client will auto-configure from the pod it is deployed in.

The SQL Processor docker image is live in Dockerhub.

lenses.sql.execution.mode = KUBERNETES
# kubernetes configuration
lenses.kubernetes.config.file = "/home/lenses/.kube/config"
lenses.kubernetes.service.account = "default"
#lenses.kubernetes.processor.image.name = "" # Only needed if you use a custom image
#lenses.kubernetes.processor.image.tag = ""  # Only needed if you use a custom image

# Only needed if you want to tune the buffer size for incoming events from Kubernetes
#lenses.deployments.errors.buffer.size = 1000

# Only needed if you want to tune the buffer size for incoming errors from Kubernetes WS communication
#lenses.deployments.events.buffer.size = 10000

Custom Serdes

Custom serdes should be embedded in a new Lenses SQL processor Docker image.

To build a custom Docker image, create the following directory structure:

mkdir -p processor-docker/serde

Copy your serde jar files under processor-docker/serde.

Create Dockerfile containing:

FROM lensesioextra/sql-processor:4.2

ADD serde /opt/serde
ENV LENSES_SQL_RUNNERS_SERDE_CLASSPATH_OPTS=/opt/serde

Build the Docker.

cd processor-docker
docker build -t example/lsql-processor .

Once the image is deployed in your registry, please set Lenses to use it (lenses.conf):

lenses.kubernetes.processor.image.name = "your/image-name"
lenses.kubernetes.processor.image.tag = "your-tag"

Don't use the LPFP_ prefix.

Internally, Lenses prefixes all its properties with LPFP_.

Avoid passing custom environment variables starting with LPFP_ as it may cause the processors to fail.

Use Role/RoleBinging to deploy Lenses processors

To deploy Lenses Processors in Kubernetes the suggested way is to activate RBAC in Cluster level through Helm values.yaml:

rbacEnable: true

If you want to limit the permissions Lenses has against your Kubernetes cluster, you can use Role/RoleBinding resources instead.

To achieve this you need to create a Role and a RoleBinding resource in the namespace you want the processors deployed to:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: [ROLE_NAME]
  namespace: [PROCESSORS_NAMESPACE]
rules:
- apiGroups: [""]
  resources:
    - namespaces
    - persistentvolumes
    - persistentvolumeclaims
    - pods/log
  verbs:
    - list
    - watch
    - get
    - create
- apiGroups: ["", "extensions", "apps"]
  resources:
    - pods
    - replicasets
    - deployments
    - ingresses
    - secrets
    - statefulsets
    - services
  verbs:
    - list
    - watch
    - get
    - update
    - create
    - delete
    - patch
- apiGroups: [""]
  resources:
    - events
  verbs:
    - list
    - watch
    - get

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: [ROLE_BINDING_NAME]
  namespace: [PROCESSOR_NAMESPACE]
subjects:
- kind: ServiceAccount
  namespace: [LENSES_NAMESPACE]
  name: [SERVICE_ACCOUNT_NAME]
roleRef:
  kind: Role
  name: [ROLE_NAME]
  apiGroup: rbac.authorization.k8s.io

example for:

Lenses namespace = lenses-ns
Processor namespace = lenses-proc-ns

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: processor-role
  namespace: lenses-proc-ns
rules:
- apiGroups: [""]
  resources:
    - namespaces
    - persistentvolumes
    - persistentvolumeclaims
    - pods/log
  verbs:
    - list
    - watch
    - get
    - create
- apiGroups: ["", "extensions", "apps"]
  resources:
    - pods
    - replicasets
    - deployments
    - ingresses
    - secrets
    - statefulsets
    - services
  verbs:
    - list
    - watch
    - get
    - update
    - create
    - delete
    - patch
- apiGroups: [""]
  resources:
    - events
  verbs:
    - list
    - watch
    - get

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: processor-role-binding
  namespace: lenses-proc-ns
subjects:
- kind: ServiceAccount
  namespace: lenses-ns
  name: default
roleRef:
  kind: Role
  name: processor-role
  apiGroup: rbac.authorization.k8s.io

You can repeat this for as many namespaces you may want Lenses to have access to.

