.. _authentication:

.. _ui_authentication:

UI Authentication
-----------------

User login is available via HTTP Basic Authentication that is pluggable via JAAS. All options are :ref:`documented here<ui_authentication_settings>`.

.. sourcecode:: bash

    $ cat <<EOF > /tmp/confluent/login.properties
      admin: admin_pw,Administrators
      disallowed: no_access
      EOF
    $ cat <<EOF > /tmp/confluent/propertyfile.jaas
      c3 {
        org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        file="/tmp/confluent/login.properties";
      };
      EOF
    $ cat <<EOF >> /path/to/control-center.properties
      confluent.controlcenter.rest.authentication.method=BASIC
      confluent.controlcenter.rest.authentication.realm=c3
      confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
      confluent.controlcenter.auth.restricted.roles=Restricted
      EOF

Now start |c3-short| to use the JAAS configuration like below:

.. sourcecode:: bash

    $ CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/tmp/confluent/propertyfile.jaas" control-center-start /path/to/control-center.properties

Now when you access the UI you should be prompted for a username/password. Using admin:admin_pw to login will allow you in, and disallowd:no_access will be blocked. Any JAAS LoginModule should work.

UI HTTPS
--------
HTTPS is supported for web access to |c3|. For more details, check the :ref:`configuration options<https_settings>`.

Authorization with Kafka ACLS
-----------------------------

Standard Kafka authentication, authorization, and encryption options are available for :ref:`control center<kafka_encryption_authentication_authorization_settings>` and :ref:`interceptors<interceptor_configuration_options>`.
We have provided a script for creating the ACLs necessary for |c3| to operate on an authorized cluster. This script needs to be run before you start |c3|:

.. sourcecode:: bash

    $ export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/kafka_jaas.conf"
    $ bin/control-center-set-acls config/control-center.properties

You will also need to export a |c3| JAAS config before starting |c3|.

.. sourcecode:: bash

    $ export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=/path/to/c3_jaas.conf'
    $ bin/control-center-start config/control-center.properties