Important

You are viewing documentation for an older version of Confluent Platform. For the latest, click here.

HTTP Basic Auth

You can add HTTP basic authentication to these Confluent Platform components:

• Control Center REST API
• REST Proxy
• Connect REST API
• KSQL
• Schema Registry

Control Center REST API

User login is available via HTTP Basic Authentication that is pluggable via JAAS. All options are documented here.

 cat <<EOF > /tmp/confluent/login.properties
admin: admin_pw,Administrators
disallowed: no_access
EOF
 cat <<EOF > /tmp/confluent/propertyfile.jaas
c3 {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
  file="/tmp/confluent/login.properties";
};
EOF
 cat <<EOF >> /path/to/control-center.properties
confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.realm=c3
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted
EOF

Now start Control Center to use the JAAS configuration like below:

CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/tmp/confluent/propertyfile.jaas" control-center-start /path/to/control-center.properties

Now when you access the UI you should be prompted for a username/password. Using admin:admin_pw to login will allow you in, and disallowd:no_access will be blocked. Any JAAS LoginModule should work.

UI HTTPS

HTTPS is supported for web access to Confluent Control Center. To enable HTTPS you must first add a HTTPS listener in the Control Center properties file using the confluent.controlcenter.rest.listeners parameter. You must also set the appropriate SSL configuration options. If you haven’t already this would be a good time to create SSL keys and certificates.

An example of the necessary additions to control-center.properties are shown below:

confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
confluent.controlcenter.rest.ssl.keystore.location=/var/private/ssl/kafka.control-center.keystore.jks
confluent.controlcenter.rest.ssl.keystore.password=test1234
confluent.controlcenter.rest.ssl.key.password=test1234
confluent.controlcenter.rest.ssl.truststore.location=/var/private/ssl/kafka.control-center.truststore.jks
confluent.controlcenter.rest.ssl.truststore.password=test1234

To test your HTTPS configuration without a web browser you can use curl as shown below:

   curl -vvv -X GET --tlsv1.2 https://localhost:9022
#for cases when using a self-signed certificate
   curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022

Tip

For an example that shows this in action, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml for a configuration reference.

REST Proxy

1. Add the following configuration to your REST Proxy properties file (etc/kafka-rest/kafka-rest.properties):

   authentication.method=BASIC
   authentication.realm=KafkaServer
   authentication.roles=thisismyusername
   

2. Create a JAAS configuration file. For an example, see etc/kafka-rest/etc/kafka-rest/rest-jaas.properties:

   KafkaServer {
       org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
       debug="true"
       file="<path-to-confluent>/etc/kafka-rest/password.properties";
   };
   

   Tip

   KafkaServer is in line with the realm specified as authentication.realm in kafka-rest.properties.

3. Create a password properties file (<path-to-confluent>/etc/kafka-rest/password.properties). For example:

   thisismyusername: thisismypass
   

4. Start REST Proxy with HTTP Basic auth:

   KAFKAREST_OPTS="-Djava.security.auth.login.config=<path-to-confluent>/etc/kafka-rest/rest-jaas.properties" \
   bin/kafka-rest-start etc/kafka-rest/kafka-rest.properties
   

5. Configure HTTPS for the REST Proxy interface.

6. Login to your REST Proxy with the username thisismyusername and the password thisismypass. The password in your password.properties file can also be hashed. For more information, see this link.

Connect REST API

1. Add the following configuration to your Connect worker properties file (etc/kafka/connect-distributed.propertes):

   rest.extension.classes=org.apache.kafka.connect.rest.basic.auth.extension.BasicAuthSecurityRestExtension
   

2. Create a JAAS configuration file. Your authentication realm is hardcoded to KafkaConnect, so your JAAS must look like this:

   KafkaConnect {
       org.apache.kafka.connect.rest.basic.auth.extension.PropertyFileLoginModule required
       file="<path-to-confluent>/etc/kafka/connect.password";
   };
   

3. Create a password properties file (<path-to-confluent>/etc/kafka/connect.password). For example:

   thisismyusername: thisismypass
   

KSQL

1. Add the following configuration in your KSQL properties file (etc/ksql/ksql-server.properties):

   authentication.method=BASIC
   authentication.roles=admin,developer,user,ksq-user
   authentication.realm=KsqlServer-Props
   

2. Create a JAAS file (jaas_config.file):

   KsqlServer-Props {
     org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
     file="/path/to/password-file"
     debug="false";
   };
   

3. Create a password properties file (<path-to-confluent>/etc/ksql/password-file):

   fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
   harry: changeme,user,developer
   tom: MD5:164c88b302622e17050af52c89945d44,user
   dick: CRYPT:adpexzg3FUZAk,admin,ksq-user
   

4. Export the JAAS file:

   export KSQL_OPTS=-Djava.security.auth.login.config=/path/to/the/jaas_config.file
   

5. Start the KSQL server:

   <path-to-confluent>/bin/ksql-server-start <path-to-confluent>/etc/ksql/ksql-server.properties
   

For more information, see Configuring the CLI for Basic HTTP Authentication.

Schema Registry

Schema Registry can be configured to require users to authenticate using a username and password via the Basic HTTP authentication mechanism.

Note

If you’re using Basic authentication, we recommended that you configure Schema Registry to use HTTPS for secure communication, because the Basic protocol passes credentials in plain text.

Use the following settings to configure Schema Registry to require authentication:

authentication.method=BASIC
authentication.roles=<user-role1>,<user-role2>,...
authentication.realm=<section-in-jaas_config.file>

The authentication.roles config defines a comma-separated list of user roles. To be authorized to access Schema Registry, an authenticated user must belong to at least one of these roles.

For example, if you define admin, developer, user, and sr-user roles, the following configuration assigns them for authentication:

authentication.roles=admin,developer,user,sr-user

The authentication.realm config must match a section within jaas_config.file, which defines how the server authenticates users and should be passed as a JVM option during server start:

export SCHEMA_REGISTRY_OPTS=-Djava.security.auth.login.config=/path/to/the/jaas_config.file
<path-to-confluent>/bin/schema-registry-start <path-to-confluent>/etc/schema-registry/schema-registry.properties

An example jaas_config.file is:

SchemaRegistry-Props {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
  file="/path/to/password-file"
  debug="false";
};

Assign the SchemaRegistry-Props section to the authentication.realm config setting:

authentication.realm=SchemaRegistry-Props

The example jaas_config.file above uses the Jetty PropertyFileLoginModule, which authenticates users by checking for their credentials in a password file.

You can also use other implementations of the standard Java LoginModule interface, such as the LdapLoginModule, or the JDBCLoginModule for reading credentials from a database.

The file parameter is the location of the password file, The format is:

<username>: <password-hash>[,<rolename> ...]

Here’s an example:

fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
harry: changeme,user,developer
tom: MD5:164c88b302622e17050af52c89945d44,user
dick: CRYPT:adpexzg3FUZAk,admin,sr-user

Get the password hash for a user by using the org.eclipse.jetty.util.security.Password utility:

bin/schema-registry-run-class org.eclipse.jetty.util.security.Password fred letmein

Your output should resemble:

letmein
OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x
MD5:0d107d09f5bbe40cade3de5c71e9e9b7
CRYPT:frd5btY/mvXo6

Each line of the output is the password encrypted using different mechanisms, starting with plain text.

Once Schema Registry is configured to use Basic authentication, clients must be configured with suitable valid credentials, for example:

schema.registry.basic.auth.credentials.source=USER_INFO
schema.registry.basic.auth.user.info=fred:letmein

For more information, see Schema Registry Security Overview.