Finally you need to define in Lenses configuration which namespaces can Lenses access. To achieve this amend values.yaml to contain the following:

lenses:
  append:
    conf: |
      lenses.kubernetes.namespaces = {
        incluster = [
          "[PROCESSORS NAMESPACE]"
        ]
      }

example:

lenses:
  append:
    conf: |
      lenses.kubernetes.namespaces = {
        incluster = [
          "lenses-processors"
        ]
      }

Logs

This page describes configuring Lenses Agent logging.

Changes to the logback.xml are hot reloaded by the Agent, no need to restart.

All logs are emitted unbuffered as a stream of events to both stdout and to rotating files inside the directory logs/.

The logback.xml file is used to configure logging.

If customization is required, it is recommended to adapt the default configuration rather than write your own from scratch.

The file can be placed in any of the following directories:

the directory where the Agent is started from
/etc/lenses/
agent installation directory.

The first one found, in the above order, is used, but to override this and use a custom location, set the following environment variable:

export LENSES_LOG4J_OPTS="-Dlogback.configurationFile=file:/path/to/logback.xml"

Default configuration

The default configuration file is set up to hot-reload any changes every 30 seconds.

Log Level

The default log level is set to INFO (apart from some very verbose classes).

Log Format

All the log entries are written to the output using the following pattern:

%d{ISO8601} %-5p [%c{2}:%L] [%thread] %m%n

You can adjust this inside logback.xml to match your organization’s defaults.

Log Location

logs/ you will find three files: lenses.log, lenses-warn.log and metrics.log. The first contains all logs and is the same as the stdout. The second contains only messages at level WARN and above. The third one contains timing metrics and can be useful for debugging.

Log Buffering

The default configuration contains two cyclic buffer appenders: "CYCLIC-INFO” and “CYCLIC-METRICS”. These appenders are required to expose the Agent logs within the Admin UI.

Plugins

This page describes how to install plugins in the Lenses Agent.

The following implementations can be specified:

Serializers/Deserializers Plug your serializer and deserializer to enable observability over any data format (i.e., protobuf / thrift)
Custom authentication Authenticate users on your proxy and inject permissions HTTP headers.
LDAP lookup Use multiple LDAP servers or your group mapping logic.
SQL UDFs User Defined Functions (UDF) that extend SQL and streaming SQL capabilities.

Once built, the jar files and any plugin dependencies should be added to the Agent and, in the case of Serializers and UDFs, to the SQL Processors if required.

Adding plugins

On startup, the Agent loads plugins from the $LENSES_HOME/plugins/ directory and any location set in the environment variable LENSES_PLUGINS_CLASSPATH_OPTS. The Agent is watching, and dropping a new plugin will hot-reload it. For the Agent docker (and Helm chart) you use /data/plugins.

Any first-level directories under the paths mentioned above, detected on startup will also be monitored for new files. During startup, the list of monitored locations will be shown in the logs to help confirm the setup.

...
Initializing (pre-run) Lenses
Installation directory autodetected: /opt/lenses
Current directory: /data
Logback configuration file autodetected: logback.xml
These directories will be monitored for new jar files:
 - /opt/lenses/plugins
 - /data/plugins
 - /opt/lenses/serde
Starting application
...

Whilst all jar files may be added to the same directory (e.g /data/plugins), it is suggested to use a directory hierarchy to make management and maintenance easier.

An example hierarchy for a set of plugins:

├── security
│   └── sso_header_decoder.jar
├── serde
│   ├── protobuf_actions.jar
│   └── protobuf_clients.jar
└── udf
    ├── eu_vat.jar
    ├── reverse_geocode.jar
    └── summer_sale_discount.jar

SQL Processors in Kubernetes

There are two ways to add custom plugins (UDFs and Serializers) to the SQL Processors; (1) via making available a tar.gz archive at an HTTP (s) address, or (2) via creating a custom docker image.

