.. _ui_authentication:

|c3-short| UI Authentication
============================

User login uses HTTP Basic authentication, which is pluggable through JAAS. All options are :ref:`documented here`.

.. codewithvars:: bash

    # Create the directory that holds the example credential and JAAS files
    mkdir -p /tmp/confluent

    # Jetty property-file format: username: password[,role,...]
    cat <<EOF > /tmp/confluent/login.properties
    admin: admin_pw,Administrators
    disallowed: no_access
    EOF

    # JAAS section "c3" must match the realm configured below
    cat <<EOF > /tmp/confluent/propertyfile.jaas
    c3 {
      org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
      file="/tmp/confluent/login.properties";
    };
    EOF

    # Append the authentication settings to the Control Center properties file
    cat <<EOF >> /path/to/control-center.properties
    confluent.controlcenter.rest.authentication.method=BASIC
    confluent.controlcenter.rest.authentication.realm=c3
    confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
    confluent.controlcenter.auth.restricted.roles=Restricted
    EOF

Start |c3-short| with the JAAS configuration as shown below:

.. codewithvars:: bash

    CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/tmp/confluent/propertyfile.jaas" \
    control-center-start /path/to/control-center.properties

When you access the UI, you should be prompted for a username and password. Logging in with ``admin:admin_pw`` will allow you in, and ``disallowed:no_access`` will be blocked. Any JAAS LoginModule should work.

UI HTTPS
--------

HTTPS is supported for web access to |c3|. To enable HTTPS, you must first add an HTTPS listener in the |c3-short| properties file using the ``confluent.controlcenter.rest.listeners`` parameter. You must also set the appropriate :ref:`SSL configuration options`. If you haven't already, this would be a good time to :ref:`create SSL keys and certificates`.

An example of the necessary additions to ``control-center.properties`` is shown below:

.. codewithvars:: bash

    confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
    confluent.controlcenter.rest.ssl.keystore.location=/var/private/ssl/kafka.control-center.keystore.jks
    confluent.controlcenter.rest.ssl.keystore.password=test1234
    confluent.controlcenter.rest.ssl.key.password=test1234
    confluent.controlcenter.rest.ssl.truststore.location=/var/private/ssl/kafka.control-center.truststore.jks
    confluent.controlcenter.rest.ssl.truststore.password=test1234

To test your HTTPS configuration without a web browser, you can use ``curl`` as shown below:

.. codewithvars:: bash

    curl -vvv -X GET --tlsv1.2 https://localhost:9022

    # For cases when using a self-signed certificate
    curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022

Authorization with |ak| ACLs
-----------------------------

Standard |ak-tm| authentication, authorization, and encryption options are available for :ref:`control center` and :ref:`interceptors`.

You can use this script to create the ACLs that are required by |c3| to operate on an authorized cluster. This script must be run before you start |c3|:

.. codewithvars:: bash

    export PRINCIPAL=User:username
    export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/kafka_jaas.conf"
    bin/control-center-set-acls config/control-center.properties

You will also need to export a |c3| JAAS config before starting |c3|.

.. codewithvars:: bash

    export PRINCIPAL=User:username
    export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=/path/to/c3_jaas.conf'
    bin/control-center-start config/control-center.properties
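The Basic authentication files from the UI Authentication section can be checked before the service is started. The script below is an added example, not part of the Confluent documentation or tooling: it reports which ``login.properties`` users would be admitted, read-only, or denied, and flags a realm that has no JAAS section, a restricted role missing from the allowed roles, and a listener that is not HTTPS-only. The function names ``prop``, ``has_role``, ``user_access`` and ``lint_config``, the ``viewer`` user, the temporary demo files, and the rule that an allowed non-restricted role gives full access are assumptions made for the example.

```bash
# Added example, not Confluent code. Demo files at the bottom are constructed.
prop() {  # prop FILE KEY -> value of the last "KEY=value" line
  awk -v k="$2" '{ i = index($0, "="); if (i && substr($0, 1, i - 1) == k) v = substr($0, i + 1) }
    END { print v }' "$1"
}
has_role() {  # has_role ROLE "a,b,c" -> success if ROLE is in the list
  case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}
user_access() {  # user_access LOGIN_FILE PROPS_FILE -> one "user access" line per user
  allowed=$(prop "$2" confluent.controlcenter.rest.authentication.roles)
  limited=$(prop "$2" confluent.controlcenter.auth.restricted.roles)
  tr -d ' \t' < "$1" | while IFS=: read -r user rest; do
    case "$user" in ''|'#'*) continue ;; esac
    case "$rest" in *,*) roles=${rest#*,} ;; *) roles='' ;; esac  # password[,role...]
    access=denied
    for role in $(printf '%s' "$roles" | tr ',' ' '); do
      has_role "$role" "$allowed" || continue
      # Assumption: an allowed role outside the restricted list means full access.
      if has_role "$role" "$limited"; then
        if [ "$access" = denied ]; then access=restricted; fi
      else
        access=full
      fi
    done
    echo "$user $access"
  done
}
lint_config() {  # lint_config PROPS_FILE JAAS_FILE -> one finding per line
  realm=$(prop "$1" confluent.controlcenter.rest.authentication.realm)
  grep -Eq "^[[:space:]]*${realm}[[:space:]]*\{" "$2" || echo "realm '$realm' has no section in $2"
  for role in $(prop "$1" confluent.controlcenter.auth.restricted.roles | tr ',' ' '); do
    has_role "$role" "$(prop "$1" confluent.controlcenter.rest.authentication.roles)" ||
      echo "restricted role '$role' is not in rest.authentication.roles"
  done
  case "$(prop "$1" confluent.controlcenter.rest.listeners)" in
    ''|*http://*) echo "listener is not HTTPS-only: Basic credentials cross the network in cleartext" ;;
  esac
}

# Constructed demo input: the files from this page plus one read-only user.
d=$(mktemp -d)
printf '%s\n' 'admin: admin_pw,Administrators' 'viewer: viewer_pw,Restricted' \
  'disallowed: no_access' > "$d/login.properties"
printf '%s\n' 'c3 {' '  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required' \
  "  file=\"$d/login.properties\";" '};' > "$d/propertyfile.jaas"
printf '%s\n' 'confluent.controlcenter.rest.authentication.realm=c3' \
  'confluent.controlcenter.rest.authentication.roles=Administrators,Restricted' \
  'confluent.controlcenter.auth.restricted.roles=Restricted' > "$d/control-center.properties"
user_access "$d/login.properties" "$d/control-center.properties"
lint_config "$d/control-center.properties" "$d/propertyfile.jaas"
```

With only the authentication settings in place the listener finding is reported, because no HTTPS listener has been configured yet; adding the ``confluent.controlcenter.rest.listeners`` line from the UI HTTPS section clears it.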