HTTP Basic authentication

You can add HTTP Basic authentication to these Confluent Platform components:


If HTTP Basic authentication is enabled on Confluent Control Center, the Control Center REST API does not support passing usernames and passwords to the Kafka Connect REST API. Role-based access control (RBAC) can be used to support security for all components. For details, see Kafka Connect and RBAC.

Control Center REST API

User login is available using HTTP Basic authentication that is pluggable using JAAS. For details on all configuration options, see UI authentication settings.

To configure Control Center authentication:

  1. Specify the following options in,Restricted


    The properties called and confluent.controlcenter.auth.restricted.roles both apply to Groups.

    The values for are <your_administrator_group>,<your_restricted_group>, and the value for confluent.controlcenter.auth.restricted.roles is <your_restricted_group>.

  2. Create a JAAS file (propertyfile.jaas) similar to the following–note that the authentication realm is Control Center (c3):

    c3 {
        org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required

    Your password file in should look similar to the following:

    bob: <bob_password>,<your_administrator_group>
    alice: <alice_password>,<your_restricted_group>
  3. Start Control Center to use the JAAS configuration:

    CONTROL_CENTER_OPTS="" control-center-start /

After you are granted access to Control Center, you are prompted for sign-in credentials. Logging in as bob:<bob_password> provides read and write access. Logging in as alice:<alice_password> provides read-only access.


A user with membership in multiple groups is granted only the most restrictive permissions. For example, if a user is a member of two groups, admin and readonly, and readonly is a restricted role, then the user is granted only the rights for the readonly group.

For users with restricted (read-only) roles, the following user interface (UI) features and options are unavailable (hidden):

  • Add, delete, pause, or resume connectors
  • Browse connectors
  • View connector settings
  • Upload connector configs
  • Create, delete, or edit alerts (triggers or actions)
  • Edit a license
  • Edit brokers
  • Press submit on cluster forms
  • Edit, create, or delete schemas
  • Edit data flow queries
  • Inspect topics
  • Type in the ksqlDB editor
  • Run or stop ksqlDB queries
  • Add KSQL streams or tables

See also

For an example that shows this in action, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml file for a configuration reference.

Connect REST API

  1. Add the following configuration to your Connect worker properties file (etc/kafka/connect-distributed.propertes):
  2. Create a JAAS configuration file. Your authentication realm is hardcoded to KafkaConnect, so your JAAS must look like this:

    KafkaConnect { required
  3. Export KAFKA_OPTS with the path to the JAAS configuration file:

    export KAFKA_OPTS="<path-to-jaas-file>"
  4. Create a password properties file (<path-to-confluent>/etc/kafka/connect.password). For example:

    thisismyusername: thisismypass


  1. Add the following configuration in your ksqlDB properties file (etc/ksqldb/

  2. Create a JAAS file (jaas_config.conf):

    KsqlServer-Props {
      org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
  3. Create a password properties file (<path-to-confluent>/etc/ksqldb/password-file). The file parameter is the location of the password file. The format is:

    <username>: <password-hash>,<role1>[,<role2>,...]

    Following is an example:

    fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
    harry: changeme,user,developer
    tom: MD5:164c88b302622e17050af52c89945d44,user
    dick: CRYPT:adpexzg3FUZAk,admin,ksq-user
  4. Export the JAAS file:

  5. Start the ksqlDB server:

    <path-to-confluent>/bin/ksql-server-start <path-to-confluent>/etc/ksqldb/

For more information, see Configure ksqlDB for Basic HTTP authentication.

Schema Registry

Schema Registry can be configured to require users to authenticate using a username and password via the Basic HTTP authentication mechanism.


If you’re using Basic authentication, we recommended that you configure Schema Registry to use HTTPS for secure communication, because the Basic protocol passes credentials in plain text.

Use the following settings to configure Schema Registry to require authentication:


The authentication.roles config defines a comma-separated list of user roles. To be authorized to access Schema Registry, an authenticated user must belong to at least one of these roles.

For example, if you define admin, developer, user, and sr-user roles, the following configuration assigns them for authentication:


The authentication.realm config must match a section within jaas_config.conf, which defines how the server authenticates users and should be passed as a JVM option during server start:

<path-to-confluent>/bin/schema-registry-start <path-to-confluent>/etc/schema-registry/

An example jaas_config.conf is:

SchemaRegistry-Props {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required

Assign the SchemaRegistry-Props section to the authentication.realm config setting:


The example jaas_config.conf above uses the Jetty PropertyFileLoginModule, which authenticates users by checking for their credentials in a password file.

You can also use other implementations of the standard Java LoginModule interface, such as the LdapLoginModule, or the JDBCLoginModule for reading credentials from a database.

The file parameter is the location of the password file. The format is:

<username>: <password-hash>,<role1>[,<role2>,...]

Here’s an example:

fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
barney: changeme,user,developer
betty: MD5:164c88b302622e17050af52c89945d44,user
wilma: CRYPT:adpexzg3FUZAk,admin,sr-user

Get the password hash for a user by using the utility:

bin/schema-registry-run-class fred letmein

Your output should resemble:


Each line of the output is the password encrypted using different mechanisms, starting with plain text.

Once Schema Registry is configured to use Basic authentication, clients must be configured with suitable valid credentials, for example:



The schema.registry prefixed versions of these properties were deprecated in Confluent Platform 5.0.

  • schema.registry.basic.auth.credentials.source is deprecated.
  • is deprecated.

For more information, see Schema Registry Security Overview.