Archive served via HTTP

With this method, a tar archive, compressed with gzip, can be created that contains all plugin jars and their dependencies. Then this archive should be uploaded to a web server that the SQL Processors containers can access, and its address should be set with the option lenses.kubernetes.processor.extra.jars.url.

Step by step:

Create a tar.gz file that includes all required jars at its root:
```
tar -czf [FILENAME.tar.gz] -C /path/to/jars/ *
```
Upload to a web server, ie. https://example.net/myfiles/FILENAME.tar.gz

Set

lenses.kubernetes.processor.extra.jars.url=https://example.net/myfiles/FILENAME.tar.gz

For the docker image, set the corresponding environment variable

LENSES_KUBERNETES_PROCESSOR_EXTRA_JARS_URL=https://example.net/myfiles/FILENAME.tar.gz`

Custom Docker image

The SQL Processors inside Kubernetes use the docker image lensesio-extra/sql-processor. It is possible to build a custom image and add all the required jar files under the /plugins directory, then set lenses.kubernetes.processor.image.name and lenses.kubernetes.processor.image.tag options to point to the custom image.

Step by step:

Create a Docker image using lensesio-extra/sql-processor:VERSION as a base and add all required jar files under /plugins:
```
FROM lensesio-extra/sql-processor:4.2
ADD jars/* /plugins
```
```
docker build -t example/sql-processor:4.2 .
```
Upload the docker image to a registry:
```
docker push example/sql-processor:4.2
```

Set

lenses.kubernetes.processor.image.name=example/sql-processor
lenses.kubernetes.processor.image.tag=4.2

For the docker image, set the corresponding environment variables

LENSES_KUBERNETES_PROCESSOR_IMAGE_NAME=example/sql-processor
LENSES_KUBERNETES_PROCESSOR_IMAGE_TAG=4.2

Configuration Reference

This page lists the available configurations in Lenses Agent.

Set in lenses.conf

Basics

Reference documentation of all configuration and authentication options:

Key

Description

Default

Type

Required

Default system topics

System or control topics are created by services for their internal use. Below is the list of built-in configurations to identify them.

_schemas
__consumer_offsets
_kafka_lenses_
lsql_*
lsql-*
__transaction_state
__topology
__topology__metrics
_confluent*
*-KSTREAM-*
*-TableSource-*
*-changelog
__amazon_msk*

Wildcard (*) is used to match any name in the path to capture a list of topics not just one. When the wildcard is not specified, Lenses matches on the entry name provided.

Security

TLS

Kerberos

Persistent storage

Common

H2

Postgres

Schema registries

If the records schema is centralized, the connectivity to Schema Registry nodes is defined by a Lenses Connection.

There are two static config entries to enable/disable the deletion of schemas:

Deployments

Options for specific deployment targets:

Global options
Kubernetes

Global options

Common settings, independently of the underlying deployment target:

Kubernetes

Kubernetes connectivity is optional. Minimum supported K8 version 0.11.10. All settings are string.

SQL snapshot (Explore & Studio)

Optimization settings for SQL queries.

Lenses internal Kafka topics

Lenses requires these Kafka topics to be available, otherwise, it will try to create them. The topics can be created manually before Lenses is run, or allow Lenses the correct Kafka ACLs to create the topics:

To allow for fine-grained control over the replication factor of the three topics, the following settings are available:

When configuring the replication factor for your deployment, it's essential to consider the requirements imposed by your cloud provider. Many cloud providers enforce a minimum replication factor to ensure data durability and high availability. For example, IBM Cloud mandates a minimum replication factor of 3. Therefore, it's crucial to set the replication factor for the Lenses internal topics to at least 3 when deploying Lenses on IBM Cloud.

Advanced

All time configuration options are in milliseconds.

