Control Center Configuration Reference¶
The following settings are available for configuring Control Center.
Important
Do not use double-quotes to wrap character strings in properties files. You can, however, use double-quotes in header values.
Base settings¶
You configure Control Center with a configuration
properties file, which is passed to
Control Center on start. Several sample configuration (.properties) files are provided
with Confluent Control Center, and are provided under the $CONFLUENT_HOME/etc/confluent-control-center
directory.
For a list of sample configuration files, see Control Center Properties File.
bootstrap.servers
A list of host/port pairs to use for establishing the initial connection to the Apache Kafka® cluster. The client will make use of all servers irrespective of which servers are specified here for bootstrapping; this list only impacts the initial hosts used to discover the full set of servers. This list should be in the form
host1:port1,host2:port2,...
. Since these servers are just used for the initial connection to discover the full cluster membership (which could change dynamically), this list need not contain the full set of servers (you may want more than one, though, in case a server is down).- Type: list
- Default: localhost:9092
- Importance: high
confluent.license
Confluent issues an enterprise license key to each subscriber, allowing the subscriber to unlock the full functionality of Control Center. The license key is text that you can copy and paste. Paste the license key as the value for
confluent.license
. You can also manage the license in the Control Center web interface.A trial license allows using for a 30-day trial period. A developer license allows using Control Center and other Confluent Platform proprietary components indefinitely for single-broker development environments. Trial and developer licenses are shipped with Confluent Platform.
See Managing Confluent Platform Licenses in Control Center for more details.
If you are a subscriber, contact Confluent Support for more information about obtaining another valid enterprise license before it expires.
confluent.controlcenter.license
is a deprecated synonym for this configuration key.- Type: string
- Default: “”
- Importance: high
confluent.controlcenter.rest.csrf.prevention.enable
When enabled, uses a token-based system to help prevent Cross-Site Request Forgery (CSRF). CSRF is a malicious exploit that can result in an end user executing unwanted actions on a web application in which they’re currently authenticated. If the target user has an administrative account, CSRF can compromise the entire web application.
- Type: boolean
- Default: false
- Importance: medium
confluent.controlcenter.rest.csrf.prevention.token.expiration.minutes
Sets the CSRF prevention token expiration time, if CSRF prevention is enabled. The default expiration time should be sufficent for most use cases, however you can use this setting to increase or decrease the token expiration interval time if needed.
- Type: int
- Default: 30
- Importance: low
Production Settings¶
In production, you should run Control Center in a cluster that is separate from the Kafka clusters being monitored. Set the following configuration parameters in the Control Center properties file.
confluent.controlcenter.streams.cache.max.bytes.buffering
Maximum number of memory bytes used for record caches across all threads.
Tip
Consider setting this config value proportional to the total num.partitions. Here is an example computation:
- Each per-partition metric is stored as a key-value pair that consists of “topic-string, partition-id, cluster-name”. Control Center compacts the values as four long variables, recording the min, max, count, and total.
- X is the total topic partitions and seven per-partition metrics that Control Center collects.
- Eight threads by default.
The total cache size should be:
X (topic partitions) * 7 (per-partition metrics) * 8 (number of threads) * 150 (average bytes per metric).
For example, with 100000 topic partitions, the cache size should be 820000000 bytes.
- Type:
- Default: 10485760 bytes
- Importance: high
confluent.controlcenter.kafka.<name>.bootstrap.servers
Bootstrap servers for any additional Kafka cluster being monitored. Replace
<name>
with the name Control Center should use to identify this cluster. For example, usingconfluent.controlcenter.kafka.production-nyc.bootstrap.servers
, Control Center will show the additional cluster with the nameproduction-nyc
in the cluster list.- Type: list
- Default: “”
- Importance: high
confluent.controlcenter.kafka.<name>.<connection config>
Any additional connection configuration required to connect to the Kafka cluster identified by
<name>
can be specified using theconfluent.controlcenter.kafka.<name>.
prefix. For example, to specify thesecurity.protocol=SASL_SSL
configuration for the cluster namedproduction-nyc
, addconfluent.controlcenter.kafka.production-nyc.security.protocol=SASL_SSL
to the configuration.- Importance: medium
Tip
If you are configuring a multi-cluster deployment, see also confluent.controlcenter.streams.name.cprest.url.
Logging¶
By default, Control Center outputs its logs to stdout. Logging configuration is
defined in etc/confluent-control-center/log4j.properties
.
Confluent also provides etc/confluent-control-center/log4j-rolling.properties
as an example of setting up Control Center with rolling log
files that are easier to manage. You can select your desired log4j configuration by
setting the CONTROL_CENTER_LOG4J_OPTS
environment variable
when starting Control Center.
Optional settings¶
Confluent allows you to change some other parameters that change how Control Center behaves, such as internal topic names, data file locations, and replication settings. The default values for most of these settings are suitable for production use, but you can change these if needed.
Mode¶
Use this setting to specify the mode that Confluent Control Center starts in.
