.. _controlcenter_security: Security ======== UI Authentication ----------------- User login is available via HTTP Basic Authentication that is pluggable via JAAS. All options are :ref:`documented here`. .. sourcecode:: bash $ cat < /tmp/confluent/login.properties admin: admin_pw,Administrators disallowed: no_access EOF $ cat < /tmp/confluent/propertyfile.jaas c3 { org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required debug="true" file="/tmp/confluent/login.properties"; }; EOF $ cat <> /path/to/control-center.properties confluent.controlcenter.rest.authentication.method=BASIC confluent.controlcenter.rest.authentication.realm=c3 confluent.controlcenter.rest.authentication.roles=Administrators EOF Now when you start Control Center and access the UI you should be prompted for a username/password. Using admin:admin_pw to login will allow you in, and disallowd:no_access will be blocked. Any JAAS LoginModule should work. UI HTTPS -------- HTTPS is supported for web access to Confluent Control Center. For more details, check the :ref:`configuration options`. Kafka ----- Standard Kafka authentication, authorization, and encryption options are available for :ref:`control center` and :ref:`interceptors`. Authorization with Kafka ACLS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ We have provided a script for creating the ACLs necessary for Confluent Control Center to operate on an authorized cluster. This script needs to be run before you start Confluent Control Center: .. sourcecode:: bash $ export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/kafka_jaas.conf" $ bin/controlcenter-set-acls config/controlcenter.properties You will also need to export a Confluent Control Center JAAS config before starting Confluent Control Center. .. sourcecode:: bash $ export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=/path/to/c3_jaas.conf'