Connectors topology

Control how Lenses identifies your connectors in the Topology view. Catalogue your connector types, set their icons, and control how Lenses extracts the topics used by your connectors.

Lenses comes preconfigured for some of the popular connectors as well as the Stream Reactor connectors. If you see that Lenses doesn’t automatically identify your connector type then use the lenses.connectors.info setting to register it with Lenses.

Add a new HOCON object {} for every new Connector in your lenses.connectors.info list :

  lenses.connectors.info = [
      {
        class.name = "The connector full classpath"
        name = "The name which will be presented in the UI"
        instance = "Details about the instance. Contains the connector configuration field which holds the information. If  a database is involved it would be  the DB connection details, if it is a file it would be the file path, etc"
        sink = true
        extractor.class = "The full classpath for the implementation knowing how to extract the Kafka topics involved. This is only required for a Source"
        icon = "file.png"
        description = "A description for the connector"
        author = "The connector author"
      }
  ]

This configuration allows the connector to work with the topology graph, and also have the RBAC rules applied to it.

Source example

To extract the topic information from the connector configuration, source connectors require an extra configuration. The extractor class should be: io.lenses.config.kafka.connect.SimpleTopicsExtractor. Using this extractor requires an extra property configuration. It specifies the field in the connector configuration which determines the topics data is sent to.

Here is an example for the file source:

  lenses.connectors.info = [
    {
      class.name = "org.apache.kafka.connect.file.FileStreamSource"
      name = "File"
      instance = "file"
      sink = false
      property = "topic"
      extractor.class = "io.lenses.config.kafka.connect.SimpleTopicsExtractor"
    }
  ]

Sink example

An example of a Splunk sink connector and a Debezium SQL server connector

  lenses.connectors.info = [
    {
      class.name = "com.splunk.kafka.connect.SplunkSinkConnector"
      name = "Splunk Sink",
      instance = "splunk.hec.uri"
      sink = true,
      extractor.class = "io.lenses.config.kafka.connect.SimpleTopicsExtractor"
      icon = "splunk.png",
      description = "Stores Kafka data in Splunk"
      docs = "https://github.com/splunk/kafka-connect-splunk",
      author = "Splunk"
    },
    {
      class.name = "io.debezium.connector.sqlserver.SqlServerConnector"
      name = "CDC MySQL"
      instance = "database.hostname"
      sink = false,
      property = "database.history.kafka.topic"
      extractor.class = "io.lenses.config.kafka.connect.SimpleTopicsExtractor"
      icon = "debezium.png"
      description = "CDC data from RDBMS into Kafka"
      docs = "//debezium.io/docs/connectors/mysql/",
      author = "Debezium"
    }
  ]

External Applications

Update Lenses connections state.

It will update the connections state and validate the configuration. If the validation fails, the state will not be updated.

PUT/api/v1/state/connections

Query parameters

validateOnlyboolean

It will only validate the request, not applying any actual change to the system.

validateConnectivityboolean

It will try to connect to the configured service as part of the validation step.

Body

provisioningUpdateConnectionStateAPIRequest (object)

Configuration in YAML format representing the connections state.

kafka*array of object

nameenum

The only allowed name for the Kafka connection is "kafka".

kafka

versioninteger

tagsarray of string

itemsstring

configurationKafkaConfigurationProperties (object)

protocolobject

Kafka security protocol.

valueenum

PLAINTEXTSASL_PLAINTEXTSASL_SSLSSL

sslKeystoreobject

SSL keystore file path.

filestring

sslKeystorePasswordobject

Password to the keystore.

valuestring

sslKeyPasswordobject

Key password for the keystore.

valuestring

sslTruststorePasswordobject

Password to the truststore.

valuestring

sslTruststoreobject

SSL truststore file path.

filestring

saslJaasConfigobject

JAAS Login module configuration for SASL.

valuestring

keytabobject

Kerberos keytab file path.