By default, Control Center starts in Normal mode, meaning all
is specified, and monitoring is enabled.
confluent.controlcenter.mode.enable
Set the mode in which Control Center should be started. Valid values are
all
, meaning Confluent Control Center operates normally, andmanagement
meaning Confluent Control Center uses less infrastructure to operate. In Reduced infrastructure mode, Control Center is used to manage Kafka clusters only and will not display monitoring or metrics information.- Type: string
- Default: all
- Importance: high
General¶
confluent.controlcenter.connect.<connect-cluster-name>.cluster
Comma-separated list of Kafka Connect worker URLs for the Connect cluster specified by
<connect-cluster-name>
.<connect-cluster-name
can be an arbitrary string used to identify individual connect clusters and does not need to correspond to any worker setting. Control Center will connect to a single worker. If a worker fails, Control Center will try the request against a different worker. This must be set if you want to manage a Connect cluster. The URL should include the protocol (HTTP or HTTPS) and its associated port (8083 or 8443 respectively).- Type: list
- Default: “”
- Importance: high
- Example HTTP:
confluent.controlcenter.connect.myconnectclustername.cluster=http://localhost:8083
confluent.controlcenter.connect.healthcheck.endpoint
Provides the default discovery path for connect clusters. If you are using the community version of Confluent Platform, set this property to
/connectors
to display the connect clusters in Control Center.- Type: string
- Default: /v1/metadata/id
- Importance: high
confluent.controlcenter.connect.cluster
Deprecated since Confluent Platform version
6.2
. Comma-separated list of Connect worker URLs within a single cluster. This is deprecated byconfluent.controlcenter.connect.<connect-cluster-name>.cluster
.- Type: list
- Default: “”
- Importance: low
confluent.controlcenter.data.dir
Location for Control Center-specific data. Although the data stored in this directory can be recomputed, doing so is expensive and can affect the availability of Control Center’s stream monitoring functionality. For production, you should set this to a durable, writable, and secure location.
- Type: path
- Default:
/var/lib/confluent-control-center
(control-center-production.properties
) - Default:
/tmp/confluent/control-center
(control-center.properties
,control-center-dev.properties
,control-center-minimal.properties
) - Importance: high
confluent.controlcenter.rest.listeners
Comma-separated list of listeners that listen for API requests over either http or https. If a listener uses https, the appropriate SSL configuration parameters need to be set as well. The first value will be used as a Control Center link in the body of eligible alert emails sent from Control Center. For details, see Alerts history.
- Type: list
- Default:
http://0.0.0.0:9021
- Importance: high
confluent.controlcenter.rest.advertised.url
Externally visible host. Control Center uses this as an override to
rest.listeners
when generating URLs for external communications such as alert emails.- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.rest.access.control.allow.origin
Sets the value for Jetty Access-Control-Allow-Origin header.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.rest.response.http.headers.config
Use to select which HTTP headers are returned in the HTTP response for Confluent Platform components. Specify multiple values in a comma-separated string using the format
[action][header name]:[header value]
where[action]
is one of the following:set
,add
,setDate
, oraddDate
. You must use quotation marks around the header value when the header value contains commas. For example:response.http.headers.config="add Cache-Control: no-cache, no-store, must-revalidate", add X-XSS-Protection: 1; mode=block, add Strict-Transport-Security: max-age=31536000; includeSubDomains, add X-Content-Type-Options: nosniff
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.streams.cprest.url
Defines the REST endpoints for Control Center to enable HTTP servers on the broker(s). A comma-separated list with multiple values can be provided for a multi-broker cluster.
For examples, see Configure Control Center with REST endpoints and advertised listeners, Required Configurations for Control Center, and Self-Balancing Clusters documentation.
- Type: list
- Default:
http://localhost:8090
- Importance: high
To configure multiple clusters, see confluent.controlcenter.kafka.name.cprest.url.
confluent.controlcenter.kafka.<name>.cprest.url
Defines the REST endpoints for any additional Kafka clusters being monitored by Control Center to enable HTTP servers on the broker(s). Replace
<name>
with the name that identifies this cluster. This name should be consistent with the Kafka cluster name used for other Control Center configurations. A comma-separated list with multiple values can be provided for a multi-broker cluster.Note that if the REST API endpoints are secured with TLS/SSL, you must include additional properties in the Confluent Control Center properties file that provide the security information. For more information, see Configure TLS/SSL for Control Center as a server and TLS/SSL settings for web access.
The following example shows REST endpoint settings for three clusters or data centers (dc1, dc2, and dc3):
confluent.controlcenter.streams.cprest.url=https://dc1:8090 confluent.controlcenter.kafka.dc2.cprest.url=https://dc2:8090 confluent.controlcenter.kafka.dc3.cprest.url=https://dc3:8090
- Type: list
- Default: “”
- Importance: high
For an example of configuring the Control Center
cprest.url
specifically for multiple clusters, see Enabling Multi-Cluster Schema Registry.confluent.controlcenter.schema.registry.url
Schema Registry URL. For more information and examples, see the Schema Registry documentation and configuration steps for Enabling Multi-Cluster Schema Registry.
- Type: list
- Default: http://localhost:8081
- Importance: high
confluent.controlcenter.id
Identifier used as a prefix so that multiple instances of Control Center can co-exist.
- Type: string
- Default: “1”
- Importance: low
confluent.controlcenter.name
Control Center Name
- Type: string
- Default: _confluent-controlcenter-7.2.11
- Importance: low
confluent.controlcenter.internal.topics.partitions
Number of partitions used internally by Control Center.
