Control Center UI Authentication

User login is available using HTTP Basic Authentication that is pluggable using JAAS. All of the configuration options are documented here.

To configure Control Center authentication:

1. Specify the following options in control-center.properties:

   confluent.controlcenter.rest.authentication.method=BASIC
   confluent.controlcenter.rest.authentication.realm=c3
   confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
   confluent.controlcenter.auth.restricted.roles=Restricted
   

2. Create a JAAS file (propertyfile.jaas) similar to the following–note that the authentication realm is Control Center (c3):

   c3 {
       org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
       file="/password.properties";
   };
   

   Your password file in password.properties should look similar to the following:

   bob: <bob_password>,Administrators
   alice: <alice_password>,Restricted
   

3. Start Control Center to use the JAAS configuration:

   CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/propertyfile.jaas" control-center-start /control-center.properties
   

After you are granted access to Control Center, you are prompted for sign-in credentials. Logging in as bob:<bob_password> provides read and write access. Logging in as alice:<alice_password> provides read-only access.

UI HTTPS

HTTPS is supported for web access to Confluent Control Center. To enable HTTPS, you must first add an HTTPS listener in the Control Center properties file using the confluent.controlcenter.rest.listeners parameter. You must also set the appropriate SSL configuration options. If you haven’t already, this would be a good time to create SSL keys and certificates.

An example of the necessary additions to control-center.properties are shown below:

confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
confluent.controlcenter.rest.ssl.keystore.location=/var/private/ssl/kafka.control-center.keystore.jks
confluent.controlcenter.rest.ssl.keystore.password=test1234
confluent.controlcenter.rest.ssl.key.password=test1234
confluent.controlcenter.rest.ssl.truststore.location=/var/private/ssl/kafka.control-center.truststore.jks
confluent.controlcenter.rest.ssl.truststore.password=test1234

   curl -vvv -X GET --tlsv1.2 https://localhost:9022
#for cases when using a self-signed certificate
   curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022

See also

For an example that shows this in action, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml for a configuration reference.

Authorization with Kafka ACLs

Standard Apache Kafka® authentication, authorization, and encryption options are available for control center and interceptors. You can use this script to create the ACLs that are required by Control Center to operate on an authorized cluster. This script must be run before you start Control Center:

export PRINCIPAL=User:username
export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/kafka_jaas.conf"
bin/control-center-set-acls config/control-center.properties

You will also need to export a Control Center JAAS config before starting Control Center.

export PRINCIPAL=User:username
export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=/path/to/c3_jaas.conf'
bin/control-center-start config/control-center.properties