filestring

kafkaBootstrapServers*object

Comma separated list of protocol://host:port to use for initial connection to Kafka.

valuearray of string

itemsstring

saslMechanismobject

Mechanism to use when authenticated using SASL.

valuestring

metricsPortobject

Default port number for metrics connection (JMX and JOLOKIA).

valueinteger

metricsUsernameobject

The username for metrics connections.

valuestring

metricsPasswordobject

The password for metrics connections.

valuestring

metricsSslobject

Flag to enable SSL for metrics connections.

valueboolean

metricsHttpSuffixobject

HTTP URL suffix for Jolokia or AWS metrics.

valuestring

metricsHttpTimeoutobject

HTTP Request timeout (ms) for Jolokia or AWS metrics.

valueinteger

metricsTypeobject

Metrics type.

valueenum

AWSJMXJOLOKIAGJOLOKIAP

additionalPropertiesobject

Additional properties for Kafka connection.

valueobject

metricsCustomUrlMappingsobject

Mapping from node URL to metrics URL, allows overriding metrics target on a per-node basis.

valueobject

metricsCustomPortMappingsobject

DEPRECATED.

valueobject

confluentSchemaRegistryarray of object

nameenum

The only allowed name for a schema registry connection is "schema-registry".

schema-registry

versioninteger

tagsarray of string

itemsstring

configurationConfluentSchemaRegistryConfigurationProperties (object)

sslKeystoreobject

Path to SSL keystore file

filestring

sslKeystorePasswordobject

Password to the keystore

valuestring (password)

sslKeyPasswordobject

Key password for the keystore

valuestring (password)

sslTruststorePasswordobject

Password to the truststore

valuestring (password)

sslTruststoreobject

Path to SSL truststore file

filestring

schemaRegistryUrls*object

List of schema registry urls

valuearray of string

itemsstring

basicAuthCredentialsSourceobject

Source for the basic auth credentials

valuestring (password)

basicAuthUserInfoobject

Basic auth user information

valuestring (password)

metricsTypeobject

Metrics type

valueenum

JMXJOLOKIAGJOLOKIAP

metricsSslobject

Flag to enable SSL for metrics connections

valueboolean

metricsUsernameobject

The username for metrics connections

valuestring

metricsPasswordobject

The password for metrics connections

valuestring (password)

metricsPortobject

Default port number for metrics connection (JMX and JOLOKIA)

valueinteger

additionalPropertiesobject

Additional properties for Schema Registry connection

valueobject

metricsCustomUrlMappingsobject

Mapping from node URL to metrics URL, allows overriding metrics target on a per-node basis

valueobject

metricsCustomPortMappingsobject

DEPRECATED

valueobject

metricsHttpSuffixobject

HTTP URL suffix for Jolokia metrics

valuestring

metricsHttpTimeoutobject

HTTP Request timeout (ms) for Jolokia metrics

valueinteger

usernameobject

Username for HTTP Basic Authentication

valuestring

passwordobject

Password for HTTP Basic Authentication

valuestring (password)

hardDelete*object

Enables Schema Registry hard delete

valueboolean

elasticSearcharray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationElasticsearchConfigurationProperties (object)

userobject

The username to connect to the Elasticsearch service.

valuestring

passwordobject

The password to connect to the Elasticsearch service.

valuestring (password)

nodes*object

The nodes of the Elasticsearch cluster to connect to, e.g. https://hostname:port. Use the tab key to specify multiple nodes.

valuearray of string

itemsstring

pagerDutyarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationPagerDutyConfigurationProperties (object)

apiToken*object

An API Token for accessing PagerDuty's REST API.

valuestring (password)

datadogarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationDataDogConfigurationProperties (object)

site*object

The Datadog site.

valueenum

EUUS

apiKey*object

The Datadog API key.

valuestring

applicationKeyobject

The Datadog application key.

valuestring

slackarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationSlackConfigurationProperties (object)

webhookUrl*object

The Slack endpoint to send the alert to.

