Configure Control Center to work with Kafka ACLs¶
Before attempting to create and use Access Control Lists (ACLs), you should familiarize yourself with ACL concepts. Doing so can help you avoid common pitfalls that can occur when creating and using ACLs to manage access to components and cluster data.
Standard Apache Kafka® authorization and encryption options are available for control center and interceptors.
Note
Only export PRINCIPAL
if you have already defined the JAAS properties or
user certificates. Also, you must create the Kafka ACLs before starting Control Center.
You must then configure Control Center to authenticate to Kafka as the principal
that is specified for the ACL.
Use the following script to create the ACLs that are required by Control Center to operate on an authorized cluster. The script creates ACLs on specific topics and consumer groups, and grants permission to the user identified here as the principal. You must run this script before you start Control Center:
export PRINCIPAL=User:username
export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=<path-to-kafka-jaas.conf>"
bin/control-center-set-acls config/control-center.properties
Important
The principal specified above is the Kafka user, the same as specified in Kafka Broker.
For each Kafka topic that Confluent Control Center creates, ACLs are created to grant the specified principal the following privileges:
- CREATE
- WRITE
- DESCRIBE
- DESCRIBE_CONFIGS
- READ
The following ACLs are created to grant the specified principal privileges for the consumer group related to the Confluent Control Center Streams application:
- READ
ACLs granting the following privileges are also created for the cluster:
- DESCRIBE
- DESCRIBE_CONFIGS
You must export a Control Center JAAS configuration before starting Control Center.
export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=<path-to-c3-jaas.conf>'
bin/control-center-start config/control-center.properties
Deleting Control Center ACLs¶
There may be instances where you execute control-center-set-acls
with the wrong
Control Center principal. To revert this action, run the script again using the
--delete
option. This deletes Control Center ACLs only for the same topics
and consumer groups in which the principal was originally specified.
To delete a Control Center ACL:
export PRINCIPAL=User:username
export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/<path-to-kafka-jaas.conf>"
bin/control-center-set-acls config/control-center.properties --delete