HTTP Basic Auth

You can add HTTP basic authentication to these Confluent Platform components:

Control Center REST API

  1. Add the following configuration in your Control Center properties file (control-center.properties):

    confluent.controlcenter.rest.authentication.method=BASIC
    confluent.controlcenter.rest.authentication.realm=c3
    confluent.controlcenter.rest.authentication.roles=thisismyusername
    

    Tip

    The confluent.controlcenter.rest.authentication.roles file can be a CSV.

  2. Create a JAAS file. The authentication realm in this example is c3. For example:

    c3 {
        org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        debug="true"
        file="<path-to-confluent>/etc/confluent-control-center/password.properties";
    };
    
  3. Create a password properties file (<path-to-confluent>/etc/confluent-control-center/password.properties). For example:

    thisismyusername: thisismypass
    

REST Proxy

  1. Add the following configuration to your REST Proxy properties file (etc/kafka-rest/kafka-rest.properties):

    authentication.method=BASIC
    authentication.realm=KafkaServer
    authentication.roles=thisismyusername
    
  2. Create a JAAS configuration file. For an example, see etc/kafka-rest/etc/kafka-rest/rest-jaas.properties:

    KafkaServer {
        org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        debug="true"
        file="<path-to-confluent>/etc/kafka-rest/password.properties";
    };
    

    Tip

    KafkaServer is in line with the realm specified as authentication.realm in kafka-rest.properties.

  3. Create a password properties file (<path-to-confluent>/etc/kafka-rest/password.properties). For example:

    thisismyusername: thisismypass
    
  4. Start REST Proxy with HTTP Basic auth:

    KAFKAREST_OPTS="-Djava.security.auth.login.config=<path-to-confluent>/etc/kafka-rest/rest-jaas.properties" \
    bin/kafka-rest-start etc/kafka-rest/kafka-rest.properties
    
  5. Configure HTTPS for the REST Proxy interface.

  6. Login to your REST Proxy with the username thisismyusername and the password thisismypass. The password in your password.properties file can also be hashed. For more information, see this link.

Connect REST API

  1. Add the following configuration to your Connect worker properties file (etc/kafka/connect-distributed.propertes):

    rest.extension.classes=org.apache.kafka.connect.rest.basic.auth.extension.BasicAuthSecurityRestExtension
    
  2. Create a JAAS configuration file. Your authentication realm is hardcoded to KafkaConnect, so your JAAS must look like this:

    KafkaConnect {
        org.apache.kafka.connect.rest.basic.auth.extension.PropertyFileLoginModule required
        file="<path-to-confluent>/etc/kafka/connect.password";
    };
    
  3. Create a password properties file (<path-to-confluent>/etc/kafka/connect.password). For example:

    thisismyusername: thisismypass
    

KSQL

  1. Add the following configuration in your KSQL properties file (etc/ksql/ksql-server.properties):

    authentication.method=BASIC
    authentication.roles=admin,developer,user,ksq-user
    authentication.realm=KsqlServer-Props
    
  2. Create a JAAS file (jaas_config.file):

    KsqlServer-Props {
      org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
      file="/path/to/password-file"
      debug="false";
    };
    
  3. Create a password properties file (<path-to-confluent>/etc/ksql/password-file):

    fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
    harry: changeme,user,developer
    tom: MD5:164c88b302622e17050af52c89945d44,user
    dick: CRYPT:adpexzg3FUZAk,admin,ksq-user
    
  4. Export the JAAS file:

    export KSQL_OPTS=-Djava.security.auth.login.config=/path/to/the/jaas_config.file
    
  5. Start the KSQL server:

    <path-to-confluent>/bin/ksql-server-start <path-to-confluent>/etc/ksql/ksql-server.properties
    

For more information, see Configuring the CLI for Basic HTTP Authentication.

Schema Registry REST API

  1. Add the following configuration in your Schema Registry properties file (schema-registry.properties):

    authentication.method=BASIC
    authentication.realm=SchemaRegistry
    authentication.roles=thisismyusername
    

    Tip

    The authentication.roles file can be a CSV.

  2. Create a JAAS configuration file. You must also create a JAAS file. The authentication realm in this example is SchemaRegistry. For example:

    SchemaRegistry {
        org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        debug="true
        file="<path-to-confluent>/etc/schema-registry/schema_registry.password";
    };
    
  3. Create a password properties file (<path-to-confluent>/etc/schema-registry/schema_registry.password). For example:

    thisismyusername: thisisnotmypass
    
  4. Start Schema Registry with this command, where <path-to-confluent> is customized for your environment:

    SCHEMA_REGISTRY_OPTS="-Djava.security.auth.login.config=<path-to-confluent>/etc/schema-registry/schema_registry.jaas" \
    bin/schema-registry-start etc/schema-registry/schema-registry.properties