Security

UI Authentication

User login is available via HTTP Basic Authentication that is pluggable via JAAS. All options are documented here.

$ cat <<EOF > /tmp/confluent/login.properties
  admin: admin_pw,Administrators
  disallowed: no_access
  EOF
$ cat <<EOF > /tmp/confluent/propertyfile.jaas
  c3 {
    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/tmp/confluent/login.properties";
  };
  EOF
$ cat <<EOF >> /path/to/control-center.properties
  confluent.controlcenter.rest.authentication.method=BASIC
  confluent.controlcenter.rest.authentication.realm=c3
  confluent.controlcenter.rest.authentication.roles=Administrators
  EOF

Now start Control Center to use the JAAS configuration like below:

$ CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/tmp/confluent/propertyfile.jaas" control-center-start /path/to/control-center.properties

Now when you access the UI you should be prompted for a username/password. Using admin:admin_pw to login will allow you in, and disallowd:no_access will be blocked. Any JAAS LoginModule should work.

UI HTTPS

HTTPS is supported for web access to Confluent Control Center. For more details, check the configuration options.

Kafka

Standard Kafka authentication, authorization, and encryption options are available for control center and interceptors.

Authorization with Kafka ACLS

We have provided a script for creating the ACLs necessary for Confluent Control Center to operate on an authorized cluster. This script needs to be run before you start Confluent Control Center:

$ export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/kafka_jaas.conf"
$ bin/control-center-set-acls config/control-center.properties

You will also need to export a Confluent Control Center JAAS config before starting Confluent Control Center.

$ export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=/path/to/c3_jaas.conf'
$ bin/control-center-start config/control-center.properties