- Type: int
- Default: 12
- Importance: low
confluent.controlcenter.internal.topics.replication
Replication factor used internally by Control Center. It is not recommended to reduce this value except in a development environment.
- Type: int
- Default: 3
- Importance: low
confluent.controlcenter.internal.topics.retention.ms
Maximum time in milliseconds that internal data is stored in Kafka. For more information, see data retention.
- Type: long
- Default: 604800000 (7 days)
- Importance: low
confluent.controlcenter.internal.topics.changelog.segment.bytes
Segment size in bytes for internal changelog topics in Kafka. This must be as small as broker settings
log.cleaner.dedupe.buffer.size
/log.cleaner.threads
to guarantee enough space in the broker’s dedupe buffer for compaction to work.- Type: long
- Default: 134217728
- Importance: low
confluent.metrics.topic
Topic from which metrics data will be read. For multiple instances of Control Center using the same Kafka cluster for monitoring purposes, it may be helpful to use separate metrics and command topics (if each Control Center installation is monitoring different Kafka clusters).
- Type: string
- Default: _confluent-metrics
- Importance: low
confluent.metrics.topic.retention.ms
Maximum time in milliseconds that metrics data is stored in Kafka. For more information, see data retention.
- Type: long
- Default: 259200000 (3 days)
- Importance: low
confluent.metrics.topic.replication
Replication factor for metrics topic. It is not recommended to reduce this value except in a development environment.
- Type: int
- Default: 3
- Importance: low
confluent.metrics.topic.partitions
Partition count for metrics topic.
- Type: int
- Default: 12
- Importance: low
confluent.metrics.topic.skip.backlog.minutes
Skip backlog older than x minutes ago for broker metrics data. Set this to 0 if you want to process from the latest offsets. This config overrides
confluent.controlcenter.streams.consumer.auto.offset.reset
(deprecated) for the metrics input topic.- Type: long
- Default: 15
confluent.controlcenter.disk.skew.warning.min.bytes
Threshold for the max difference in disk usage across all brokers before disk skew warning is published.
- Type: long
- Default: 1073741824
- Importance: low
confluent.controlcenter.max.trigger.events.per.alert.config
The maximum number of trigger events in one alert.
- Type: int
- Default: 1000
- Importance: low
confluent.controlcenter.alert.cluster.down.autocreate
Auto create a trigger and an email action for Control Center’s cluster down alerts. For more information, see Control Center cluster down status.
- Type: boolean
- Default: false
- Importance: low
confluent.controlcenter.alert.cluster.down.to.email
Email to send alerts to when Control Center’s cluster is down.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.alert.cluster.down.to.webhookurl.slack
The Slack webhook URL to post alerts to when Control Center’s cluster is down.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.alert.cluster.down.to.pagerduty.integration.key
The PagerDuty integration key to post alerts to a certain service when Control Center’s cluster is down.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.alert.cluster.down.send.rate
Send rate per hour for auto-created cluster down alerts. Default: 12 times per hour (every 5 minutes).
- Type: int
- Default: 12
- Importance: low
confluent.controlcenter.ui.data.expired.threshold
Configure a threshold (in seconds) before data is considered out of date. Default: 120 seconds (2 minutes).
- Type: int
- Default: 120
- Importance: low
confluent.controlcenter.service.healthcheck.interval.sec
The interval (in seconds) used for checking the health of Confluent Platform nodes. This includes ksqlDB, Connect, Schema Registry, REST Proxy, and Metadata Service (MDS).
- Type: int
- Default: 20
- Importance: low
confluent.controlcenter.request.buffer.size.bytes
Allows adjustment of the RequestBuffer size of HttpClient.
- Type: int
- Default: 10000
- Importance: low
confluent.controlcenter.topic.inspection.max.message.bytes
Maximum size of messages to display on the Messages page for a topic. Messages larger than this value are suppressed and an error (MESSAGE_TOO_BIG_FOR_UI) is shown. Metadata is displayed even if the the message is suppressed.
Large messages can slow down or crash the Messages page.
- Type: long
- Default: 1048576 (1 Mb)
- Importance: low
confluent.controlcenter.one.minute.rollup.topics.retention.ms
The retention period, in milliseconds, for one-minute aggregated metrics topics. Default: 345,600,000 milliseconds (4 days).
To change the default value, append a new value in milliseconds to the property, then increment
confluent.controlcenter.id
and restart Confluent Control Center. For example,confluent.controlcenter.one.minute.rollup.topics.retention.ms=864000000
The minimum retention of roll up is
60000
(one minute).- Type: long
- Default: 345600000
- Importance: low
confluent.controlcenter.three.hour.rollup.topics.retention.ms
The retention period, in milliseconds, for three-hour aggregated metrics topics. Default: 60,566,400,000 milliseconds (701 days).