valuestring

alertManagerarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationAlertManagerProperties (object)

endpointsobject

Comma separated list of Alert Manager endpoints.

value*array of string

itemsstring

webhookarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationWebhookProperties (object)

host*object

The host name.

value*string

portobject

An optional port number to be appended to the hostname.

valueinteger (int64)

useHttps*object

Set to true in order to set the URL scheme to https. Will otherwise default to http.

value*boolean

credsobject

An array of (secret) strings to be passed over to alert channel plugins.

valuearray of string

itemsstring

awsarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationAWSConnectionProperties (object)

authMode*object

Way to authenticate against AWS.

value*enum

Credentials ChainAccess Key

accessKeyIdobject

Access key ID of an AWS IAM account.

value*string

secretAccessKeyobject

Secret access key of an AWS IAM account.

value*string

regionobject

AWS region to connect to. If not provided, this is deferred to client configuration.

valuestring

sessionTokenobject

Specifies the session token value that is required if you are using temporary security credentials that you retrieved directly from AWS STS operations.

valuestring

connectarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationConnectConnectionProperties (object)

workersobject

List of Kafka Connect worker URLs.

value*array of string

itemsstring

usernameobject

Username for HTTP Basic Authentication.

valuestring

passwordobject

Password for HTTP Basic Authentication.

valuestring

metricsSslobject

Flag to enable SSL for metrics connections.

valueboolean

metricsUsernameobject

The username for metrics connections.

valuestring

metricsPasswordobject

The password for metrics connections.

valuestring

metricsTypeobject

Metrics type.

valueenum

JMXJOLOKIAGJOLOKIAP

metricsPortobject

Default port number for metrics connection (JMX and JOLOKIA).

valueinteger

aes256Keyobject

AES256 Key used to encrypt secret properties when deploying Connectors to this ConnectCluster.

valuestring

sslAlgorithmobject

Name of the ssl algorithm. If empty default one will be used (X509).

valuestring

sslKeystoreobject

SSL keystore file.

filestring

sslKeystorePasswordobject

Password to the keystore.

valuestring

sslKeyPasswordobject

Key password for the keystore.

valuestring

sslTruststorePasswordobject

Password to the truststore.

valuestring

sslTruststoreobject

SSL truststore file.

filestring

metricsCustomUrlMappingsobject

Mapping from node URL to metrics URL, allows overriding metrics target on a per-node basis.

valueobject

Other propertiesstring

metricsCustomPortMappingsobject

DEPRECATED.

valueobject

Other propertiesinteger

metricsHttpSuffixobject

HTTP URL suffix for Jolokia metrics.

valuestring

metricsHttpTimeoutobject

HTTP Request timeout (ms) for Jolokia metrics.

valueinteger

awsGlueSchemaRegistryarray of object

nameenum

The only allowed name for a schema registry connection is "schema-registry".

schema-registry

versioninteger

tagsarray of string

itemsstring

configurationGlueSchemaRegistryConnectionProperties (object)

authMode*object

Way to authenticate against AWS. The value for this project corresponds to the AWS connection name of the AWS connection that contains the authentication mode.

reference*Referenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

accessKeyIdobject

Access key ID of an AWS IAM account. The value for this project corresponds to the AWS connection name of the AWS connection that contains the access key ID.

reference*Referenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

secretAccessKeyobject

Secret access key of an AWS IAM account. The value for this project corresponds to the AWS connection name of the AWS connection that contains the secret access key.

reference*Referenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

sessionTokenobject

Specifies the session token value that is required if you are using temporary security credentials that you retrieved directly from AWS STS operations.

valuestring

glueRegistryArn*object

Enter the Amazon Resource Name (ARN) of the Glue schema registry that you want to connect to.

value*string

glueRegistryCacheTtlobject

The period in milliseconds that Lenses will be updating its schema cache from AWS Glue.

