Confluent Control Center UI Authentication

User login is available via HTTP Basic Authentication that is pluggable via JAAS. All options are documented here.

 cat <<EOF > /tmp/confluent/
admin: admin_pw,Administrators
disallowed: no_access
 cat <<EOF > /tmp/confluent/propertyfile.jaas
c3 {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
 cat <<EOF >> /path/to/,Restricted

Now start Control Center to use the JAAS configuration like below:

CONTROL_CENTER_OPTS="" control-center-start /path/to/

Now when you access the UI you should be prompted for a username/password. Using admin:admin_pw to login will allow you in, and disallowd:no_access will be blocked. Any JAAS LoginModule should work.


HTTPS is supported for web access to Confluent Control Center. To enable HTTPS you must first add a HTTPS listener in the Control Center properties file using the parameter. You must also set the appropriate SSL configuration options. If you haven’t already this would be a good time to create SSL keys and certificates.

An example of the necessary additions to are shown below:

To test your HTTPS configuration without a web browser you can use curl as shown below:

   curl -vvv -X GET --tlsv1.2 https://localhost:9022
#for cases when using a self-signed certificate
   curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022

Authorization with Kafka ACLS

Standard Kafka authentication, authorization, and encryption options are available for control center and interceptors. You can use this script to create the ACLs that are required by Confluent Control Center to operate on an authorized cluster. This script must be run before you start Confluent Control Center:

export PRINCIPAL=User:username
bin/control-center-set-acls config/

You will also need to export a Confluent Control Center JAAS config before starting Confluent Control Center.

export PRINCIPAL=User:username
bin/control-center-start config/