Control Center UI Authentication
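User login is available through HTTP Basic Authentication, which is pluggable through JAAS. All options are documented here. The example below creates a property-file user store, a JAAS configuration that points to it, and the Control Center settings that enable Basic authentication.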
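# Create the directory that holds the example credential files
mkdir -p /tmp/confluent
# User store, one entry per line: "username: password[,role ...]"
cat <<EOF > /tmp/confluent/login.properties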
admin: admin_pw,Administrators
disallowed: no_access
EOF
# JAAS configuration: the entry name (c3) is the realm referenced in control-center.properties
cat <<EOF > /tmp/confluent/propertyfile.jaas
c3 {
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
file="/tmp/confluent/login.properties";
};
EOF
# Append the authentication settings to the Control Center properties file
cat <<EOF >> /path/to/control-center.properties
confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.realm=c3
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted
EOF
Start Control Center with the JAAS configuration, as shown below:
CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/tmp/confluent/propertyfile.jaas" control-center-start /path/to/control-center.properties
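When you access the UI, you should now be prompted for a username and password. Logging in with admin:admin_pw will let you in, and disallowed:no_access will be blocked because that user has none of the roles listed in confluent.controlcenter.rest.authentication.roles. Any JAAS LoginModule should work.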
UI HTTPS
HTTPS is supported for web access to Confluent Control Center. To enable HTTPS, you must first add an HTTPS listener in the Control Center properties file using the confluent.controlcenter.rest.listeners parameter. You must also set the appropriate SSL configuration options. If you haven't already, this would be a good time to create SSL keys and certificates. An example of the necessary additions to control-center.properties is shown below:
confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
confluent.controlcenter.rest.ssl.keystore.location=/var/private/ssl/kafka.control-center.keystore.jks
confluent.controlcenter.rest.ssl.keystore.password=test1234
confluent.controlcenter.rest.ssl.key.password=test1234
confluent.controlcenter.rest.ssl.truststore.location=/var/private/ssl/kafka.control-center.truststore.jks
confluent.controlcenter.rest.ssl.truststore.password=test1234
# Verify that the HTTPS listener answers over TLS 1.2
curl -vvv -X GET --tlsv1.2 https://localhost:9022
# When the server uses a self-signed certificate, pass the CA certificate explicitly
curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022
Tip
For an example that shows this in action, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml for a configuration reference.
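The following check is an added example, not part of the Confluent documentation or tooling. It audits the two files configured above for three deployment mistakes: BASIC authentication without HTTPS-only listeners, the sample test1234 store passwords left in place, and cleartext passwords in login.properties. The function names and temporary paths are assumptions; OBF:, MD5: and CRYPT: are the credential prefixes Jetty recognizes in a property file.

```shell
# Added example (not Confluent code): audit the two files shown on this page.
# Prints one line per finding and returns the number of findings (0 = clean).

# prop FILE KEY -> value of KEY (last occurrence wins), spaces removed
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tail -n 1 | tr -d ' '
}

audit_c3() {
  props=$1; logins=$2; findings=0; p=confluent.controlcenter.rest
  method=$(prop "$props" "$p.authentication.method")
  listeners=$(prop "$props" "$p.listeners")

  # Basic auth sends base64(user:password) with every request, so every
  # listener must be https:// once the method is BASIC.
  if [ "$method" = "BASIC" ]; then
    case ",$listeners" in
      ,|*,http://*) echo "FAIL: BASIC auth without HTTPS-only listeners: '$listeners'"
                    findings=$((findings + 1)) ;;
    esac
  fi

  # The store passwords in the page's HTTPS snippet are sample values.
  for k in keystore.password key.password truststore.password; do
    if [ "$(prop "$props" "$p.ssl.$k")" = "test1234" ]; then
      echo "FAIL: $p.ssl.$k is the documentation sample password"
      findings=$((findings + 1))
    fi
  done

  # Jetty property-file entries are "user: credential[,role ...]". Without an
  # OBF:/MD5:/CRYPT: prefix the password is stored in cleartext (OBF: is only
  # reversible obfuscation, so file permissions still matter).
  while IFS=: read -r user rest || [ -n "$user" ]; do
    case "$user" in ''|'#'*) continue ;; esac
    cred=${rest%%,*}; cred=${cred#"${cred%%[! ]*}"}
    case "$cred" in
      OBF:*|MD5:*|CRYPT:*) ;;
      *) echo "WARN: '$user' has a cleartext password in $logins"
         findings=$((findings + 1)) ;;
    esac
  done < "$logins"
  return "$findings"
}

# Constructed sample: the page's login file, BASIC auth, no HTTPS listener.
demo=$(mktemp -d)
printf 'admin: admin_pw,Administrators\ndisallowed: no_access\n' > "$demo/login.properties"
echo 'confluent.controlcenter.rest.authentication.method=BASIC' > "$demo/c3.properties"
audit_c3 "$demo/c3.properties" "$demo/login.properties" || echo "findings: $?"; rm -rf "$demo"
```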
Authorization with Kafka ACLs
Standard Apache Kafka® authentication, authorization, and encryption options are available for Control Center and interceptors. You can use this script to create the ACLs that Control Center requires to operate on an authorized cluster. This script must be run before you start Control Center:
export PRINCIPAL=User:username
export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/kafka_jaas.conf"
bin/control-center-set-acls config/control-center.properties
You will also need to export a Control Center JAAS config before starting Control Center.
export PRINCIPAL=User:username
export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=/path/to/c3_jaas.conf'
bin/control-center-start config/control-center.properties