To change the default value, append the new value in milliseconds to the property, then increment
confluent.controlcenter.id
and restart Confluent Control Center. For example,confluent.controlcenter.three.hour.rollup.topics.retention.ms=864000000
The minimum retention of roll up is
10800000
(three hours).- Type: long
- Default: 60566400000
- Importance: low
Broker UI settings¶
Starting with Confluent Platform version 7.0.0, Control Center uses an embedded REST proxy and as a result provides an updated UI to display broker settings. The new settings UI is enabled by default, but you can revert back to the old view with the following settings:
confluent.controlcenter.embedded.kafkarest.enable
Enables or disables the use of an embedded REST proxy for Control Center, which must be enabled for Confluent Control Center to display the new broker settings UI.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.ui.brokersettings.kafkarest.enable
Enables or disables new broker settings UI. This setting will be forced to false if
confluent.controlcenter.ui.brokersettings.kafkarest.enable
is also false.- Type: boolean
- Default: true
- Importance: low
Monitoring settings¶
These optional settings are for consumption and end-to-end latency monitoring. The default settings work for the majority of use cases and scales.
confluent.monitoring.interceptor.topic
The Kafka topic that stores monitoring interceptor data. This setting must match the
confluent.monitoring.interceptor.topic
configuration used by the interceptors in your application. Usually you should not change this setting unless you are running multiple instances of Control Center with client monitoring interceptor data being reported to the same Kafka cluster.- Type: string
- Default: _confluent-monitoring
- Importance: high
confluent.monitoring.interceptor.topic.partitions
Number of partitions for the monitoring interceptor data topic.
- Type: int
- Default: 12
- Importance: low
confluent.monitoring.interceptor.topic.replication
Replication factor for monitoring topic. It is not recommended to reduce this value except in a development environment.
- Type: int
- Default: 3
- Importance: low
confluent.monitoring.interceptor.topic.retention.ms
Maximum time in milliseconds that interceptor data is stored in Kafka. For more information, see data retention.
- Type: long
- Default: 259200000 (3 days)
- Importance: low
confluent.monitoring.interceptor.topic.skip.backlog.minutes
Skip backlog older than x minutes ago for monitoring interceptor data. Set this to 0 if you want to process from the latest offsets. This config overrides
confluent.controlcenter.streams.consumer.auto.offset.reset
(deprecated) for the monitoring input topic.- Type: long
- Default: 15
- Importance: low
Basic Authentication settings for web access¶
These optional settings allow you to enable and configure authentication for accessing the Control Center web interface. See the UI Authentication guide for more details on configuring authentication.
confluent.controlcenter.rest.authentication.method
Authentication method to use. Available options: NONE, BASIC, BEARER.
Important
When RBAC is enabled in Control Center, the method must be
BEARER
. For more information, see Configure RBAC for Control Center.- Type: string
- Default: NONE
- Importance: low
confluent.controlcenter.rest.authentication.realm
Realm to be used by Control Center when authenticating.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.rest.authentication.roles
Roles that are authenticated to access Control Center.
- Type: string
- Default: *
- Importance: low
confluent.controlcenter.auth.restricted.roles
List of roles with limited read-only access. No editing or creating using the UI. Add topic and Edit Topic Configs options are disabled. Roles added here must also be included in
confluent.controlcenter.rest.authentication.roles
.- Type: list
- Default: “”
- Importance: low
Important
For users with restricted (read-only) roles, the following user interface (UI) features and options are unavailable (hidden):
- Add, delete, pause, or resume connectors
- Browse connectors
- View connector settings
- Upload connector configs
- Create, delete, or edit alerts (triggers or actions)
- Edit a license
- Edit brokers
- Press submit on cluster forms
- Edit, create, or delete schemas
- Edit data flow queries
- Inspect topics
- Type in the KSQL editor
- Run or stop ksqlDB querie
- Add ksqlDB streams or table
Note
For fine-grained access control, consider configuring role-based access control (RBAC).
confluent.controlcenter.auth.session.expiration.ms
Timeout in milliseconds after which a user session will have to be re-authenticated with the authentication service (e.g. LDAP). Defaults to 0, which means authentication is done for every request. Increase this value to avoid calling the LDAP service for each request.
- Type: long
- Default: 0
- Importance: low
TLS/SSL settings for web access¶
Configure the following properties to secure web access (HTTPS) to Control Center with TLS/SSL.
To configure TLS/SSL settings when Control Center acts as a proxy server to other Confluent Platform components, see Configure TLS/SSL for Control Center.
confluent.controlcenter.rest.listeners
Comma-separated list of listeners that listen for API requests over either http or https. If a listener uses https, the appropriate SSL configuration parameters need to be set as well. The first value will be used as a Control Center link in the body of eligible alert emails sent from Control Center. For details, see Alerts history.
- Type: list
- Default:
http://0.0.0.0:9021
- Importance: high
confluent.controlcenter.rest.ssl.keystore.location
Used for HTTPS. Location of the keystore file to use for TLS/SSL.
Important
Jetty requires that the key’s CN stored in the keystore must match the FQDN.
- Type: string
- Default: “”
- Importance: high
confluent.controlcenter.rest.ssl.keystore.password
Used for HTTPS. The store password for the keystore file.
- Type: password
- Default: “”
- Importance: high
confluent.controlcenter.rest.ssl.key.password
Used for HTTPS. The password of the private key in the keystore file.
- Type: password
- Default: “”
- Importance: high
confluent.controlcenter.rest.ssl.truststore.location
Used for HTTPS. Location of the truststore. Required only to authenticate HTTPS clients.
- Type: string
- Default: “”
- Importance: high
confluent.controlcenter.rest.ssl.truststore.password
Used for HTTPS. The store password for the truststore file.