valueinteger

glueRegistryCacheSizeobject

The size of the schema cache.

valueinteger

schemaRegistryFlavour*object

Type of schema registry connection.

value*string

glueRegistryDefaultCompatibilityobject

Default compatibility mode to use on Schema creation.

valueenum

BACKWARDBACKWARD_ALLFORWARDFORWARD_ALLFULLFULL_ALLNONE

zookeeperarray of object

nameenum

The only allowed name for the Zookeeper connection is "zookeeper".

zookeeper

versioninteger

tagsarray of string

itemsstring

configurationZookeeperConnectionProperties (object)

zookeeperUrlsobject

List of zookeeper urls.

value*array of string

itemsstring

zookeeperChrootPathobject

Zookeeper /znode path.

valuestring

zookeeperSessionTimeoutobject

Zookeeper connection session timeout.

value*integer

zookeeperConnectionTimeoutobject

Zookeeper connection timeout.

value*integer

metricsTypeobject

Metrics type.

valueenum

JMXJOLOKIAGJOLOKIAP

metricsPortobject

Default port number for metrics connection (JMX and JOLOKIA).

valueinteger

metricsUsernameobject

The username for metrics connections.

valuestring

metricsPasswordobject

The password for metrics connections.

valuestring

metricsSslobject

Flag to enable SSL for metrics connections.

valueboolean

metricsHttpSuffixobject

HTTP URL suffix for Jolokia metrics.

valuestring

metricsHttpTimeoutobject

HTTP Request timeout (ms) for Jolokia metrics.

valueinteger

metricsCustomUrlMappingsobject

Mapping from node URL to metrics URL, allows overriding metrics target on a per-node basis.

valueobject

metricsCustomPortMappingsobject

DEPRECATED.

valueobject

postgresarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationPostgresConnectionProperties (object)

hostobject

The Postgres hostname.

value*string

portobject

The port number.

value*integer

databaseobject

The database to connect to.

value*string

usernameobject

The user name.

value*string

passwordobject

The password.

valuestring

sslModeobject

The SSL connection mode as detailed in https://jdbc.postgresql.org/documentation/head/ssl-client.html.

value*enum

allowdisablepreferrequireverify-caverify-full

pagerdutyarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationPagerDutyConnectionProperties (object)

integrationKeyobject

An Integration Key for PagerDuty's service with Events API v2 integration type.

value*string

splunkarray of object

nameReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

versioninteger

tagsarray of string

itemsstring

configurationSplunkConnectionProperties (object)

hostobject

The host name for the HTTP Event Collector API of the Splunk instance.

value*string

portobject

The port number for the HTTP Event Collector API of the Splunk instance.

value*integer

useHttpsobject

Use SSL.

value*boolean

insecureobject

This is not encouraged but is required for a Splunk Cloud Trial instance.

value*boolean

tokenobject

HTTP event collector authorization token.

value*string

kerberosarray of object

nameenum

The only allowed name for the Zookeeper connection is "kerberos".

kerberos

versioninteger

tagsarray of string

itemsstring

configurationKerberosConnectionProperties (object)

kerberosKrb5object

Kerberos krb5 config

fileReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

attachedFilestring (binary)

Attached file(s) needed for establishing the connection. The name of each file part is used as a reference in the manifest.

Response

Successfully updated connection state

Body

updatedarray of Referenceable (string)

itemsReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

createdarray of Referenceable (string)

itemsReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

deletedarray of Referenceable (string)

itemsReferenceable (string)

An alphanumeric or dash non-empty string.

Pattern: ^[a-zA-Z0-9-]+$

Request

const response = await fetch('/api/v1/state/connections', {
    method: 'PUT',
    headers: {
      "Content-Type": "multipart/form-data"
    },
    body: JSON.stringify({}),
});
const data = await response.json();

Response

{
  "updated": [
    "text"
  ],
  "created": [
    "text"
  ],
  "deleted": [
    "text"
  ]
}