Control Center UI Authentication

User login is available via HTTP Basic Authentication that is pluggable via JAAS. All options are documented here.

 cat <<EOF > /tmp/confluent/login.properties
admin: admin_pw,Administrators
disallowed: no_access
EOF
 cat <<EOF > /tmp/confluent/propertyfile.jaas
c3 {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
  file="/tmp/confluent/login.properties";
};
EOF
 cat <<EOF >> /path/to/control-center.properties
confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.realm=c3
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted
EOF

Now start Control Center to use the JAAS configuration like below:

CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/tmp/confluent/propertyfile.jaas" control-center-start /path/to/control-center.properties

Now when you access the UI you should be prompted for a username/password. Using admin:admin_pw to login will allow you in, and disallowd:no_access will be blocked. Any JAAS LoginModule should work.

UI HTTPS

HTTPS is supported for web access to Confluent Control Center. To enable HTTPS you must first add a HTTPS listener in the Control Center properties file using the confluent.controlcenter.rest.listeners parameter. You must also set the appropriate SSL configuration options. If you haven’t already this would be a good time to create SSL keys and certificates.

An example of the necessary additions to control-center.properties are shown below:

confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
confluent.controlcenter.rest.ssl.keystore.location=/var/private/ssl/kafka.control-center.keystore.jks
confluent.controlcenter.rest.ssl.keystore.password=test1234
confluent.controlcenter.rest.ssl.key.password=test1234
confluent.controlcenter.rest.ssl.truststore.location=/var/private/ssl/kafka.control-center.truststore.jks
confluent.controlcenter.rest.ssl.truststore.password=test1234

To test your HTTPS configuration without a web browser you can use curl as shown below:

   curl -vvv -X GET --tlsv1.2 https://localhost:9022
#for cases when using a self-signed certificate
   curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022

Authorization with Kafka ACLs

Standard Apache Kafka® authentication, authorization, and encryption options are available for control center and interceptors. You can use this script to create the ACLs that are required by Confluent Control Center to operate on an authorized cluster. This script must be run before you start Confluent Control Center:

export PRINCIPAL=User:username
export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/kafka_jaas.conf"
bin/control-center-set-acls config/control-center.properties

You will also need to export a Confluent Control Center JAAS config before starting Confluent Control Center.

export PRINCIPAL=User:username
export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=/path/to/c3_jaas.conf'
bin/control-center-start config/control-center.properties