Control Center UI Authentication

User login is available using HTTP Basic authentication that is pluggable using JAAS. For details on all configuration options, see UI authentication settings.

To configure Control Center authentication:

  1. Specify the following options in control-center.properties:

    confluent.controlcenter.rest.authentication.method=BASIC
    confluent.controlcenter.rest.authentication.realm=c3
    confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
    confluent.controlcenter.auth.restricted.roles=Restricted
    confluent.controlcenter.auth.session.expiration.ms=600000
    

    Important

    The properties called confluent.controlcenter.rest.authentication.roles and confluent.controlcenter.auth.restricted.roles both apply to Groups.

    The values for confluent.controlcenter.rest.authentication.roles are <your_administrator_group>,<your_restricted_group>, and the value for confluent.controlcenter.auth.restricted.roles is <your_restricted_group>.

  2. Create a JAAS file (propertyfile.jaas) similar to the following–note that the authentication realm is Control Center (c3):

    c3 {
        org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        file="/password.properties";
    };
    

    Your password file in password.properties should look similar to the following:

    bob: <bob_password>,<your_administrator_group>
    alice: <alice_password>,<your_restricted_group>
    
  3. Start Control Center to use the JAAS configuration:

    CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/propertyfile.jaas" control-center-start /control-center.properties
    

After you are granted access to Control Center, you are prompted for sign-in credentials. Logging in as bob:<bob_password> provides read and write access. Logging in as alice:<alice_password> provides read-only access.

Note

A user with membership in multiple groups is granted only the most restrictive permissions. For example, if a user is a member of two groups, admin and readonly, and readonly is a restricted role, then the user is granted only the rights for the readonly group.

For users with restricted (read-only) roles, the following user interface (UI) features and options are unavailable (hidden):

  • Add, delete, pause, or resume connectors
  • Browse connectors
  • View connector settings
  • Upload connector configs
  • Create, delete, or edit alerts (triggers or actions)
  • Edit a license
  • Edit brokers
  • Press submit on cluster forms
  • Edit, create, or delete schemas
  • Edit data flow queries
  • Inspect topics
  • Type in the ksqlDB editor
  • Run or stop ksqlDB queries
  • Add KSQL streams or tables

UI HTTPS

HTTPS is supported for web access to Confluent Control Center. To enable HTTPS, you must first add an HTTPS listener in the Control Center properties file using the confluent.controlcenter.rest.listeners parameter. You must also set the appropriate SSL configuration options. If you haven’t already, this would be a good time to create SSL keys and certificates.

An example of the necessary additions to control-center.properties are shown below:

confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
confluent.controlcenter.rest.ssl.keystore.location=/var/private/ssl/kafka.control-center.keystore.jks
confluent.controlcenter.rest.ssl.keystore.password=test1234
confluent.controlcenter.rest.ssl.key.password=test1234
confluent.controlcenter.rest.ssl.truststore.location=/var/private/ssl/kafka.control-center.truststore.jks
confluent.controlcenter.rest.ssl.truststore.password=test1234
   curl -vvv -X GET --tlsv1.2 https://localhost:9022
#for cases when using a self-signed certificate
   curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022

See also

For an example that shows this in action, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml file for a configuration reference.