- Type: password
- Default: “”
- Importance: high
confluent.controlcenter.rest.ssl.keystore.type
Used for HTTPS. The type of keystore file.
- Type: string
- Default: JKS
- Importance: medium
confluent.controlcenter.rest.ssl.truststore.type
Used for HTTPS. The type of truststore file.
- Type: string
- Default: JKS
- Importance: medium
confluent.controlcenter.rest.ssl.protocol
Used for HTTPS. The TLS/SSL protocol used to generate the SslContextFactory.
- Type: string
- Default: TLS
- Importance: medium
confluent.controlcenter.rest.ssl.provider
Used for HTTPS. The TLS/SSL security provider name. Leave blank to use the defaults for Jetty.
- Type: string
- Default: “” (Jetty default)
- Importance: medium
confluent.controlcenter.rest.ssl.client.auth
Deprecated. Used for HTTPS. Whether to require the HTTPS client to authenticate using the server’s truststore. This is deprecated by
confluent.controlcenter.rest.ssl.client.authentication
.- Type: boolean
- Default: false
- Importance: medium
confluent.controlcenter.rest.ssl.client.authentication
Used for HTTPS. Valid values: NONE, REQUESTED or REQUIRED. NONE disables TLS/SSL client authentication, REQUESTED requests but doesn’t require TLS/SSL client authentication, and REQUIRED requires HTTPS clients to authenticate using the server’s truststore. This config overrides
confluent.controlcenter.rest.ssl.client.auth
(deprecated).- Type: string
- Default: NONE
- Importance: medium
confluent.controlcenter.rest.ssl.enabled.protocols
Used for HTTPS. The list of protocols enabled for TLS/SSL connections. Comma-separated list. Leave blank to use the Jetty default.
- Type: list
- Default: “” (Jetty default)
- Importance: medium
confluent.controlcenter.rest.ssl.keymanager.algorithm
Used for HTTPS. The algorithm used by the key manager factory for TLS/SSL connections. Leave blank to use the Jetty default.
- Type: string
- Default: “” (Jetty default)
- Importance: low
confluent.controlcenter.rest.ssl.trustmanager.algorithm
Used for HTTPS. The algorithm used by the trust manager factory for TLS/SSL connections. Leave blank to use the Jetty default.
- Type: string
- Default: “” (Jetty default)
- Importance: low
confluent.controlcenter.rest.ssl.cipher.suites
- A comma-separated list of TLS/SSL cipher suites used for HTTPS. Leave blank to use the Jetty default or specify any combination of the following suites:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Using another cipher suite name will cause Confluent Control Center to fail to start. Ciphers listed here are not supported. Do not use them.
- Type: list
- Default: “” (Jetty default)
- Importance: low
confluent.controlcenter.rest.ssl.endpoint.identification.algorithm
Used for HTTPS. The endpoint identification algorithm to validate the server hostname using the server certificate. Leave blank to use the Jetty default.
- Type: string
- Default: https
- Importance: low
confluent.controlcenter.use.default.jvm.truststore
Enable Control Center to fallback to use the default JVM trust store.
- Type: string
- Default: false
- Importance: low
confluent.controlcenter.use.default.os.truststore
Enable Control Center to fallback to use the default operating system trust store.
- Type: string
- Default: false
- Importance: low
Security for Confluent Platform components¶
The following settings control TLS/SSL encryption between Control Center and Confluent Platform components or features. You can also configure Basic authentication for Schema Registry.
You should configure these settings if you have configured your Kafka cluster with these security features. For TLS/SSL, you can choose to configure each component separately, or set a single store.
Streams¶
These settings are the standard Kafka authentication and authorization settings
prefixed with confluent.controlcenter.streams.
.
confluent.controlcenter.streams.security.protocol
Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL.
- Type: string
- Default: PLAINTEXT
- Importance: low
confluent.controlcenter.streams.ssl.keystore.location
The location of the keystore file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.streams.ssl.keystore.password
The store password for the keystore file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.streams.ssl.key.password
The password of the private key in the keystore file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.streams.ssl.truststore.location
The location of the truststore file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.streams.ssl.truststore.password
The password for the truststore file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.streams.sasl.mechanism
SASL mechanism used for client connections. This may be any mechanism for which a security provider is available. GSSAPI is the default mechanism.
- Type: string
- Default: GSSAPI
- Importance: low
confluent.controlcenter.streams.sasl.kerberos.service.name
The Kerberos principal name that Kafka runs as. This can be defined either in Kafka’s JAAS config or in Kafka’s config.
- Type: string
- Default: null
- Importance: low
Schema Registry¶
Specify the following property when Basic Authentication is enabled for Schema Registry.
confluent.controlcenter.schema.registry.basic.auth.credentials.source
Defines how to select the credentials for HTTP Basic Authentication header for a single Schema Registry cluster, or the first Schema Registry in a multi-cluster Schema Registry deployment. The supported values are URL, USER_INFO, and SASL_INHERIT.
- Type: string
- Default: URL
- Importance: medium
Note
Specifying
control.center.schema.registry.basic.auth.credentials.source
, as shown, passesbasic.auth.credentials.source
to the Schema Registry client.confluent.controlcenter.schema.registry.<sr-cluster-name>.basic.auth.credentials.source
Defines how to pick the credentials for HTTP Basic Authentication header on a Schema Registry cluster in a multi-cluster Schema Registry deployment. The supported values are URL, USER_INFO, and SASL_INHERIT.
