Configure HTTP Basic Authentication with Control Center
HTTP Basic authentication is a simple way to implement access control. You can configure Confluent Control Center UI access control using HTTP Basic authentication. This authenticates users’ access to Control Center.
Note: For more sophisticated access control, see Configure Role-based Access Control for Control Center.
Enable Basic authentication for Control Center
You can require a user to log in to Control Center by configuring HTTP Basic authentication using Java Authentication and Authorization Service (JAAS). JAAS provides a pluggable model, with details specified at runtime. For details on all configuration options, see UI authentication settings.
To configure Control Center authentication:
1. Specify the following options in the appropriate Control Center property file. Use confluent.controlcenter.rest.authentication.roles and confluent.controlcenter.auth.restricted.roles to create groups of users: either administrators, who have full read and write access, or restricted users, who have only read access.

   Specify values for confluent.controlcenter.rest.authentication.roles in the following format: <administrator_group_name>,<restricted_group_name>

   The restricted value is the name of your restricted group: confluent.controlcenter.auth.restricted.roles is <restricted_group_name>.

       confluent.controlcenter.rest.authentication.method=BASIC
       confluent.controlcenter.rest.authentication.realm=c3
       confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
       confluent.controlcenter.auth.restricted.roles=Restricted
       confluent.controlcenter.auth.session.expiration.ms=600000

2. Create a JAAS file (propertyfile.jaas) similar to the following. In the file, you specify the authentication realm as Control Center (c3), and provide the name of the password file that will contain the Control Center users and passwords.

       c3 {
         org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
         file="/path/to/password.properties";
       };

3. Your password file, password.properties, should look similar to the following, specifying a username followed by a password and that user's group, either the administrative group or the restricted group.

   Note: A user with membership in multiple groups is granted only the most restrictive permissions. For example, if a user is a member of two groups, admin and readonly, and readonly is a restricted role, then the user is granted only the rights for the readonly group.

       admin: <admin-password>,<administrator_group_name>
       bob: <bob-password>,<administrator_group_name>
       alice: <alice-password>,<your_restricted_group>

4. Start Control Center, passing in an argument to use the JAAS configuration, and specify the properties file that contains the HTTP Basic authentication settings:

       CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/propertyfile.jaas" \
       control-center-start ./etc/confluent-control-center/control-center.properties
When a user accesses Control Center, they are prompted for sign-in credentials.

For this example, logging in as bob:<bob_password> provides read and write access. Logging in as alice:<alice_password> provides read-only access.
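The role settings and the multiple-group rule described above can be checked before Control Center is started. The following is an added example, not code from the Confluent documentation: it parses the two files and reports each user's effective access. The function names, the "unlisted-group" label, and the sample users carol and dave are assumptions made for illustration.

```python
# Added example, not Confluent code. Sample data at the bottom is constructed.

def _lines(text):
    # Stripped lines, without blanks and '#' comments.
    return [s for s in map(str.strip, text.splitlines()) if s and not s.startswith("#")]

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def parse_properties(text):
    """Parse key=value settings from a Control Center properties file."""
    return dict(map(str.strip, s.split("=", 1)) for s in _lines(text) if "=" in s)

def parse_users(text):
    """Parse 'user: password,group[,group...]' into {user: set_of_groups}."""
    users = {}
    for line in _lines(text):
        name, sep, rest = line.partition(":")
        if sep:
            # The first field is the password; it is dropped, never returned.
            users[name.strip()] = _csv(rest.partition(",")[2])
    return users

def audit(props_text, users_text):
    """Return {user: 'read-write' | 'read-only' | 'unlisted-group'}."""
    props = parse_properties(props_text)
    allowed = _csv(props.get("confluent.controlcenter.rest.authentication.roles", ""))
    restricted = _csv(props.get("confluent.controlcenter.auth.restricted.roles", ""))
    result = {}
    for user, groups in parse_users(users_text).items():
        if not groups & allowed:
            result[user] = "unlisted-group"  # no group named in the roles setting
        else:  # the most restrictive membership wins
            result[user] = "read-only" if groups & restricted else "read-write"
    return result

SAMPLE_PROPS = """\
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted
"""
SAMPLE_USERS = """\
bob: placeholder-1,Administrators
alice: placeholder-2,Restricted
carol: placeholder-3,Administrators,Restricted
dave: placeholder-4,Operators
"""

if __name__ == "__main__":
    for user, access in sorted(audit(SAMPLE_PROPS, SAMPLE_USERS).items()):
        print(f"{user}: {access}")
```

A user reported as "unlisted-group" belongs to no group named in confluent.controlcenter.rest.authentication.roles, which usually points to a typo in the group name in one of the two files.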
Restricted users
For users with restricted (read-only) roles, the following user interface (UI) features and options are unavailable/hidden:
- Upload Connect configs
- Browse connectors
- Add, delete, pause, or resume connectors
- View connectors settings
- Create, delete, or edit alerts (triggers or actions)
- Edit licenses
- Edit brokers
- Press submit on cluster forms
- Edit, create, or delete schemas
- Inspect topics
- Run or stop ksqlDB queries
- Type in the ksqlDB editor
- Add ksqlDB streams or tables