Control Center Configuration Reference

Base Settings

You can configure Confluent Control Center through a configuration file that is passed to Control Center on start. A sample configuration is included at etc/confluent-control-center/control-center.properties. Parameters are provided in the form of key/value pairs. Lines beginning with # are ignored.

bootstrap.servers

A list of host/port pairs to use for establishing the initial connection to the Apache Kafka® cluster. The client will make use of all servers irrespective of which servers are specified here for bootstrapping; this list only impacts the initial hosts used to discover the full set of servers. This list should be in the form host1:port1,host2:port2,.... Since these servers are just used for the initial connection to discover the full cluster membership (which may change dynamically), this list need not contain the full set of servers (you may want more than one, though, in case a server is down).

  • Type: list
  • Default: "localhost:9092"
  • Importance: high
confluent.license

Confluent issues an enterprise license key to each subscriber, allowing the subscriber to unlock the full functionality of Control Center. The license key is text that you can copy and paste. Paste the license key as the value for confluent.license. You can also manage the license in the Control Center web interface.

A trial license allows using Control Center for a 30-day trial period. A developer license allows using Control Center and other Confluent Platform proprietary components indefinitely for single-broker development environments. Trial and developer licenses are shipped with Confluent Platform.

See Managing Confluent Platform Licenses for more details.

If you are a subscriber, please contact Confluent Support for more information about obtaining another valid enterprise license before it expires. confluent.controlcenter.license is a deprecated synonym for this configuration key.

  • Type: string
  • Default: None
  • Importance: high

Production Settings

In production, you should run Control Center in a cluster that is separate from the Kafka clusters being monitored. Set the following configuration parameters in the Kafka clusters being monitored.

confluent.controlcenter.streams.cache.max.bytes.buffering

Maximum number of memory bytes used for record caches across all threads.

Tip

Consider setting this config value proportional to the total num.partitions. Here is an example computation:

  • Each per-partition metric is stored as a key-value pair that consists of "topic-string, partition-id, cluster-name". Control Center compacts the values as four long variables, recording the min, max, count, and total.
  • X is the total number of topic partitions; Control Center collects seven per-partition metrics for each.
  • Control Center uses eight threads by default.

The total cache size should be:

X (topic partitions) * 7 (per-partition metrics) * 8 (number of threads) * 150 (average bytes per metric).

For example, with 100000 topic partitions, the cache size should be 820000000 bytes.

  • Type:
  • Default: 10485760 bytes
  • Importance: high
confluent.controlcenter.kafka.<name>.bootstrap.servers

Bootstrap servers for any additional Kafka cluster being monitored. Replace <name> with the name Control Center should use to identify this cluster. For example, using confluent.controlcenter.kafka.production-nyc.bootstrap.servers, Control Center will show the additional cluster with the name production-nyc in the cluster list.

  • Type: list
  • Default: []
  • Importance: high
confluent.controlcenter.kafka.<name>.<connection config>

Any additional connection configuration required to connect to the Kafka cluster identified by <name> can be specified using the confluent.controlcenter.kafka.<name>. prefix. For example, to specify the security.protocol=SASL_SSL configuration for the cluster named production-nyc, add confluent.controlcenter.kafka.production-nyc.security.protocol=SASL_SSL to the configuration.

  • Importance: medium
confluent.controlcenter.connect.bootstrap.servers

Bootstrap servers for Kafka cluster backing the Connect cluster. If left unspecified, falls back to the bootstrap.servers setting.

  • Type: list
  • Default: []
  • Importance: medium

Logging

By default, Control Center outputs its logs to stdout. Logging configuration is defined in etc/confluent-control-center/log4j.properties. Confluent also provides etc/confluent-control-center/log4j-rolling.properties as an example of setting up Control Center with rolling log files that may be easier to manage. You can select your desired log4j config by setting the CONTROL_CENTER_LOG4J_OPTS environment variable when starting Control Center.

Optional Settings

Confluent allows you to change some other parameters that change how Control Center behaves, such as internal topic names, data file locations, and replication settings. The default values for most of these settings are suitable for production use, but you can change these if needed.

General

confluent.controlcenter.connect.<name>.cluster

Comma-separated list of Connect worker URLs for the Connect cluster specified by <name>. Control Center will connect to a single worker, and if a worker fails it will try the request against a different worker. This must be set if you wish to manage a connect cluster.

  • Type: list
  • Default: []
  • Importance: high
confluent.controlcenter.connect.cluster

DEPRECATED: Comma-separated list of Connect worker URLs within a single cluster. This is deprecated by confluent.controlcenter.connect.<name>.cluster. If this deprecated configuration is supplied, then Control Center will ignore any named Connect cluster configurations.

  • Type: list
  • Default: []
  • Importance: low
confluent.controlcenter.data.dir

Location for Control Center specific data. Although the data stored in this directory can be recomputed, doing so is expensive and can affect the availability of Control Center's stream monitoring functionality. For production, you should set this to a durable location.

  • Type: path
  • Default: "/var/lib/confluent-control-center"
  • Importance: high
confluent.controlcenter.rest.listeners

Comma-separated list of listeners that listen for API requests over either http or https. If a listener uses https, the appropriate SSL configuration parameters need to be set as well. The first value will be used as a Control Center link in the body of eligible alert emails sent from Control Center. For details, see Alerts History.

confluent.controlcenter.rest.advertised.url

Externally visible host. Control Center uses this as an override to rest.listeners when generating URLs for external communications, e.g. emails.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.schema.registry.url

Schema Registry URL. For more information, see the Schema Registry documentation.

confluent.controlcenter.id

Identifier used as a prefix so that multiple instances of Control Center can co-exist.

  • Type: string
  • Default: "1"
  • Importance: low
confluent.controlcenter.name

Control Center Name

  • Type: string
  • Default: "_confluent-controlcenter-5.3.0"
  • Importance: low
confluent.controlcenter.internal.topics.partitions

Number of partitions used internally by Control Center.

  • Type: integer
  • Default: 4
  • Importance: low
confluent.controlcenter.internal.topics.replication

Replication factor used internally by Control Center. It is not recommended to reduce this value except in a development environment.

  • Type: integer
  • Default: 3
  • Importance: low
confluent.controlcenter.internal.topics.retention.ms

Maximum time in milliseconds that internal data is stored in Kafka.

  • Type: long
  • Default: 86400000
  • Importance: low
confluent.controlcenter.internal.topics.changelog.segment.bytes

Segment size in bytes for internal changelog topics in Kafka. This must be as small as broker settings log.cleaner.dedupe.buffer.size / log.cleaner.threads to guarantee enough space in the broker's dedupe buffer for compaction to work.

  • Type: long
  • Default: 134217728
  • Importance: low
confluent.metrics.topic

Topic from which metrics data will be read.

  • Type: string
  • Default: "_confluent-metrics"
  • Importance: low
confluent.metrics.topic.replication

Replication factor for metrics topic. It is not recommended to reduce this value except in a development environment.

  • Type: int
  • Default: 3
  • Importance: low
confluent.metrics.topic.partitions

Partition count for metrics topic

  • Type: int
  • Default: 12
  • Importance: low
confluent.metrics.topic.skip.backlog.minutes

Skip backlog older than x minutes ago for broker metrics data. Set this to 0 if you want to process from the latest offsets. This config overrides confluent.controlcenter.streams.consumer.auto.offset.reset (deprecated) for the metrics input topic.

  • Type: long
  • Default: 15
confluent.controlcenter.disk.skew.warning.min.bytes

Threshold for the max difference in disk usage across all brokers before disk skew warning is published.

  • Type: long
  • Default: 1073741824
  • Importance: low
confluent.controlcenter.max.trigger.events.per.alert.config

The maximum number of trigger events in one alert.

  • Type: int
  • Default: 1000
  • Importance: low
confluent.support.metrics.enable

Enable support metrics collection.

  • Type: boolean
  • Default: true
confluent.controlcenter.alert.cluster.down.autocreate

Auto create a trigger and an email action for Control Center's cluster down alerts.

  • Type: boolean
  • Default: false
  • Importance: low
confluent.controlcenter.alert.cluster.down.to.email

Email to send alerts to when Control Center's cluster is down.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.alert.cluster.down.to.webhookurl.slack

The Slack webhook URL to post alerts to when Control Center's cluster is down.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.alert.cluster.down.to.pagerduty.integration.key

The PagerDuty integration key to post alerts to a certain service when Control Center's cluster is down.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.alert.cluster.down.send.rate

Send rate per hour for auto-created cluster down alerts. Default: 12 times per hour (every 5 minutes).

  • Type: int
  • Default: 12
  • Importance: low

Monitoring Settings

These optional settings are for the Stream Monitoring functionality. The default settings work for the majority of use cases and scales.

confluent.monitoring.interceptor.topic

The Kafka topic that stores monitoring interceptor data. This setting must match the confluent.monitoring.interceptor.topic configuration used by the interceptors in your application. Usually you should not change this setting unless you are running multiple instances of Control Center with client monitoring interceptor data being reported to the same Kafka cluster.

  • Type: string
  • Default: "_confluent-monitoring"
  • Importance: high
confluent.monitoring.interceptor.topic.partitions

Number of partitions for the monitoring interceptor data topic.

  • Type: integer
  • Default: 12
  • Importance: low
confluent.monitoring.interceptor.topic.replication

Replication factor for monitoring topic. It is not recommended to reduce this value except in a development environment.

  • Type: int
  • Default: 3
  • Importance: low
confluent.monitoring.interceptor.topic.retention.ms

Maximum time that interceptor data is stored in Kafka.

  • Type: long
  • Default: None
  • Importance: low
confluent.monitoring.interceptor.topic.skip.backlog.minutes

Skip backlog older than x minutes ago for monitoring interceptor data. Set this to 0 if you want to process from the latest offsets. This config overrides confluent.controlcenter.streams.consumer.auto.offset.reset (deprecated) for the monitoring input topic.

  • Type: long
  • Default: 15
  • Importance: low

UI Authentication Settings

These optional settings allow you to enable and configure authentication for accessing the Control Center web interface. See the UI Authentication guide for more detail on configuring authentication.

confluent.controlcenter.rest.authentication.method

Authentication method to use. Available options: NONE, BASIC, BEARER.

Important

When RBAC is enabled in Control Center, the method must be BEARER. For more information, see Role-based access control (RBAC) in Confluent Control Center.

  • Type: string
  • Default: NONE
  • Importance: low
confluent.controlcenter.rest.authentication.realm

Realm to be used by Control Center when authenticating.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.rest.authentication.roles

Roles that are authenticated to access Control Center.

  • Type: string
  • Default: "*"
  • Importance: low
confluent.controlcenter.auth.restricted.roles

List of roles with limited access: users in these roles cannot edit or create using the UI. Any role here must also be added to confluent.controlcenter.rest.authentication.roles.

  • Type: list
  • Default: ""
  • Importance: low
confluent.controlcenter.auth.session.expiration.ms

Timeout in milliseconds after which a user session will have to be re-authenticated. Default is 0 (zero), which means authentication is done for every request.

RBAC Settings

Metadata Service (MDS) and other settings required for implementing RBAC in Control Center. For a complete configuration example of essential settings, see Role-based access control (RBAC) in Confluent Control Center.

confluent.controlcenter.metadata.urls

A comma-separated list of valid URLs that specify where the RBAC metadata server or servers can be reached. This configuration is required to run Control Center inside an RBAC environment.

  • Type: long
  • Default: 0
  • Importance: low
confluent.controlcenter.metadata.username

Username of an RBAC user for Control Center to act on behalf of. This includes running KafkaStreams, authorizing requests, and interacting with other Confluent Platform services. This configuration is required to run Control Center inside an RBAC environment.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.metadata.password

Password of an RBAC user for Control Center to act on behalf of. This includes running KafkaStreams, authorizing requests, and interacting with other Confluent Platform services. This configuration is required to run Control Center inside an RBAC environment.

  • Type: password
  • Default: ""
  • Importance: low
confluent.controlcenter.auth.bearer.issuer

JWT token issuer.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.auth.bearer.public.key.path

Path to public key for authenticating JWT tokens.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.auth.bearer.roles.claim

JWT roles claim.

  • Type: string
  • Default: ""
  • Importance: low

Email Settings

These optional settings control the SMTP server and account used when an alert triggers the email action.

Important

The body of the email alert is populated with the first hostname specified in the confluent.controlcenter.rest.listeners property. The default value is localhost:9021.

confluent.controlcenter.mail.enabled

Enable email alerts. If this setting is false, you cannot add email alert actions in the web user interface.

  • Type: boolean
  • Default: false
  • Importance: low
confluent.controlcenter.mail.host.name

Hostname of outgoing SMTP server.

  • Type: string
  • Default: localhost
  • Importance: low
confluent.controlcenter.mail.port

SMTP port open on confluent.controlcenter.mail.host.name.

  • Type: integer
  • Default: 587
  • Importance: low
confluent.controlcenter.mail.from

The originating address for emails sent from Control Center.

confluent.controlcenter.mail.bounce.address

Override for confluent.controlcenter.mail.from config to send message bounce notifications.

  • Type: string
  • Importance: low
confluent.controlcenter.mail.ssl.checkserveridentity

Forces validation of server's certificate when using STARTTLS or SSL.

  • Type: boolean
  • Default: false
  • Importance: low
confluent.controlcenter.mail.starttls.required

Forces using STARTTLS.

  • Type: boolean
  • Default: false
  • Importance: low
confluent.controlcenter.mail.username

Username for username/password authentication. Authentication with your SMTP server is performed only if this value is set.

  • Type: string
  • Importance: low
confluent.controlcenter.mail.password

Password for username/password authentication.

  • Type: string
  • Importance: low

Webhook Settings

confluent.controlcenter.webhook.enabled

Enable supported webhook alerts. If this setting is false, you cannot add webhook alert actions in the web user interface.

  • Type: boolean
  • Default: true
  • Importance: low

Kafka Encryption, Authentication, Authorization Settings

These settings control the authentication and authorization between Control Center and the Kafka cluster containing its data, including the Stream Monitoring and System Health metrics. You need to configure these settings if you have configured your Kafka cluster with any security features.

Note that these are the standard Kafka authentication and authorization settings prefixed with confluent.controlcenter.streams..

confluent.controlcenter.streams.security.protocol

Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL.

  • Type: string
  • Default: PLAINTEXT
  • Importance: low
confluent.controlcenter.streams.ssl.keystore.location

The location of the keystore file.

  • Type: string
  • Default: None
  • Importance: low
confluent.controlcenter.streams.ssl.keystore.password

The store password for the keystore file.

  • Type: string
  • Default: None
  • Importance: low
confluent.controlcenter.streams.ssl.key.password

The password of the private key in the keystore file.

  • Type: string
  • Default: None
  • Importance: low
confluent.controlcenter.streams.ssl.truststore.location

The location of the truststore file.

  • Type: string
  • Default: None
  • Importance: low
confluent.controlcenter.streams.ssl.truststore.password

The password for the truststore file.

  • Type: string
  • Default: None
  • Importance: low
confluent.controlcenter.streams.sasl.mechanism

SASL mechanism used for client connections. This may be any mechanism for which a security provider is available. GSSAPI is the default mechanism.

  • Type: string
  • Default: GSSAPI
  • Importance: low
confluent.controlcenter.streams.sasl.kerberos.service.name

The Kerberos principal name that Kafka runs as. This can be defined either in Kafka's JAAS config or in Kafka's config.

  • Type: string
  • Default: GSSAPI
  • Importance: low

Access Control Settings

These settings control access to features such as message inspection, broker configurations, license manager, KSQL, and Schema Registry. They apply to all clusters managed by the current Control Center installation. Most features are enabled by default, with the exception of deprecated views for legacy System Health and Streams Monitoring.

confluent.controlcenter.topic.inspection.enable

Enable users to inspect topics.

  • Type: boolean
  • Default: true
  • Importance: low
confluent.controlcenter.broker.config.edit.enable

Enable user access to Edit dynamic broker configuration settings.

  • Type: boolean
  • Default: true
  • Importance: low
confluent.controlcenter.license.manager.enable

Enable License Manager in Control Center.

  • Type: boolean
  • Default: true
  • Importance: low
confluent.controlcenter.consumers.view.enable

Enable the Consumers view in Control Center.

  • Type: boolean
  • Default: true
  • Importance: low
confluent.controlcenter.deprecated.views.enable

Enable deprecated Streams Monitoring and System Health views.

  • Type: boolean
  • Default: false
  • Importance: low

Note

RBAC must be disabled in Control Center to access the deprecated views.

confluent.controlcenter.ksql.enable

Enable user access to the KSQL UI.

  • Type: boolean
  • Default: true
  • Importance: low
confluent.controlcenter.schema.registry.enable

Enable user access to Manage Schemas for Topics.

  • Type: boolean
  • Default: true
  • Importance: low

HTTPS Settings

If you secure web access to Control Center with SSL, you may also need to configure the following parameters.

confluent.controlcenter.rest.listeners

Comma-separated list of listeners that listen for API requests over either http or https. If a listener uses https, the appropriate SSL configuration parameters need to be set as well. The first value will be used as a Control Center link in the body of eligible alert emails sent from Control Center. For details, see Alerts History.

confluent.controlcenter.rest.ssl.keystore.location

Used for https. Location of the keystore file to use for SSL.

Important

Jetty requires that the key's CN stored in the keystore must match the FQDN.

  • Type: string
  • Default: ""
  • Importance: high
confluent.controlcenter.rest.ssl.keystore.password

Used for https. The store password for the keystore file.

  • Type: password
  • Default: ""
  • Importance: high
confluent.controlcenter.rest.ssl.key.password

Used for https. The password of the private key in the keystore file.

  • Type: password
  • Default: ""
  • Importance: high
confluent.controlcenter.rest.ssl.truststore.location

Used for https. Location of the truststore. Required only to authenticate https clients.

  • Type: string
  • Default: ""
  • Importance: high
confluent.controlcenter.rest.ssl.truststore.password

Used for https. The store password for the truststore file.

  • Type: password
  • Default: ""
  • Importance: high
confluent.controlcenter.rest.ssl.keystore.type

Used for https. The type of keystore file.

  • Type: string
  • Default: "JKS"
  • Importance: medium
confluent.controlcenter.rest.ssl.truststore.type

Used for https. The type of truststore file.

  • Type: string
  • Default: "JKS"
  • Importance: medium
confluent.controlcenter.rest.ssl.protocol

Used for https. The SSL protocol used to generate the SslContextFactory.

  • Type: string
  • Default: "TLS"
  • Importance: medium
confluent.controlcenter.rest.ssl.provider

Used for https. The SSL security provider name. Leave blank to use Jetty's default.

  • Type: string
  • Default: "" (Jetty's default)
  • Importance: medium
confluent.controlcenter.rest.ssl.client.auth

Used for https. Whether or not to require the https client to authenticate via the server's truststore.

  • Type: boolean
  • Default: false
  • Importance: medium
confluent.controlcenter.rest.ssl.enabled.protocols

Used for https. The list of protocols enabled for SSL connections. Comma-separated list. Leave blank to use Jetty's defaults.

  • Type: list
  • Default: "" (Jetty's default)
  • Importance: medium
confluent.controlcenter.rest.ssl.keymanager.algorithm

Used for https. The algorithm used by the key manager factory for SSL connections. Leave blank to use Jetty's default.

  • Type: string
  • Default: "" (Jetty's default)
  • Importance: low
confluent.controlcenter.rest.ssl.trustmanager.algorithm

Used for https. The algorithm used by the trust manager factory for SSL connections. Leave blank to use Jetty's default.

  • Type: string
  • Default: "" (Jetty's default)
  • Importance: low
confluent.controlcenter.rest.ssl.cipher.suites

Used for https. A list of SSL cipher suites. Comma-separated list. Leave blank to use Jetty's defaults.

  • Type: list
  • Default: "" (Jetty's default)
  • Importance: low
confluent.controlcenter.rest.ssl.endpoint.identification.algorithm

Used for https. The endpoint identification algorithm to validate the server hostname using the server certificate. Leave blank to use Jetty's default.

  • Type: string
  • Default: https
  • Importance: low
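
The following is an added example, not part of Confluent's documentation: a small Python audit of a properties file against the defaults and constraints documented on this page for Kafka encryption, HTTPS listeners, UI authentication, RBAC, email alerts and deprecated keys. The finding names, sample values, hostnames and paths are constructed; the parser handles only plain key=value lines, and treating roles as comma-separated with "*" admitting every role is an assumption.

```python
import re

P = "confluent.controlcenter."
# Keys this reference marks as deprecated.
DEPRECATED = {P + "license", P + "connect.cluster", P + "ksql.url", P + "ksql.advertised.url"}
ENCRYPTED = {"SSL", "SASL_SSL"}

def parse_properties(text):
    """Minimal key=value parser: '#' lines are ignored, no line continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(props):
    """Return a sorted list of (finding, detail) tuples; finding names are made up here."""
    out = [("deprecated-key", key) for key in props.keys() & DEPRECATED]
    get = lambda key, default="": props.get(P + key, default)
    # Control Center's own Kafka connection: the documented default is PLAINTEXT.
    if get("streams.security.protocol", "PLAINTEXT").upper() not in ENCRYPTED:
        out.append(("kafka-unencrypted", "streams"))
    # Additional clusters are named by their kafka.<name>.bootstrap.servers key;
    # Kafka clients fall back to PLAINTEXT when security.protocol is unset.
    for key in props:
        m = re.fullmatch(re.escape(P) + r"kafka\.(.+)\.bootstrap\.servers", key)
        if m and get(f"kafka.{m.group(1)}.security.protocol", "PLAINTEXT").upper() not in ENCRYPTED:
            out.append(("kafka-unencrypted", m.group(1)))
    # An https listener needs the keystore settings; an http listener is cleartext.
    listeners = csv(get("rest.listeners"))
    https = [u for u in listeners if u.lower().startswith("https://")]
    out += [("http-listener", u) for u in listeners if u not in https]
    if https and not get("rest.ssl.keystore.location"):
        out.append(("https-without-keystore", "rest.ssl.keystore.location"))
    # RBAC (metadata.urls set) requires BEARER; the documented default is NONE.
    method = get("rest.authentication.method", "NONE").upper()
    if get("metadata.urls") and method != "BEARER":
        out.append(("rbac-requires-bearer", method))
    elif method == "NONE":
        out.append(("ui-auth-disabled", method))
    # Assumption: roles are comma-separated and "*" admits every role.
    allowed = csv(get("rest.authentication.roles", "*"))
    if "*" not in allowed:
        out += [("restricted-role-not-authenticated", r)
                for r in csv(get("auth.restricted.roles")) if r not in allowed]
    # Both SMTP TLS switches default to false.
    if get("mail.enabled", "false").lower() == "true":
        out += [("smtp-tls-not-enforced", k)
                for k in ("mail.ssl.checkserveridentity", "mail.starttls.required")
                if get(k, "false").lower() != "true"]
    return sorted(out)

WEAK = """\
# constructed sample: hostnames and values are placeholders
bootstrap.servers=kafka1.example.internal:9092
confluent.controlcenter.license=LICENSE-PLACEHOLDER
confluent.controlcenter.kafka.production-nyc.bootstrap.servers=nyc1.example.internal:9093
confluent.controlcenter.kafka.production-nyc.security.protocol=SASL_SSL
confluent.controlcenter.kafka.staging.bootstrap.servers=stg1.example.internal:9092
confluent.controlcenter.rest.listeners=http://0.0.0.0:9021,https://0.0.0.0:9022
confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.roles=Administrators
confluent.controlcenter.auth.restricted.roles=Restricted
confluent.controlcenter.mail.enabled=true
confluent.controlcenter.mail.starttls.required=true
"""

# The same deployment with each flagged setting corrected (constructed values).
HARDENED = {k: v for k, v in parse_properties(WEAK).items() if k != P + "license"}
HARDENED.update({
    "confluent.license": "LICENSE-PLACEHOLDER",
    P + "streams.security.protocol": "SASL_SSL",
    P + "kafka.staging.security.protocol": "SASL_SSL",
    P + "rest.listeners": "https://0.0.0.0:9022",
    P + "rest.ssl.keystore.location": "/path/to/keystore.jks",
    P + "rest.authentication.roles": "Administrators,Restricted",
    P + "mail.ssl.checkserveridentity": "true",
})

for finding in audit(parse_properties(WEAK)):
    print(*finding)
```

The audit only inspects transport and authentication switches; an encrypted protocol value still needs the matching keystore, truststore and SASL settings to be valid.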

KSQL Settings

You can use Control Center to interact with KSQL Server, which runs separately from your Kafka clusters. For access control configuration related to KSQL, see Access Control Settings.

confluent.controlcenter.ksql.<name>.advertised.url

Comma-separated list of advertised URLs to access the KSQL cluster on Control Center. Replace <name> with the name Control Center should use to identify this KSQL cluster. By default this is set to the value specified in confluent.controlcenter.ksql.<name>.url. These hostnames must be reachable from any browser that will use the KSQL web interface in Control Center.

For example, if KSQL is communicating over an internal DNS that is not externally resolvable or routable (e.g. if running in Docker for Mac), then the advertised URL must be set so the browser can resolve the externally available DNS that KSQL is available at. For more information, see Integrate KSQL with Confluent Control Center.

  • Type: list
  • Default: []
  • Importance: low
confluent.controlcenter.ksql.<name>.url

Comma-separated list of the KSQL server hostnames and listener ports for the KSQL cluster specified by <name>. By default this is empty. These hostnames must be reachable from the machine Control Center is installed on. For more information, see Integrate KSQL with Confluent Control Center.

  • Type: list
  • Default: []
  • Importance: low
confluent.controlcenter.ksql.advertised.url

DEPRECATED: The advertised URL to access the KSQL cluster on Control Center. By default this is set to the value specified in confluent.controlcenter.ksql.url.

  • Type: string
  • Default: ""
  • Importance: low
confluent.controlcenter.ksql.url

DEPRECATED: The KSQL server hostname and listener port. This is deprecated by confluent.controlcenter.ksql.<name>.url. If this deprecated configuration is supplied, then Control Center will ignore any named KSQL configurations.

  • Type: string
  • Default: ""
  • Importance: low

Internal Kafka Streams Settings

Because Control Center reads and writes data to Kafka, you are allowed to change some producer and consumer configurations. Changing these values is not recommended unless advised by Confluent Support. Some examples of values used internally are given. These settings map 1:1 with producer/consumer configs used internally by Confluent Control Center and all use the prefix confluent.controlcenter.streams.{producer,consumer}..

confluent.controlcenter.streams.num.stream.threads

The number of threads to execute stream processing.

  • Type: integer
  • Default: 8
  • Importance: low
confluent.controlcenter.streams.retries

Number of times to retry client requests failing with transient errors. Does not apply to producer retries, which are defined using the confluent.controlcenter.streams.producer.retries setting described below.

  • Type: integer
  • Default: maximum integer (effectively infinite)
  • Importance: low
confluent.controlcenter.streams.producer.retries

Number of retries in case of production failure.

  • Type: integer
  • Default: maximum integer (effectively infinite)
  • Importance: low
confluent.controlcenter.streams.producer.retry.backoff.ms

Time to wait before retrying in case of production failure.

  • Type: long
  • Default: 100
  • Importance: low
confluent.controlcenter.streams.producer.compression.type

Compression type to use on internal topic production.

  • Type: string
  • Default: lz4
  • Importance: low

Internal Command Settings

The command topic is used to store internal configuration data for Control Center. The command topic reuses the defaults/overrides for Kafka Streams, but allows the following overrides.

confluent.controlcenter.command.topic

Topic used to store Control Center configuration.

  • Type: string
  • Default: "_confluent-command"
  • Importance: low
confluent.controlcenter.command.topic.replication

Replication factor for command topic.

Important

It is not recommended to reduce the replication value except in a development environment.

  • Type: int
  • Default: 3
  • Importance: low