- Type: string
- Default: URL
- Importance: medium
confluent.controlcenter.schema.registry.basic.auth.user.info
Specifies the user credentials for HTTP Basic Authentication in the form of
{username}:{password}
for a single Schema Registry cluster, or the first Schema Registry cluster in a multi-cluster Schema Registry deployment.- Type: string
- Default: “”
- Importance: medium
confluent.controlcenter.schema.registry.<sr-cluster-name>.basic.auth.user.info
Specifies the user credentials for HTTP Basic Authentication in the form of
<username>:<password>
for Schema Registry clusters in a multi-cluster Schema Registry deployment (associated with the URL fields by<sr-cluster-name>
).- Type: string
- Default: “”
- Importance: medium
Specify the following set of properties when TLS/SSL is enabled for Schema Registry.
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.location
The location of the truststore file for Schema Registry.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.schema.registry.schema.registry.ssl.truststore.password
The password for the truststore file for Schema Registry.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.location
The location of the keystore file for Schema Registry.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.schema.registry.schema.registry.ssl.keystore.password
The store password for the keystore file for Schema Registry.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.schema.registry.schema.registry.ssl.key.password
The password of the private key in the keystore file for Schema Registry.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.schema.registry.schema.registry.alias.name
Specifies an alias for the certificate Schema Registry uses during mTLS. Use the following format to specify
<Certificate-Alias>
as an alias.confluent.controlcenter.schema.registry.schema.registry.alias.name=<Certificate-Alias>
If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.
- Type: string
- Default: “”
- Importance: low
Connect¶
Specify the following property when Basic Authentication is enabled for Connect.
confluent.controlcenter.connect.<connect-cluster-name>.basic.auth.user.info
Specifies the user credentials for HTTP Basic Authentication in the form of
<username>:<password>
for connectors. (associated with the URL fields by<connect-cluster-name>
.- Type: string
- Default: “”
- Importance: medium
Specify the following set of properties when TLS/SSL is enabled for Connect.
confluent.controlcenter.connect.connect.ssl.truststore.location
The location of the truststore file for Connect.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.connect.connect.ssl.truststore.password
The stored password for the truststore for Connect.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.connect.connect.ssl.keystore.location
The location of the keystore file for Connect.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.connect.connect.ssl.keystore.password
The store password for the keystore file for Connect.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.connect.connect.ssl.key.password
The password of the private key in the keystore file for Connect.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.connect.connect.alias.name
Specifies an alias for the certificate Connect uses during mTLS. Use the following format to specify
<Certificate-Alias>
as an alias.confluent.controlcenter.connect.connect.alias.name=<Certificate-Alias>
If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.
- Type: string
- Default: “”
- Importance: low
ksqlDB¶
Specify the following property when Basic Authentication is enabled for ksqlDB.
confluent.controlcenter.ksql.<ksql-cluster-name>.basic.auth.user.info
Specifies the user credentials for HTTP Basic Authentication in the form of
<username>:<password>
for ksqlDB clusters associated with the URL fields by<ksqldb-cluster-name>
.- Type: string
- Default: “”
- Importance: medium
Specify the following set of properties when TLS/SSL is enabled for ksqlDB.
confluent.controlcenter.ksql.ksql.ssl.truststore.location
The location of the truststore file for ksqlDB.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.ksql.ksql.ssl.truststore.password
The stored password for the truststore file for ksqlDB.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.ksql.ksql.ssl.keystore.location
The location of the keystore file for ksqlDB.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.ksql.ksql.ssl.keystore.password
The stored password for the keystore file for ksqlDB.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.ksql.ksql.ssl.key.password
The password of the private key in the keystore file for ksqlDB.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.ksql.ksql.alias.name
Specifies an alias for the certificate ksqlDB uses during mTLS. Use the following format to specify
<Certificate-Alias>
as an alias.confluent.controlcenter.ksql.ksql.alias.name=<Certificate-Alias>
If you have multiple trustStores, each certificate should have a unique alias, even if you are using the same certificate for multiple connections.
- Type: string
- Default: “”
- Importance: low
Single proxy server store¶
Instead of specifying TLS/SSL settings for each component, you can specify that Confluent Control Center use a single proxy server truststore and keystore that contain all the TLS/SSL settings for all the components.
confluent.controlcenter.rest.proxy.ssl.truststore.location
The location of the the truststore file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.rest.proxy.ssl.truststore.password
The stored password for the truststore file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.rest.proxy.ssl.keystore.location
The location of the keystore file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.rest.proxy.ssl.keystore.password
The stored password for the password file.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.rest.proxy.ssl.key.password
The password of the private key in the keystore file.
- Type: string
- Default: “”
- Importance: low
RBAC settings¶
Metadata Service (MDS) and other settings required for implementing RBAC in Control Center. For a complete configuration example of essential settings, see Configure RBAC for Control Center.
confluent.metadata.bootstrap.server.urls
A comma-separated list of valid URLs that specify where the RBAC metadata server or servers can be reached. This configuration is required to run Control Center inside an RBAC environment.
