HTTP Basic authentication

You can add HTTP Basic authentication to these Confluent Platform components:

  • Control Center REST API
  • Connect REST API
  • ksqlDB
  • Schema Registry

Note

If HTTP Basic authentication is enabled on Confluent Control Center, the Control Center REST API does not support passing usernames and passwords to the Kafka Connect REST API. Role-based access control (RBAC) can be used to support security for all components. For details, see Kafka Connect and RBAC.

Control Center REST API

User login is available using HTTP Basic authentication that is pluggable using JAAS. For details on all configuration options, see UI authentication settings.

To configure Control Center authentication:

  1. Specify the following options in control-center.properties:

    confluent.controlcenter.rest.authentication.method=BASIC
    confluent.controlcenter.rest.authentication.realm=c3
    confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
    confluent.controlcenter.auth.restricted.roles=Restricted
    confluent.controlcenter.auth.session.expiration.ms=600000
    

    Important

    The properties called confluent.controlcenter.rest.authentication.roles and confluent.controlcenter.auth.restricted.roles both apply to Groups.

    The values for confluent.controlcenter.rest.authentication.roles are <your_administrator_group>,<your_restricted_group>, and the value for confluent.controlcenter.auth.restricted.roles is <your_restricted_group>.

  2. Create a JAAS file (propertyfile.jaas) similar to the following. Note that the authentication realm is Control Center (c3):

    c3 {
        org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        file="/password.properties";
    };
    

    Your password file in password.properties should look similar to the following:

    bob: <bob_password>,<your_administrator_group>
    alice: <alice_password>,<your_restricted_group>
    
  3. Start Control Center to use the JAAS configuration:

    CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/propertyfile.jaas" control-center-start /control-center.properties
    

After you are granted access to Control Center, you are prompted for sign-in credentials. Logging in as bob:<bob_password> provides read and write access. Logging in as alice:<alice_password> provides read-only access.

Note

A user with membership in multiple groups is granted only the most restrictive permissions. For example, if a user is a member of two groups, admin and readonly, and readonly is a restricted role, then the user is granted only the rights for the readonly group.
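The group precedence in the note above can be checked against your own group assignments before you deploy them. The following Python is an added example, not Control Center code: the function names, the users carol and dave, and the rule that a user in none of the listed groups is denied are assumptions made for illustration.

```python
# Added example: a model of the documented group rules, not Control Center code.

def parse_props(text):
    """Parse key=value lines of a .properties snippet into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def csv_set(props, key):
    """Return the comma-separated value of a property as a set of names."""
    return {name.strip() for name in props.get(key, "").split(",") if name.strip()}

def effective_access(groups, props):
    """Return 'denied', 'read-only' or 'read-write' for one user's groups."""
    allowed = csv_set(props, "confluent.controlcenter.rest.authentication.roles")
    restricted = csv_set(props, "confluent.controlcenter.auth.restricted.roles")
    if not set(groups) & allowed:
        return "denied"        # assumption: no listed group means no login
    if set(groups) & restricted:
        return "read-only"     # the most restrictive group wins
    return "read-write"

def unreachable_restricted_groups(props):
    """Restricted groups missing from the login list (a likely misconfiguration)."""
    allowed = csv_set(props, "confluent.controlcenter.rest.authentication.roles")
    restricted = csv_set(props, "confluent.controlcenter.auth.restricted.roles")
    return sorted(restricted - allowed)

# Property values follow step 1; carol and dave are constructed users.
PROPS = parse_props("""\
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted
""")
USERS = {"bob": ["Administrators"], "alice": ["Restricted"],
         "carol": ["Administrators", "Restricted"], "dave": ["Operators"]}

def access_report(users, props):
    """Map every user to the access level the group rules give them."""
    return {user: effective_access(groups, props) for user, groups in users.items()}

if __name__ == "__main__":
    for user, access in access_report(USERS, PROPS).items():
        print(f"{user}: {access}")
```
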

For users with restricted (read-only) roles, the following user interface (UI) features and options are unavailable (hidden):

  • Add, delete, pause, or resume connectors
  • Browse connectors
  • View connector settings
  • Upload connector configs
  • Create, delete, or edit alerts (triggers or actions)
  • Edit a license
  • Edit brokers
  • Press submit on cluster forms
  • Edit, create, or delete schemas
  • Edit data flow queries
  • Inspect topics
  • Type in the ksqlDB editor
  • Run or stop ksqlDB queries
  • Add KSQL streams or tables

See also

For an example that shows this in action, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml file for a configuration reference.

Connect REST API

  1. Add the following configuration to your Connect worker properties file (etc/kafka/connect-distributed.properties):

    rest.extension.classes=org.apache.kafka.connect.rest.basic.auth.extension.BasicAuthSecurityRestExtension
    
  2. Create a JAAS configuration file. Your authentication realm is hardcoded to KafkaConnect, so your JAAS must look like this:

    KafkaConnect {
        org.apache.kafka.connect.rest.basic.auth.extension.PropertyFileLoginModule required
        file="<path-to-confluent>/etc/kafka/connect.password";
    };
    
  3. Export KAFKA_OPTS with the path to the JAAS configuration file:

    export KAFKA_OPTS="-Djava.security.auth.login.config=<path-to-jaas-file>"
    
  4. Create a password properties file (<path-to-confluent>/etc/kafka/connect.password). For example:

    thisismyusername: thisismypass
    

ksqlDB

  1. Add the following configuration in your ksqlDB properties file (etc/ksqldb/ksql-server.properties):

    authentication.method=BASIC
    authentication.roles=admin,developer,user,ksq-user
    authentication.realm=KsqlServer-Props
    
  2. Create a JAAS file (jaas_config.conf):

    KsqlServer-Props {
      org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
      file="/path/to/password-file"
      debug="false";
    };
    
  3. Create a password properties file (<path-to-confluent>/etc/ksqldb/password-file). The file parameter is the location of the password file. The format is:

    <username>: <password-hash>,<role1>[,<role2>,...]
    

    Following is an example:

    fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
    harry: changeme,user,developer
    tom: MD5:164c88b302622e17050af52c89945d44,user
    dick: CRYPT:adpexzg3FUZAk,admin,ksq-user
    
  4. Export the JAAS file:

    export KSQL_OPTS=-Djava.security.auth.login.config=/path/to/the/jaas_config.conf
    
  5. Start the ksqlDB server:

    <path-to-confluent>/bin/ksql-server-start <path-to-confluent>/etc/ksqldb/ksql-server.properties
    

For more information, see Configure ksqlDB for Basic HTTP authentication.

Schema Registry

Schema Registry can be configured to require users to authenticate using a username and password via the Basic HTTP authentication mechanism.

Note

If you’re using Basic authentication, we recommend that you configure Schema Registry to use HTTPS for secure communication, because the Basic protocol passes credentials in plain text.

Use the following settings to configure Schema Registry to require authentication:

    authentication.method=BASIC
    authentication.roles=<user-role1>,<user-role2>,...
    authentication.realm=<section-in-jaas_config.conf>

The authentication.roles config defines a comma-separated list of user roles. To be authorized to access Schema Registry, an authenticated user must belong to at least one of these roles.

For example, if you define admin, developer, user, and sr-user roles, the following configuration assigns them for authentication:

    authentication.roles=admin,developer,user,sr-user

The authentication.realm config must match a section within jaas_config.conf, which defines how the server authenticates users and should be passed as a JVM option during server start:

    export SCHEMA_REGISTRY_OPTS=-Djava.security.auth.login.config=/path/to/the/jaas_config.conf
    <path-to-confluent>/bin/schema-registry-start <path-to-confluent>/etc/schema-registry/schema-registry.properties

An example jaas_config.conf is:

    SchemaRegistry-Props {
      org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
      file="/path/to/password-file"
      debug="false";
    };

Assign the SchemaRegistry-Props section to the authentication.realm config setting:

    authentication.realm=SchemaRegistry-Props

The example jaas_config.conf above uses the Jetty PropertyFileLoginModule, which authenticates users by checking for their credentials in a password file.

You can also use other implementations of the standard Java LoginModule interface, such as the LdapLoginModule, or the JDBCLoginModule for reading credentials from a database.

The file parameter is the location of the password file. The format is:

    <username>: <password-hash>,<role1>[,<role2>,...]

Here’s an example:

    fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
    barney: changeme,user,developer
    betty: MD5:164c88b302622e17050af52c89945d44,user
    wilma: CRYPT:adpexzg3FUZAk,admin,sr-user

Get the password hash for a user by using the org.eclipse.jetty.util.security.Password utility:

    bin/schema-registry-run-class org.eclipse.jetty.util.security.Password fred letmein

Your output should resemble:

    letmein
    OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x
    MD5:0d107d09f5bbe40cade3de5c71e9e9b7
    CRYPT:frd5btY/mvXo6

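Each line of the output is the password encoded using a different mechanism, starting with plain text. Only MD5 and CRYPT are one-way hashes; OBF is an obfuscation that anyone who can read the password file can reverse.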
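The password-file format used by both the ksqlDB and the Schema Registry sections can be audited before the server starts. The following Python is an added example, not Confluent or Jetty code: it classifies how each credential is stored, checks each user's roles against authentication.roles, and reports users whose stored credential strings are identical. The function names and the user pebbles are assumptions; the other sample lines are the page's own.

```python
# Added example: audit a Jetty PropertyFileLoginModule password file.
# The first four sample lines are the page's own; "pebbles" is constructed.
from collections import defaultdict

SAMPLE = """\
fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
barney: changeme,user,developer
betty: MD5:164c88b302622e17050af52c89945d44,user
wilma: CRYPT:adpexzg3FUZAk,admin,sr-user
pebbles: MD5:164c88b302622e17050af52c89945d44,guest
"""

# prefix -> (storage description, password readable from the file itself?)
SCHEMES = {
    "OBF:": ("reversible obfuscation", True),
    "MD5:": ("unsalted MD5 digest", False),
    "CRYPT:": ("Unix crypt hash", False),
}

def parse_entries(text):
    """Yield (user, credential, roles) from '<user>: <cred>,<role1>[,...]' lines."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, _, rest = line.partition(":")
        credential, *roles = [part.strip() for part in rest.split(",")]
        yield user.strip(), credential, roles

def audit(text, allowed_roles):
    """Classify each entry's storage and check it against authentication.roles."""
    report = {}
    for user, credential, roles in parse_entries(text):
        storage, readable = next(
            (info for prefix, info in SCHEMES.items() if credential.startswith(prefix)),
            ("plain text", True))
        report[user] = {"storage": storage, "readable": readable,
                        "authorized": bool(set(roles) & set(allowed_roles))}
    return report

def shared_credentials(text):
    """Group users whose stored credential strings are identical (same password)."""
    groups = defaultdict(list)
    for user, credential, _ in parse_entries(text):
        groups[credential].append(user)
    return sorted(users for users in groups.values() if len(users) > 1)

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, "admin,developer,user,sr-user".split(",")).items():
        print(user, finding)
    print("same password:", shared_credentials(SAMPLE))
```

Because the MD5 form is unsalted, two users with the same password get the same stored value, which is why betty and pebbles are reported together.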

Once Schema Registry is configured to use Basic authentication, clients must be configured with suitable valid credentials, for example:

    basic.auth.credentials.source=USER_INFO
    basic.auth.user.info=fred:letmein

Tip

The schema.registry prefixed versions of these properties were deprecated in Confluent Platform 5.0.

  • schema.registry.basic.auth.credentials.source is deprecated.
  • schema.registry.basic.auth.user.info is deprecated.
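The client settings above, together with the earlier note that Basic passes credentials in plain text, can be checked with a small lint. The following Python is an added example, not part of the Confluent documentation: it builds the Authorization header that basic.auth.user.info produces, shows that the header decodes straight back to the credentials, and flags the deprecated property names and a non-HTTPS registry URL. The function names and the host name in the sample are assumptions.

```python
# Added example: lint a Schema Registry client configuration.
import base64

# Constructed sample; the host name is a placeholder.
CLIENT_PROPS = """\
schema.registry.url=http://schema-registry.example.internal:8081
basic.auth.credentials.source=USER_INFO
schema.registry.basic.auth.user.info=fred:letmein
"""

DEPRECATED_PREFIX = "schema.registry."
BASIC_KEYS = ("basic.auth.credentials.source", "basic.auth.user.info")

def parse_props(text):
    """Parse key=value lines of a .properties snippet into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def basic_header(user_info):
    """Build the Authorization header value sent for 'user:password'."""
    return "Basic " + base64.b64encode(user_info.encode("utf-8")).decode("ascii")

def read_header(value):
    """Recover 'user:password' from the header; Base64 is encoding, not encryption."""
    return base64.b64decode(value.split(" ", 1)[1]).decode("utf-8")

def lint(text):
    """Return findings for deprecated property names and cleartext transport."""
    props = parse_props(text)
    findings = []
    for key in BASIC_KEYS:
        if DEPRECATED_PREFIX + key in props:
            findings.append(f"deprecated: rename {DEPRECATED_PREFIX}{key} to {key}")
    user_info = (props.get("basic.auth.user.info")
                 or props.get(DEPRECATED_PREFIX + "basic.auth.user.info"))
    urls = props.get("schema.registry.url", "").split(",")
    if user_info and any(url.strip().startswith("http://") for url in urls):
        findings.append("cleartext: credentials sent over http://, use an https:// URL")
    return findings

if __name__ == "__main__":
    header = basic_header("fred:letmein")
    print(header, "->", read_header(header))
    for finding in lint(CLIENT_PROPS):
        print(finding)
```
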

For more information, see Schema Registry Security Overview.