.. title:: Control Center Configuration Reference

.. meta::
   :description: This topic provides configuration parameters for Control Center, a web-based tool for managing and monitoring Apache Kafka® in Confluent Platform.

.. include:: ../../installation/includes/filter.rst

.. _controlcenter_configuration:

|c3-short| Configuration Reference for |cp|
===========================================

The following settings are available for configuring Control Center. |c3| includes several sample configuration (.properties) files in the following directory: ``$CONFLUENT_HOME/etc/confluent-control-center``

For a list of sample configuration files, see :ref:`c3_properties_files`.

Search reference
----------------

|c3| groups settings into categories. You can search and filter by configuration property name.

.. include:: ../../installation/includes/filter-form.rst

Base settings
-------------

This section includes base settings for |c3-short|.

bootstrap.servers
^^^^^^^^^^^^^^^^^

A list of host/port pairs to use for establishing the initial connection to the |ak-tm| cluster. The client will make use of all servers irrespective of which servers are specified here for bootstrapping; this list only impacts the initial hosts used to discover the full set of servers. This list should be in the form ``host1:port1,host2:port2,...``. Since these servers are just used for the initial connection to discover the full cluster membership (which could change dynamically), this list need not contain the full set of servers (you may want more than one, though, in case a server is down).

* Type: list
* Default: localhost:9092
* Importance: high

confluent.license
^^^^^^^^^^^^^^^^^

Confluent issues an enterprise license key to each subscriber, allowing the subscriber to unlock the full functionality of |c3-short|. The license key is text that you can copy and paste. Paste the license key as the value for ``confluent.license``. You can also manage the license in the |c3-short| web interface.

A trial license allows using |c3-short| for a 30-day trial period. A developer license allows using |c3-short| and other |cp| proprietary components indefinitely for single-broker development environments. Trial and developer licenses are shipped with |cp|. See :ref:`controlcenter_licenses` for more details.

If you are a subscriber, contact Confluent Support for more information about obtaining another valid enterprise license before it expires.

``confluent.controlcenter.license`` is a deprecated synonym for this configuration key.

* Type: string
* Default: ""
* Importance: high

confluent.controlcenter.rest.csrf.prevention.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

When enabled, uses a token-based system to help prevent Cross-Site Request Forgery (CSRF). CSRF is a malicious exploit that can result in an end user executing unwanted actions on a web application in which they’re currently authenticated. If the target user has an administrative account, CSRF can compromise the entire web application.

* Type: boolean
* Default: false
* Importance: medium

confluent.controlcenter.rest.csrf.prevention.token.expiration.minutes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Sets the CSRF prevention token expiration time, if CSRF prevention is enabled. The default expiration time should be sufficient for most use cases; however, you can use this setting to increase or decrease the token expiration interval if needed.

* Type: int
* Default: 30
* Importance: low

confluent.controlcenter.rest.thread.pool.max
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The maximum number of threads that will be started for the HTTP Servlet server.

* Type: int
* Default: 200
* Importance: low

confluent.controlcenter.rest.thread.pool.min
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The minimum number of threads that will be started for the HTTP Servlet server.

* Type: int
* Default: 8
* Importance: low

confluent.controlcenter.ui.basepath
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies the basepath of the base URL to use for all relative URLs in the HTML document displayed by |c3-short|. The basepath should start and end with a slash (/). For example, you could specify ``confluent.controlcenter.ui.basepath=/app1/``, and |c3-short| can then be accessed from ``http://somehost:9021/app1/``.

* Type: string
* Default: null
* Importance: medium

confluent.controlcenter.ui.external.js.files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies a comma-separated list of external JavaScript files to add to the HTML document displayed by |c3-short|.

* Type: string
* Default: null
* Importance: low

confluent.controlcenter.ui.external.css.files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies a comma-separated list of external CSS files to add to the HTML document displayed by |c3-short|.

* Type: string
* Default: null
* Importance: low

Production Settings
-------------------

In production, you should run |c3-short| in a cluster that is separate from the |ak| clusters being monitored. Set the following configuration parameters in the |c3-short| properties file.

confluent.controlcenter.streams.statestore.cache.max.bytes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Maximum number of memory bytes used for record caches across all threads.

.. tip::

   Consider setting this config value proportional to the total :ref:`num.partitions `. Here is an example computation:

   - Each per-partition metric is stored as a key-value pair that consists of "topic-string, partition-id, cluster-name". |c3-short| compacts the values as four long variables, recording the min, max, count, and total.
   - X is the total number of topic partitions, and |c3-short| collects seven per-partition metrics.
   - Twelve threads by default.

   The total cache size should be:

   ::

      X (topic partitions) * 7 (per-partition metrics) * 12 (number of threads) * 150 (average bytes per metric).

   For example, with 100000 topic partitions, the cache size should be 1,260,000,000 bytes.

* Type:
* Default: 1,073,741,824 bytes
* Importance: high

.. _c3_addl_cluster_boot_servers:

confluent.controlcenter.kafka..bootstrap.servers
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Bootstrap servers for any additional |ak| cluster being monitored. Replace ```` with the name |c3-short| should use to identify this cluster. For example, using ``confluent.controlcenter.kafka.production-nyc.bootstrap.servers``, |c3-short| will show the additional cluster with the name ``production-nyc`` in the cluster list.

* Type: list
* Default: ""
* Importance: high

.. _c3_addl_connection_config_cluster_name:

confluent.controlcenter.kafka..
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Any additional connection configuration required to connect to the Kafka cluster identified by ```` can be specified using the ``confluent.controlcenter.kafka..`` prefix. For example, to specify the ``security.protocol=SASL_SSL`` configuration for the cluster named ``production-nyc``, add ``confluent.controlcenter.kafka.production-nyc.security.protocol=SASL_SSL`` to the configuration.

* Importance: medium

.. tip:: If you are configuring a multi-cluster deployment, see also :ref:`confluent.controlcenter.streams.name.cprest.url `.

.. _mode_settings:

Mode settings
-------------

Use this optional setting to specify the :ref:`mode ` that |c3| starts in. By default, |c3-short| starts in Normal mode, meaning ``all`` is specified, and monitoring is enabled.

confluent.controlcenter.mode.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Set the mode in which |c3-short| should be started. Valid values are ``all``, meaning |c3| operates normally, and ``management``, meaning |c3| uses less infrastructure to operate.
In :ref:`Reduced infrastructure mode `, |c3-short| is used to manage |ak| clusters only and will not display monitoring or metrics information. Use this setting to specify the :ref:`mode ` that |c3| starts in. By default, |c3-short| starts in Normal mode, meaning ``all`` is specified, and monitoring is enabled.

* Type: string
* Default: all
* Importance: high

.. _c3-connect-cluster-setting:

General settings
----------------

General settings for |c3-short| are optional.

confluent.controlcenter.connect..cluster
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Comma-separated list of |kconnect-long| worker URLs for the |kconnect| cluster specified by ````. ``.cluster``.

* Type: list
* Default: ""
* Importance: low

confluent.controlcenter.data.dir
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Location for |c3-short|-specific data. Although the data stored in this directory can be recomputed, doing so is expensive and can affect the availability of |c3-short|'s stream monitoring functionality. For production, you should set this to a durable, writable, and secure location.

* Type: path
* Default: ``/var/lib/confluent-control-center`` (``control-center-production.properties``)
* Default: ``/tmp/confluent/control-center`` (``control-center.properties``, ``control-center-dev.properties``, ``control-center-minimal.properties``)
* Importance: high

.. _rest_listeners:

.. include:: includes/rest-listeners.rst

.. _c3_rest_adv_url:

confluent.controlcenter.rest.advertised.url
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Externally visible host. |c3-short| uses this as an override to ``rest.listeners`` when generating URLs for external communications such as alert emails.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.rest.access.control.allow.origin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Sets the value for the Jetty ``Access-Control-Allow-Origin`` header.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.rest.response.http.headers.config
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Use to select which HTTP headers are returned in the HTTP response for |cp| components. Specify multiple values in a comma-separated string using the format ``[action][header name]:[header value]`` where ``[action]`` is one of the following: ``set``, ``add``, ``setDate``, or ``addDate``. You must use quotation marks around the header value when the header value contains commas. For example:

::

   response.http.headers.config="add Cache-Control: no-cache, no-store, must-revalidate", add X-XSS-Protection: 1; mode=block, add Strict-Transport-Security: max-age=31536000; includeSubDomains, add X-Content-Type-Options: nosniff

* Type: string
* Default: ""
* Importance: low

.. _confluent-controlcenter-streams-cprest-url:

confluent.controlcenter.streams.cprest.url
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Defines the REST endpoints for |c3-short| to enable HTTP servers on the broker(s). A comma-separated list with multiple values can be provided for a multi-broker cluster. For examples, see :ref:`c3-cprest-config-tutorial`, :ref:`sbc-configs-c3`, and :ref:`Self-Balancing Clusters ` documentation.

* Type: list
* Default: ``http://localhost:8090``
* Importance: high

To configure multiple clusters, see :ref:`confluent.controlcenter.kafka.name.cprest.url `.

.. _confluent-controlcenter-kafka-name-url:

confluent.controlcenter.kafka..cprest.url
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Defines the REST endpoints for any additional Kafka clusters being monitored by |c3-short| to enable HTTP servers on the broker(s). Replace ```` with the name that identifies this cluster. This name should be consistent with the Kafka cluster name used for other Control Center configurations. A comma-separated list with multiple values can be provided for a multi-broker cluster.
Note that if the REST API endpoints are secured with TLS, you must include additional properties in the |c3| properties file that provide the security information. For more information, see :ref:`controlcenter-ui-https` and :ref:`https_settings`.

The following example shows REST endpoint settings for three clusters or data centers (dc1, dc2, and dc3):

.. code:: bash

   confluent.controlcenter.streams.cprest.url=https://dc1:8090
   confluent.controlcenter.kafka.dc2.cprest.url=https://dc2:8090
   confluent.controlcenter.kafka.dc3.cprest.url=https://dc3:8090

* Type: list
* Default: ""
* Importance: high

For an example of configuring the |c3-short| ``cprest.url`` specifically for multiple clusters, see :ref:`multi-cluster-sr`.

.. _c3-schema-registry-url:

confluent.controlcenter.schema.registry.url
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Schema Registry URL. For more information and examples, see the :ref:`Schema Registry documentation ` and configuration steps for :ref:`multi-cluster-sr`.

* Type: list
* Default: http://localhost:8081
* Importance: high

confluent.controlcenter.id
^^^^^^^^^^^^^^^^^^^^^^^^^^

Identifier used as a prefix so that multiple instances of |c3-short| can co-exist.

* Type: string
* Default: "1"
* Importance: low

confluent.controlcenter.name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

|c3-short| Name

* Type: string
* Default: _confluent-controlcenter-|release|
* Importance: low

confluent.controlcenter.internal.topics.partitions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Number of partitions used internally by |c3-short|.

* Type: int
* Default: 12
* Importance: low

confluent.controlcenter.internal.topics.replication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Replication factor used internally by |c3-short|. It is not recommended to reduce this value except in a development environment.

* Type: int
* Default: 3
* Importance: low

confluent.controlcenter.internal.topics.retention.ms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Maximum time in milliseconds that internal data is stored in |ak|. For more information, see :ref:`data retention `.

* Type: long
* Default: 604,800,000 (7 days)
* Importance: low

confluent.controlcenter.internal.topics.changelog.segment.bytes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Segment size in bytes for internal changelog topics in |ak|. This must be as small as broker settings ``log.cleaner.dedupe.buffer.size`` / ``log.cleaner.threads`` to guarantee enough space in the broker's dedupe buffer for compaction to work.

* Type: long
* Default: 134,217,728
* Importance: low

confluent.metrics.topic
^^^^^^^^^^^^^^^^^^^^^^^

Topic from which metrics data will be read. For multiple instances of |c3-short| using the same |ak| cluster for monitoring purposes, it may be helpful to use separate metrics and command topics (if each |c3-short| installation is monitoring different |ak| clusters).

* Type: string
* Default: _confluent-metrics
* Importance: low

confluent.metrics.topic.retention.ms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Maximum time in milliseconds that metrics data is stored in |ak|. For more information, see :ref:`data retention `.

* Type: long
* Default: 259,200,000 (3 days)
* Importance: low

confluent.metrics.topic.replication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Replication factor for metrics topic. It is not recommended to reduce this value except in a development environment.

* Type: int
* Default: 3
* Importance: low

confluent.metrics.topic.partitions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Partition count for metrics topic.

* Type: int
* Default: 12
* Importance: low

confluent.metrics.topic.skip.backlog.minutes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Skip backlog older than x minutes ago for broker metrics data. Set this to 0 if you want to process from the latest offsets.
This config overrides ``confluent.controlcenter.streams.consumer.auto.offset.reset`` (deprecated) for the metrics input topic.

* Type: long
* Default: 15

confluent.controlcenter.disk.skew.warning.min.bytes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Threshold for the max difference in disk usage across all brokers before disk skew warning is published.

* Type: long
* Default: 1,073,741,824
* Importance: low

confluent.controlcenter.max.trigger.events.per.alert.config
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The maximum number of trigger events in one alert.

* Type: int
* Default: 1,000
* Importance: low

confluent.controlcenter.alert.cluster.down.autocreate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Auto create a trigger and an email action for Control Center's cluster down alerts. For more information, see :ref:`c3_cluster_offline`.

* Type: boolean
* Default: false
* Importance: low

confluent.controlcenter.alert.cluster.down.to.email
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Email to send alerts to when Control Center's cluster is down.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.alert.cluster.down.to.webhookurl.slack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The Slack webhook URL to post alerts to when Control Center's cluster is down.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.alert.cluster.down.to.pagerduty.integration.key
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The PagerDuty integration key to post alerts to a certain service when |c3-short|'s cluster is down.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.alert.cluster.down.send.rate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Send rate per hour for auto-created cluster down alerts. Default: 12 times per hour (every 5 minutes).

* Type: int
* Default: 12
* Importance: low

confluent.controlcenter.ui.data.expired.threshold
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Configure a threshold (in seconds) before data is considered out of date. Default: 120 seconds (2 minutes).

* Type: int
* Default: 120
* Importance: low

confluent.controlcenter.service.healthcheck.interval.sec
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The interval (in seconds) used for checking the health of |cp| nodes. This includes |ksqldb|, |kconnect|, |sr|, |crest|, and |mds-long|.

* Type: int
* Default: 20
* Importance: low

.. _c3-request-buffer-size:

confluent.controlcenter.request.buffer.size.bytes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Allows adjustment of the RequestBuffer size of HttpClient.

* Type: int
* Default: 10,000
* Importance: low

confluent.controlcenter.topic.inspection.max.message.bytes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Maximum size of messages to display on the Messages page for a topic. Messages larger than this value are suppressed and an error (MESSAGE_TOO_BIG_FOR_UI) is shown. Metadata is displayed even if the message is suppressed. Large messages can slow down or crash the Messages page.

* Type: long
* Default: 1048576 (1 Mb)
* Importance: low

.. _broker_settings:

Broker UI settings
------------------

Starting with |cp| version 7.0.0, |c3-short| uses an embedded REST proxy and as a result provides an updated UI to display broker settings. These settings are optional.

confluent.controlcenter.embedded.kafkarest.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enables or disables the use of an embedded REST proxy for |c3-short|, which must be enabled for |c3| to display the new broker settings UI. Starting with |cp| version 7.0.0, |c3-short| uses an embedded REST proxy and as a result provides an updated UI to display broker settings.
The new settings UI is enabled by default, but you can revert back to the old view with this setting and ``confluent.controlcenter.ui.brokersettings.kafkarest.enable``.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.ui.brokersettings.kafkarest.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enables or disables new broker settings UI. This setting will be forced to false if ``confluent.controlcenter.embedded.kafkarest.enable`` is also false.

* Type: boolean
* Default: true
* Importance: low

.. _monitoring_settings:

Monitoring settings
-------------------

These optional settings are for consumption and end-to-end latency monitoring. The default settings work for the majority of use cases and scales.

confluent.monitoring.interceptor.topic
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The |ak| topic that stores monitoring interceptor data. This setting must match the ``confluent.monitoring.interceptor.topic`` configuration used by the interceptors in your application. Usually you should not change this setting unless you are running multiple instances of |c3-short| with client monitoring interceptor data being reported to the same |ak| cluster.

* Type: string
* Default: _confluent-monitoring
* Importance: high

confluent.monitoring.interceptor.topic.partitions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Number of partitions for the monitoring interceptor data topic.

* Type: int
* Default: 12
* Importance: low

confluent.monitoring.interceptor.topic.replication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Replication factor for monitoring topic. It is not recommended to reduce this value except in a development environment.

* Type: int
* Default: 3
* Importance: low

confluent.monitoring.interceptor.topic.retention.ms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Maximum time in milliseconds that interceptor data is stored in |ak|. For more information, see :ref:`data retention `.

* Type: long
* Default: 259,200,000 (3 days)
* Importance: low

confluent.monitoring.interceptor.topic.skip.backlog.minutes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Skip backlog older than x minutes ago for monitoring interceptor data. Set this to 0 if you want to process from the latest offsets. This config overrides ``confluent.controlcenter.streams.consumer.auto.offset.reset`` (deprecated) for the monitoring input topic.

* Type: long
* Default: 15
* Importance: low

.. _ui_authentication_settings:

Basic Authentication settings for web access
--------------------------------------------

These optional settings allow you to enable and configure authentication for accessing the |c3-short| web interface. See the :ref:`UI Authentication ` guide for more details on configuring authentication.

confluent.controlcenter.rest.authentication.method
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Authentication method to use. Available options: NONE, BASIC, BEARER.

.. important:: When |rbac| is enabled in |c3-short|, the method must be ``BEARER``. For more information, see :ref:`controlcenter_security_rbac`.

* Type: string
* Default: NONE
* Importance: low

confluent.controlcenter.rest.authentication.realm
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Realm to be used by |c3-short| when authenticating.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.rest.authentication.roles
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Roles that are authenticated to access |c3-short|.

* Type: string
* Default: *
* Importance: low

confluent.controlcenter.auth.restricted.roles
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specify a list of roles with limited read-only access. You must include roles added here in ``confluent.controlcenter.rest.authentication.roles``.
For users that are members of roles included in this list, the following features and options are unavailable: * Add, delete, pause, or resume connectors * Browse connectors * View connector settings * Upload connector configs * Create, delete, or edit alerts (triggers or actions) * Edit a license * Edit brokers * Press submit on cluster forms * Edit, create, or delete schemas * Edit data flow queries * :ref:`Inspect topics ` * Type in the KSQL editor * :ref:`Run or stop ksqlDB querie` * Add |ksqldb| streams or table For fine-grained access control, consider configuring :ref:`role-based access control (RBAC) `. * Type: list * Default: "" * Importance: low confluent.controlcenter.auth.session.expiration.ms ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Timeout in milliseconds after which a user session will have to be re-authenticated with the authentication service (e.g. LDAP). Defaults to 0, which means authentication is done for every request. Increase this value to avoid calling the LDAP service for each request. * Type: long * Default: 0 * Importance: low .. _https_settings: TLS settings for web access --------------------------- Configure the following optional properties to secure web access (HTTPS) to |c3-short| with TLS. To configure TLS settings when |c3-short| acts as a proxy server to other |cp| components, see :ref:`controlcenter_security_ssl`. .. include:: includes/rest-listeners.rst confluent.controlcenter.rest.ssl.keystore.location ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. Location of the keystore file to use for TLS. .. important:: Jetty requires that the key's CN stored in the keystore must match the FQDN. * Type: string * Default: "" * Importance: high confluent.controlcenter.rest.ssl.keystore.password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The store password for the keystore file. 
* Type: password * Default: "" * Importance: high confluent.controlcenter.rest.ssl.key.password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The password of the private key in the keystore file. * Type: password * Default: "" * Importance: high confluent.controlcenter.rest.ssl.truststore.location ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. Location of the truststore. Required only to authenticate HTTPS clients. * Type: string * Default: "" * Importance: high confluent.controlcenter.rest.ssl.truststore.password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The store password for the truststore file. * Type: password * Default: "" * Importance: high confluent.controlcenter.rest.ssl.keystore.type ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The type of keystore file. * Type: string * Default: JKS * Importance: medium confluent.controlcenter.rest.ssl.truststore.type ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The type of truststore file. * Type: string * Default: JKS * Importance: medium confluent.controlcenter.rest.ssl.protocol ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The TLS protocol used to generate the SSLContext. The default is ``TLSv1.3`` when running with Java 11 or newer, ``TLSv1.2`` otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are ``TLSv1.2`` and ``TLSv1.3``. ``TLS``, ``TLSv1.1``, ``SSL``, ``SSLv2`` and ``SSLv3`` might be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ``ssl.enabled.protocols``, clients downgrade to ``TLSv1.2`` if the server does not support ``TLSv1.3``. If this configuration is set to ``TLSv1.2``, clients do not use ``TLSv1.3``, even if it is one of the values in ``ssl.enabled.protocols`` and the server only supports ``TLSv1.3``. 
* Type: string * Default: ``TLSv1.3`` * Importance: medium confluent.controlcenter.rest.ssl.provider ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The TLS security provider name. Leave blank to use the defaults for Jetty. * Type: string * Default: "" (Jetty default) * Importance: medium confluent.controlcenter.rest.ssl.client.auth ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Deprecated. Used for HTTPS. Whether to require the HTTPS client to authenticate using the server's truststore. This is deprecated by ``confluent.controlcenter.rest.ssl.client.authentication``. * Type: boolean * Default: false * Importance: medium confluent.controlcenter.rest.ssl.client.authentication ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. Valid values: NONE, REQUESTED or REQUIRED. NONE disables TLS client authentication, REQUESTED requests but doesn't require TLS client authentication, and REQUIRED requires HTTPS clients to authenticate using the server's truststore. This config overrides ``confluent.controlcenter.rest.ssl.client.auth`` (deprecated). * Type: string * Default: NONE * Importance: medium confluent.controlcenter.rest.ssl.enabled.protocols ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. Leave blank (``""``) to use the Jetty default. The comma-separated list of protocols enabled for TLS connections. The default value is ``TLSv1.2,TLSv1.3`` when running with Java 11 or later, ``TLSv1.2`` otherwise. With the default value for Java 11 (``TLSv1.2,TLSv1.3``), |ak| clients and brokers prefer ``TLSv1.3`` if both support it, and falls back to ``TLSv1.2`` otherwise (assuming both support at least ``TLSv1.2``). * Type: list * Default: "" (Jetty default) * Importance: medium confluent.controlcenter.rest.ssl.keymanager.algorithm ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The algorithm used by the key manager factory for TLS connections. Leave blank to use the Jetty default. 
* Type: string * Default: "" (Jetty default) * Importance: low confluent.controlcenter.rest.ssl.trustmanager.algorithm ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The algorithm used by the trust manager factory for TLS connections. Leave blank to use the Jetty default. * Type: string * Default: "" (Jetty default) * Importance: low confluent.controlcenter.rest.ssl.cipher.suites ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ A comma-separated list of TLS cipher suites used for HTTPS. Leave blank to use the Jetty default or specify any combination of the following suites: - ``TLS_AES_256_GCM_SHA384`` - ``TLS_CHACHA20_POLY1305_SHA256`` - ``TLS_AES_128_GCM_SHA256`` - ``TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`` - ``TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`` - ``TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`` - ``TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`` - ``TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`` - ``TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`` Using another cipher suite name causes |c3| to fail to start. Ciphers listed `here `__ are not supported. Do not use them. * Type: list * Default: "" (Jetty default) * Importance: low confluent.controlcenter.rest.ssl.endpoint.identification.algorithm ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Used for HTTPS. The endpoint identification algorithm to validate the server hostname using the server certificate. Leave blank to use the Jetty default. * Type: string * Default: https * Importance: low confluent.controlcenter.use.default.jvm.truststore ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enable |c3-short| to fallback to use the default JVM trust store. * Type: string * Default: false * Importance: low confluent.controlcenter.use.default.os.truststore ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enable |c3-short| to fallback to use the default operating system trust store. * Type: string * Default: false * Importance: low .. _controlcenter_configuration_encryption: .. 
_kafka_encryption_authentication_authorization_settings: Security for |cp| components settings ------------------------------------- The following optional settings control TLS encryption between |c3-short| and |cp| components or features. You can also configure Basic authentication for |sr|. You should configure these settings if you have configured your |ak| cluster with these security features. For TLS, you can choose to configure each component separately, or set a single store. - :ref:`Streams` - :ref:`Schema Registry` - :ref:`Connect` - :ref:`ksqlDB` - :ref:`single-store` .. _controlcenter_monitoring: Streams security settings ------------------------- These optional settings are the standard |ak| authentication and authorization settings prefixed with ``confluent.controlcenter.streams.``. confluent.controlcenter.streams.security.protocol ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Protocol used to communicate with brokers. Valid values are: ``PLAINTEXT``, ``SSL``, ``SASL_PLAINTEXT``, and ``SASL_SSL``. * Type: string * Default: ``PLAINTEXT`` * Importance: low confluent.controlcenter.streams.ssl.keystore.location ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The location of the keystore file. * Type: string * Default: "" * Importance: low confluent.controlcenter.streams.ssl.keystore.password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The store password for the keystore file. * Type: string * Default: "" * Importance: low confluent.controlcenter.streams.ssl.key.password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The password of the private key in the keystore file. * Type: string * Default: "" * Importance: low confluent.controlcenter.streams.ssl.truststore.location ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The location of the truststore file. 

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.streams.ssl.truststore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The password for the truststore file.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.streams.sasl.mechanism
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

SASL mechanism used for client connections. This may be any mechanism for which a security provider is available. GSSAPI is the default mechanism.

* Type: string
* Default: GSSAPI
* Importance: low

confluent.controlcenter.streams.sasl.kerberos.service.name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The Kerberos principal name that |ak| runs as. This can be defined either in |ak|'s JAAS config or in |ak|'s config.

* Type: string
* Default: null
* Importance: low

.. _controlcenter_sr:

|sr| security settings
----------------------

These |sr| settings are optional. To enable TLS for |sr|, specify the following set of properties:

- ``confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location``
- ``confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password``
- ``confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location``
- ``confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password``
- ``confluent.controlcenter.schema.registry.schema.registry.ssl.key.password``
- ``confluent.controlcenter.schema.registry.schema.registry.alias.name``

confluent.controlcenter.schema.registry.basic.auth.credentials.source
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Defines how to select the credentials for HTTP Basic Authentication header for a single |sr| cluster, or the first |sr| in a multi-cluster |sr| deployment. The supported values are URL, USER_INFO, and SASL_INHERIT.

* Type: string
* Default: URL
* Importance: medium

.. note::

   Specifying ``control.center.schema.registry.basic.auth.credentials.source``, as shown, passes ``basic.auth.credentials.source`` to the |sr| client.

confluent.controlcenter.schema.registry..basic.auth.credentials.source
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Defines how to pick the credentials for HTTP Basic Authentication header on a |sr| cluster in a multi-cluster |sr| deployment. The supported values are URL, USER_INFO, and SASL_INHERIT.

* Type: string
* Default: URL
* Importance: medium

confluent.controlcenter.schema.registry.basic.auth.user.info
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies the user credentials for HTTP Basic Authentication in the form of ``{username}:{password}`` for a single |sr| cluster, or the first |sr| cluster in a multi-cluster |sr| deployment.

* Type: string
* Default: ""
* Importance: medium

confluent.controlcenter.schema.registry..basic.auth.user.info
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies the user credentials for HTTP Basic Authentication in the form of ``:`` for |sr| clusters in a multi-cluster |sr| deployment (associated with the URL fields by ````).

* Type: string
* Default: ""
* Importance: medium

confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The location of the truststore file for |sr|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The password for the truststore file for |sr|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The location of the keystore file for |sr|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The store password for the keystore file for |sr|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.schema.registry.schema.registry.ssl.key.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The password of the private key in the keystore file for |sr|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.schema.registry.schema.registry.alias.name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies an alias for the certificate |sr| uses during mTLS. Use the following format to specify ```` as an alias.

::

    confluent.controlcenter.schema.registry.schema.registry.alias.name=

If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.

* Type: string
* Default: ""
* Importance: low

.. _controlcenter_connect:

|kconnect| security settings
----------------------------

These |kconnect| settings are optional. To enable TLS for |kconnect|, specify the following set of properties:

- ``confluent.controlcenter.connect.connect.ssl.truststore.location``
- ``confluent.controlcenter.connect.connect.ssl.truststore.password``
- ``confluent.controlcenter.connect.connect.ssl.keystore.location``
- ``confluent.controlcenter.connect.connect.ssl.keystore.password``
- ``confluent.controlcenter.connect.connect.ssl.key.password``
- ``confluent.controlcenter.connect.connect.alias.name``

confluent.controlcenter.connect..basic.auth.user.info
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies the user credentials for |c3-short| to communicate with a |kconnect| cluster configured for HTTP Basic Authentication.
The name of the |kconnect| cluster appears in the configuration (````) and credentials use this form: ``:``

Without this configuration for |kconnect| clusters using HTTP Basic Authentication, |c3-short| cannot display Connectors in the cluster. For more information, see :ref:`control-center-client-basic-auth`.

.. tip::

   Versions of |c3-short| prior to 7.2 did not require this configuration. If you are upgrading and using HTTP Basic Authentication with |kconnect|, you must use this configuration.

* Type: string
* Default: ""
* Importance: medium

confluent.controlcenter.connect.connect.ssl.truststore.location
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The location of the truststore file for |kconnect|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.connect.connect.ssl.truststore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The stored password for the truststore for |kconnect|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.connect.connect.ssl.keystore.location
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The location of the keystore file for |kconnect|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.connect.connect.ssl.keystore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The store password for the keystore file for |kconnect|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.connect.connect.ssl.key.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The password of the private key in the keystore file for |kconnect|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.connect.connect.alias.name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies an alias for the certificate |kconnect| uses during mTLS. Use the following format to specify ```` as an alias.

::

    confluent.controlcenter.connect.connect.alias.name=

If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.

* Type: string
* Default: ""
* Importance: low

.. _controlcenter_ksql:

|ksqldb| security settings
--------------------------

These |ksqldb| settings are optional. To enable TLS for |ksqldb|, specify the following set of properties:

- ``confluent.controlcenter.ksql.ksql.ssl.truststore.location``
- ``confluent.controlcenter.ksql.ksql.ssl.truststore.password``
- ``confluent.controlcenter.ksql.ksql.ssl.keystore.location``
- ``confluent.controlcenter.ksql.ksql.ssl.keystore.password``
- ``confluent.controlcenter.ksql.ksql.ssl.key.password``
- ``confluent.controlcenter.ksql.ksql.alias.name``

confluent.controlcenter.ksql..basic.auth.user.info
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies the user credentials for HTTP Basic Authentication in the form of ``:`` for |ksqldb| clusters associated with the URL fields by ````.

* Type: string
* Default: ""
* Importance: medium

confluent.controlcenter.ksql.ksql.ssl.truststore.location
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The location of the truststore file for |ksqldb|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.ksql.ksql.ssl.truststore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The stored password for the truststore file for |ksqldb|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.ksql.ksql.ssl.keystore.location
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The location of the keystore file for |ksqldb|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.ksql.ksql.ssl.keystore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The stored password for the keystore file for |ksqldb|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.ksql.ksql.ssl.key.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The password of the private key in the keystore file for |ksqldb|.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.ksql.ksql.alias.name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Specifies an alias for the certificate |ksqldb| uses during mTLS. Use the following format to specify ```` as an alias.

::

    confluent.controlcenter.ksql.ksql.alias.name=

If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.

* Type: string
* Default: ""
* Importance: low

.. _single-store:

Single proxy server store security settings
-------------------------------------------

Instead of specifying TLS settings for each component, you have the option to specify that |c3| use a single proxy server truststore and keystore that contain all the TLS settings for all the components.

confluent.controlcenter.rest.proxy.ssl.truststore.location
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The location of the truststore file.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.rest.proxy.ssl.truststore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The stored password for the truststore file.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.rest.proxy.ssl.keystore.location
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The location of the keystore file.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.rest.proxy.ssl.keystore.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The stored password for the keystore file.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.rest.proxy.ssl.key.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The password of the private key in the keystore file.

* Type: string
* Default: ""
* Importance: low

.. _c3_RBAC_settings:

RBAC settings
-------------

Metadata Service (MDS) and other optional settings required for implementing RBAC in |c3-short|. For a complete configuration example of essential settings, see :ref:`controlcenter_security_rbac`.

confluent.metadata.bootstrap.server.urls
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A comma-separated list of valid URLs that specify where the RBAC metadata server or servers can be reached. This configuration is required to run |c3-short| inside an RBAC environment.

* Type: long
* Default: 0
* Importance: low

confluent.metadata.basic.auth.user.info
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Formatted as ``USERNAME:PASSWORD``, the credentials of an RBAC user for |c3-short| to act on behalf of. This includes running |kstreams|, authorizing requests, and interacting with other |cp| services. This configuration is required to run |c3-short| inside an RBAC environment.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.auth.bearer.issuer
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

JWT token issuer.

* Type: string
* Default: ""
* Importance: low

public.key.path
^^^^^^^^^^^^^^^

Path to public key for authenticating JWT tokens.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.auth.bearer.roles.claim
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

JWT roles claim.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.mds.client.max.requests.queued.per.destination
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The number of requests that can be queued for the |c3-short| MDS client used with RBAC. You can increase this property value to increase queue capacity, but you should not lower the value.
Consider adjusting this value if you receive a :ref:`max-requests-exceeded` error.

* Type: int
* Default: 1024
* Importance: low

confluent.controlcenter.mds.client.idle.timeout
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The number of seconds before an idle connection to the |c3-short| MDS client used with RBAC times out. You can reduce this property value to help reduce the number of connections left in a ``CLOSE_WAIT`` state.

* Type: int
* Default: 30
* Importance: low

.. _cluster_registry_settings:

Cluster Registry settings
-------------------------

Version 6.0.1 of |cp| and later includes optional settings to enable the :ref:`cluster-registry` for |c3-short|, which creates a more user-friendly RBAC role binding experience and enables centralized audit logging.

confluent.metadata.cluster.registry.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The value for this flag is **True** if the |CR| is enabled. When enabled, cluster information will be read from the |CR|.

* Type: boolean
* Default: false

.. note::

   If this feature flag is enabled, the following flags will be ignored:

   - ``confluent.controlcenter.kafka..bootstrap.servers``
   - ``confluent.controlcenter.kafka..``

   An exception to this rule occurs when you need to specify additional flags, such as ``confluent.controlcenter.kafka..ssl.keystore.location``.

confluent.metadata.cluster.registry.merge.configuration.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

When enabled, the configuration information for |ak| clusters in the properties file is merged with the one from |CR|. This enables users to configure additional properties that cannot be added to |CR| (for example, ``confluent.controlcenter.kafka..ssl.keystore.location``).

* Type: boolean
* Default: true

confluent.controlcenter.purge.stale.cluster.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

When enabled, |c3-short| will purge stale cluster information from the command store.

* Type: boolean
* Default: false

.. _email_settings:

Email settings
--------------

These optional settings control the SMTP server and account used when an :ref:`alert ` triggers the :ref:`email action `.

.. important::

   The body of the email alert is populated with the first hostname specified in the ``confluent.controlcenter.rest.listeners`` property. The default value is ``localhost:9021``.

confluent.controlcenter.mail.enabled
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable email alerts. If this setting is false, you cannot add email alert actions in the web user interface.

* Type: boolean
* Default: false
* Importance: low

confluent.controlcenter.mail.host.name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Hostname of outgoing SMTP server.

* Type: string
* Default: localhost
* Importance: low

confluent.controlcenter.mail.port
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

SMTP port open on ``confluent.controlcenter.mail.host.name``.

* Type: int
* Default: 587
* Importance: low

confluent.controlcenter.mail.ssl.checkserveridentity
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Forces the use of TLS and validation of the server's certificate. Enabling this flag causes |c3-short| to use the port set by ``confluent.controlcenter.mail.ssl.port`` instead of ``confluent.controlcenter.mail.port``.

* Type: boolean
* Default: false
* Importance: low

confluent.controlcenter.mail.ssl.port
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

SSL-specific SMTP port to open on ``confluent.controlcenter.mail.host.name``. Setting ``confluent.controlcenter.mail.ssl.checkserveridentity`` to ``true`` forces the use of this port and not the ``confluent.controlcenter.mail.port``.

* Type: int
* Default: 465
* Importance: low

confluent.controlcenter.mail.from
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The originating address for emails sent from |c3-short|.

* Type: string
* Default: c3@confluent.io
* Importance: low

confluent.controlcenter.mail.bounce.address
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Override for ``confluent.controlcenter.mail.from`` config to send message bounce notifications.

* Type: string
* Importance: low

confluent.controlcenter.mail.starttls.required
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Forces using STARTTLS.

* Type: boolean
* Default: false
* Importance: low

confluent.controlcenter.mail.username
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Username for username/password authentication. Authentication with your SMTP server is performed only if this value is set.

* Type: string
* Importance: low

confluent.controlcenter.mail.password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Password for username/password authentication.

* Type: string
* Importance: low

.. _webhook_settings:

Webhook settings
----------------

This setting is optional.

confluent.controlcenter.webhook.enabled
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable supported webhook alerts. If this setting is false, you cannot add webhook alert actions in the web user interface.

* Type: boolean
* Default: true
* Importance: low

.. _controlcenter_access_control_settings:

Feature settings
----------------

These optional settings enable |c3| features such as message inspection, broker configurations, license manager, :ref:`ksql_home`, and |sr|. They apply to all clusters managed by the current |c3-short| installation. Most features are enabled by default except the deprecated views for legacy System Health and Streams Monitoring.

.. Health+ will have a default false value ^

confluent.controlcenter.topic.inspection.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable users to :ref:`inspect topics `.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.broker.config.edit.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable user access to :ref:`edit_broker_config`.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.license.manager.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable :ref:`License Manager ` in |c3-short|.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.consumers.view.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable the :ref:`Consumers ` view in |c3-short|.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.ksql.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable user access to the :ref:`ksqlDB GUI `.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.schema.registry.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable user access to :ref:`topicschema`.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.ui.autoupdate.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable :ref:`auto updating ` the |c3-short| UI.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.usage.data.collection.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Data collection is disabled, and this property has no effect regardless of its value. Enable or disable data collection in |c3-short|.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.ui.replicator.monitoring.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable :ref:`Replicator monitoring` in the |c3-short| UI.

* Type: boolean
* Default: true
* Importance: low

confluent.controlcenter.ui.controller.chart.enable
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable the Active Controller chart to display within the :ref:`Broker uptime panel ` in the |c3-short| UI.

* Type: boolean
* Default: false
* Importance: low

.. _controlcenter_ksql_settings:

|ksqldb| settings
-----------------

You can use these optional settings to use |c3-short| to interact with :ref:`ksqlDB Server `, which runs separately from your |ak| clusters.
For access control configuration related to |ksqldb|, see :ref:`controlcenter_access_control_settings`.

confluent.controlcenter.ksql..advertised.url
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Comma-separated list of advertised URLs to access the |ksqldb| cluster on |c3-short|. Replace ```` with the name |c3-short| should use to identify this |ksqldb| cluster. By default, this is set to the value specified in ``confluent.controlcenter.ksql..url``. These hostnames must be reachable from any browser that will use the |ksqldb| web interface in |c3-short|. For example, if |ksqldb| is communicating over an internal DNS that is not externally resolvable or routable (for example, if running in Docker for Mac), then the advertised URL must be set so that the browser can resolve the externally available DNS that |ksqldb| is available at. For more information, see :ref:`integrate-ksql-with-confluent-control-center`.

* Type: list
* Default: ""
* Importance: low

confluent.controlcenter.ksql..url
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Comma-separated list of the |ksqldb| server hostnames and listener ports for the |ksqldb| cluster specified by ````. By default, this is empty. These hostnames must be reachable from the machine |c3-short| is installed on. For more information, see :ref:`integrate-ksql-with-confluent-control-center`.

* Type: list
* Default: ""
* Importance: low

confluent.controlcenter.ksql.advertised.url
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecated. The advertised URL to access the |ksqldb| cluster on |c3-short|. By default, this is set to the value specified in ``confluent.controlcenter.ksql.url``.

* Type: string
* Default: ""
* Importance: low

confluent.controlcenter.ksql.url
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecated. The |ksqldb| server hostname and listener port. This is deprecated by ``confluent.controlcenter.ksql..url``.
If this deprecated configuration is supplied, then |c3-short| will ignore any named |ksqldb| configurations.

* Type: string
* Default: ""
* Importance: low

.. _internal_streams_settings:

Internal |kstreams| settings
----------------------------

Because |c3-short| reads and writes data to |ak|, you are allowed to change some optional settings for producer and consumer configurations.

.. caution::

   Changing these values is not recommended unless advised by Confluent Support.

Some examples of values used internally are given. These settings map 1:1 with producer/consumer configs used internally by |c3-short| and all use the prefix ``confluent.controlcenter.streams.{producer,consumer}.``.

confluent.controlcenter.streams.num.stream.threads
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The number of threads to execute stream processing.

* Type: int
* Default: 12
* Importance: low

confluent.controlcenter.streams.producer.compression.type
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Compression type to use on internal topic production.

* Type: string
* Default: lz4
* Importance: low

confluent.controlcenter.streams.producer.retries
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Number of retries in case of production failure.

* Type: int
* Default: maximum integer (effectively infinite)
* Importance: low

confluent.controlcenter.streams.producer.retry.backoff.ms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Time to wait before retrying in case of production failure.

* Type: long
* Default: 100
* Importance: low

confluent.controlcenter.streams.ssl.cipher.suites
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS. By default, all of the available cipher suites are supported.

* Type: list
* Default: null
* Importance: low

confluent.controlcenter.streams.ssl.enabled.protocols
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The comma-separated list of protocols enabled for TLS connections. The default value is ``TLSv1.2,TLSv1.3`` when running with Java 11 or later, ``TLSv1.2`` otherwise. With the default value for Java 11 (``TLSv1.2,TLSv1.3``), |ak| clients and brokers prefer TLSv1.3 if both support it, and fall back to TLSv1.2 otherwise (assuming both support at least TLSv1.2).

* Type: list
* Default: ``TLSv1.2,TLSv1.3``
* Importance: medium

confluent.controlcenter.streams.task.timeout.ms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The maximum amount of time, in milliseconds, a task will wait due to internal errors and retry the task before an external error is raised. Replaces the deprecated ``confluent.controlcenter.streams.retries`` setting. If the timeout value is set to 0 ms, a task would raise an external error when the first internal error occurs. For any timeout value larger than 0 ms, a task retries at least once before an error is raised.

* Type: int
* Default: 0
* Importance: medium

Internal Command settings
-------------------------

These settings are optional. The command topic is used to store internal configuration data for |c3-short|.

.. note::

   For multiple instances of |c3-short| using the same |ak| cluster for monitoring purposes, it may be helpful to use separate metrics and command topics (if each |c3-short| installation is monitoring different |ak| clusters).

The command topic reuses the defaults/overrides for :ref:`Kafka Streams`, but allows the following overrides.

confluent.controlcenter.command.topic
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Topic used to store |c3-short| configuration.

* Type: string
* Default: _confluent-command
* Importance: low

confluent.controlcenter.command.topic.replication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Replication factor for command topic.

.. important::

   Reducing the replication value is not recommended, except in a development environment.

* Type: int
* Default: 3
* Importance: low

confluent.controlcenter.command.topic.retention.ms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Maximum time in milliseconds that command data is stored in |ak|. For more information, see :ref:`data retention `.

* Type: long
* Default: 86,400,000 (1 day)
* Importance: low

Consumer Group settings
-----------------------

This setting is optional. If you find that the Consumer Group page is not returning data, you can change the timeout value for the page. The default value is 15 seconds (or 15000 milliseconds); try increasing the value to 30 seconds (30000 milliseconds) if you are having timeout issues.

confluent.controlcenter.consumer.metadata.timeout.ms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Time to wait when attempting to retrieve Consumer Group metadata.

* Type: int
* Default: 15,000
* Importance: low

Related content
---------------

- For details on configuring authentication, see the :ref:`UI Authentication ` guide.
- To configure TLS settings when |c3-short| acts as a proxy server to other |cp| components, see :ref:`controlcenter_security_ssl`.
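
Several settings in this reference interact: a cipher suite name outside the listed set stops |c3| from starting, and the documented defaults do not force TLS for broker or SMTP connections. The following audit script is an added example, not part of the original reference or of Confluent's tooling; the sample files, hostnames and the |ksqldb| cluster name ``demo`` are constructed, and the parser is an assumption that handles only simple ``key=value`` lines.

```python
import re

# Cipher suites this reference lists as accepted for the HTTPS listener.
ALLOWED_REST_CIPHERS = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
P = "confluent.controlcenter."
# Matches the per-cluster ksqlDB credential key; group 1 is the cluster name.
KSQL_AUTH = re.compile(re.escape(P) + r"ksql\.([^.]+)\.basic\.auth\.user\.info$")


def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comments.
    Line continuations and escapes are not handled (simplification)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _is_true(props, key):
    return props.get(key, "false").lower() == "true"


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(props):
    """Return a list of (severity, key, message) findings."""
    findings = []
    key = P + "rest.ssl.cipher.suites"
    for suite in _csv(props.get(key, "")):
        if suite not in ALLOWED_REST_CIPHERS:
            findings.append(("error", key,
                             f"{suite} is not a listed suite; startup will fail"))
    key = P + "streams.security.protocol"
    proto = props.get(key, "PLAINTEXT").upper()  # documented default
    if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
        findings.append(("warn", key, f"{proto}: broker traffic is not TLS-encrypted"))
    key = P + "streams.ssl.enabled.protocols"
    for version in _csv(props.get(key, "TLSv1.2,TLSv1.3")):
        if version not in ("TLSv1.2", "TLSv1.3"):
            findings.append(("warn", key,
                             f"{version} is outside the documented default"))
    # SMTP login without either flag that forces TLS.
    if _is_true(props, P + "mail.enabled") and props.get(P + "mail.username"):
        forced = (_is_true(props, P + "mail.ssl.checkserveridentity")
                  or _is_true(props, P + "mail.starttls.required"))
        if not forced:
            findings.append(("warn", P + "mail.username",
                             "SMTP login is set but TLS is not forced"))
    # Basic Authentication credentials paired with an http:// ksqlDB URL.
    for key, value in props.items():
        match = KSQL_AUTH.match(key)
        if match and value:
            urls = _csv(props.get(f"{P}ksql.{match.group(1)}.url", ""))
            if any(u.lower().startswith("http://") for u in urls):
                findings.append(("warn", key,
                                 "credentials are sent to an http:// URL"))
    return findings


# Constructed sample files, not taken from a real deployment.
WEAK = """\
confluent.controlcenter.rest.ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA
confluent.controlcenter.streams.security.protocol=SASL_PLAINTEXT
confluent.controlcenter.streams.ssl.enabled.protocols=TLSv1.1,TLSv1.2
confluent.controlcenter.mail.enabled=true
confluent.controlcenter.mail.username=alerts
confluent.controlcenter.ksql.demo.url=http://ksql.example.internal:8088
confluent.controlcenter.ksql.demo.basic.auth.user.info=c3:example-only
"""
HARDENED = """\
confluent.controlcenter.rest.ssl.cipher.suites=TLS_AES_256_GCM_SHA384
confluent.controlcenter.streams.security.protocol=SASL_SSL
confluent.controlcenter.streams.ssl.enabled.protocols=TLSv1.2,TLSv1.3
confluent.controlcenter.mail.enabled=true
confluent.controlcenter.mail.username=alerts
confluent.controlcenter.mail.starttls.required=true
confluent.controlcenter.ksql.demo.url=https://ksql.example.internal:8088
confluent.controlcenter.ksql.demo.basic.auth.user.info=c3:example-only
"""

if __name__ == "__main__":
    for severity, key, message in audit(parse_properties(WEAK)):
        print(f"{severity:5} {key}: {message}")
```

An empty properties file still produces one warning, because the documented default for ``confluent.controlcenter.streams.security.protocol`` is ``PLAINTEXT``.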