- Type: long
- Default: 0
- Importance: low
confluent.metadata.basic.auth.user.info
Formatted as
USERNAME:PASSWORD
, the credentials of an RBAC user for Control Center to act on behalf of. This includes running Kafka Streams, authorizing requests, and interacting with other Confluent Platform services. This configuration is required to run Control Center inside an RBAC environment.- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.auth.bearer.issuer
JWT token issuer.
- Type: string
- Default: “”
- Importance: low
public.key.path
Path to public key for authenticating JWT tokens.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.auth.bearer.roles.claim
JWT roles claim.
- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.auth.bearer.token.max.lifetime.ms
Bearer token issued during login cannot renew itself beyond this duration. The maximum value: 86400000 (24 hours). If you set this to more than 24 hours, the system overrides your setting and uses 24 hours.
- Type: long
- Default: “”
- Importance: low
Cluster Registry settings¶
Version 6.0.1 of Confluent Platform and later includes the option to enable the Cluster Registry for Control Center, which creates a more user-friendly RBAC role binding experience and enables centralized audit logging.
confluent.metadata.cluster.registry.enable
The value for this flag is True if the cluster registry is enabled. When enabled, cluster information will be read from the cluster registry.
- Type: boolean
- Default: false
Note
If this feature flag is enabled, the following flags will be ignored:
confluent.controlcenter.kafka.<name>.bootstrap.servers
confluent.controlcenter.kafka.<name>.<connection config>
An exception to this rule occurs when you need to specify additional flags, such as
confluent.controlcenter.kafka.<name>.ssl.keystore.location
.confluent.metadata.cluster.registry.merge.configuration.enable
When enabled, the configuration information for Kafka clusters in the properties file is merged with the one from cluster registry. This enables users to configure additional properties that cannot be added to cluster registry (for example,
confluent.controlcenter.kafka.<name>.ssl.keystore.location
).- Type: boolean
- Default: true
confluent.controlcenter.purge.stale.cluster.enable
When enabled, Control Center will purge stale cluster information from the command store.
- Type: boolean
- Default: false
Email settings¶
These optional settings control the SMTP server and account used when an alerts triggers the email action.
Important
The body of the email alert is populated with the first hostname
specified in the confluent.controlcenter.rest.listeners
property. The default value is localhost:9021
.
confluent.controlcenter.mail.enabled
Enable email alerts. If this setting is false, you cannot add email alert actions in the web user interface.
- Type: boolean
- Default: false
- Importance: low
confluent.controlcenter.mail.host.name
Hostname of outgoing SMTP server.
- Type: string
- Default: localhost
- Importance: low
confluent.controlcenter.mail.port
SMTP port open on
confluent.controlcenter.mail.host.name
.- Type: int
- Default: 587
- Importance: low
confluent.controlcenter.mail.ssl.checkserveridentity
Forces the use of SSL and validation of the server’s certificate. Enabling this flag causes Control Center to use the port set by
confluent.controlcenter.mail.ssl.port
instead ofconfluent.controlcenter.mail.port
.- Type: boolean
- Default: false
- Importance: low
confluent.controlcenter.mail.ssl.port
SSL-specific SMTP port to open on
confluent.controlcenter.mail.host.name
. Settingconfluent.controlcenter.mail.ssl.checkserveridentity
totrue
forces the use of this port and not theconfluent.controlcenter.mail.port
.- Type: int
- Default: 465
- Importance: low
confluent.controlcenter.mail.from
The originating address for emails sent from Control Center.
- Type: string
- Default: c3@confluent.io
- Importance: low
confluent.controlcenter.mail.bounce.address
Override for
confluent.controlcenter.mail.from
config to send message bounce notifications.- Type: string
- Importance: low
confluent.controlcenter.mail.starttls.required
Forces using STARTTLS.
- Type: boolean
- Default: false
- Importance: low
confluent.controlcenter.mail.username
Username for username/password authentication. Authentication with your SMTP server only performs if this value is set.
- Type: string
- Importance: low
confluent.controlcenter.mail.password
Password for username/password authentication.
- Type: string
- Importance: low
Webhook settings¶
confluent.controlcenter.webhook.enabled
Enable supported webhook alerts. If this setting is false, you cannot add webhook alert actions in the web user interface.
- Type: boolean
- Default: true
- Importance: low
Feature settings¶
These settings enable Confluent Control Center features such as message inspection, broker configurations, license manager, ksqlDB Overview, and Schema Registry. They apply to all clusters managed by the current Control Center installation. Most features are enabled by default except the deprecated views for legacy System Health and Streams Monitoring.
confluent.controlcenter.topic.inspection.enable
Enable users to inspect topics.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.broker.config.edit.enable
Enable user access to Edit dynamic cluster configuration settings.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.license.manager.enable
Enable License Manager in Control Center.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.consumers.view.enable
Enable the Consumers view in Control Center.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.ksql.enable
Enable user access to the ksqlDB GUI.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.schema.registry.enable
Enable user access to Manage Schemas for Topics in Control Center.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.ui.autoupdate.enable
Enable auto updating the Control Center UI.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.usage.data.collection.enable
Data collection is disabled, and this property has no effect regardless of its value. Enable or disable data collection in Control Center.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.ui.replicator.monitoring.enable
Enable Replicator monitoring in the Control Center UI.
- Type: boolean
- Default: true
- Importance: low
confluent.controlcenter.ui.controller.chart.enable
Enable the Active Controller chart to display within the Broker uptime panel in the Control Center UI.
- Type: boolean
- Default: false
- Importance: low
ksqlDB settings¶
You can use Control Center to interact with ksqlDB Server, which runs separately from your Kafka clusters. For access control configuration related to ksqlDB, see Feature settings.
confluent.controlcenter.ksql.<ksql-cluster-name>.advertised.url
Comma-separated list of advertised URLs to access the ksqlDB cluster on Control Center. Replace
<ksql-cluster-name>
with the name Control Center should use to identify this ksqlDB cluster. By default, this is set to the value specified inconfluent.controlcenter.ksql.<ksql-cluster-name>.url
. These hostnames must be reachable from any browser that will use the ksqlDB web interface in Control Center.For example, if ksqlDB is communicating over an internal DNS that is not externally resolvable or routeable (for example, if running in Docker for Mac), then the advertised URL must be set so that the browser can resolve the externally available DNS that ksqlDB is available at. For more information, see Integrate ksqlDB with Confluent Control Center.
- Type: list
- Default: “”
- Importance: low
confluent.controlcenter.ksql.<ksql-cluster-name>.url
Comma-separated list of the ksqlDB server hostnames and listener ports for the ksqlDB cluster specified by
<ksql-cluster-name>
. By default, this is empty. These hostnames must be reachable from the machine Control Center is installed on. For more information, see Integrate ksqlDB with Confluent Control Center.- Type: list
- Default: “”
- Importance: low
confluent.controlcenter.ksql.advertised.url
Deprecated. The advertised URL to access the ksqlDB cluster on Control Center. By default, this is set to the value specified in
confluent.controlcenter.ksql.url
.- Type: string
- Default: “”
- Importance: low
confluent.controlcenter.ksql.url
Deprecated. The ksqlDB server hostname and listener port. This is deprecated by
confluent.controlcenter.ksql.<ksql-cluster-name>.url
. If this deprecated configuration is supplied, then Control Center will ignore any named ksqlDB configurations.- Type: string
- Default: “”
- Importance: low
Internal Kafka Streams settings¶
Because Control Center reads and writes data to Kafka, you are allowed to change some producer and consumer configurations.
Caution
Changing these values is not recommended unless advised by Confluent Support.
Some examples of values used internally are
given. These settings map 1:1 with producer/consumer configs used internally by
Control Center and all use the
prefix confluent.controlcenter.streams.{producer,consumer}.
.
confluent.controlcenter.streams.num.stream.threads
The number of threads to execute stream processing.
- Type: int
- Default: 12
- Importance: low
confluent.controlcenter.streams.producer.compression.type
Compression type to use on internal topic production.
- Type: string
- Default: lz4
- Importance: low
confluent.controlcenter.streams.producer.retries
Number of retries in case of production failure.
- Type: int
- Default: maximum integer (effectively infinite)
- Importance: low
confluent.controlcenter.streams.producer.retry.backoff.ms
Time to wait before retrying in case of production failure.
- Type: long
- Default: 100
- Importance: low
confluent.controlcenter.streams.retries
- Deprecated. Number of times to retry client requests failing with transient errors.
This is deprecated and replaced by
confluent.controlcenter.streams.task.timeout.ms
. Does not apply to producer retries, which are defined using theconfluent.controlcenter.streams.producer.retries
setting. confluent.controlcenter.streams.task.timeout.ms
The maximum amount of time, in milliseconds, a task will wait due to internal errors and retry the task before an external error is raised. Replaces the deprecated
confluent.controlcenter.streams.retries
setting. If the timeout value set to 0 ms, a task would raise an external error when the first internal error occurs. For any timeout value larger than 0 ms, a task retries at least once before an error is raised.- Type: int
- Default: 0
- Importance: medium
Internal Command settings¶
The command topic is used to store internal configuration data for Control Center.
Note
For multiple instances of Control Center using the same Kafka cluster for monitoring purposes, it may be helpful to use separate metrics and command topics (if each Control Center installation is monitoring different Kafka clusters).
The command topic reuses the defaults/overrides for Kafka Streams, but allows the following overrides.
confluent.controlcenter.command.topic
Topic used to store Control Center configuration.
- Type: string
- Default: _confluent-command
- Importance: low
confluent.controlcenter.command.topic.replication
Replication factor for command topic.
Important
Reducing the replication value is not recommended, except in a development environment.
- Type: int
- Default: 3
- Importance: low
confluent.controlcenter.command.topic.retention.ms
Maximum time in milliseconds that command data is stored in Kafka. For more information, see data retention.
- Type: long
- Default: 86400000 (1 day)
- Importance: low
Consumer Group settings¶
If you find that the Consumer Group page is not returning data, you can change the timeout value for the page. The default value is 15 seconds (or 15000 milliseconds); try increasing the value to 30 seconds (30000 milliseconds) if you are having timeout issues.
confluent.controlcenter.consumer.metadata.timeout.ms
Time to wait when attempting to retrieve Consumer Group metadata.
- Type: int
- Default: 15000
- Importance: low