Configure Authentication for Confluent Manager for Apache Flink
Flink applications are deployed in Confluent Platform with Confluent Manager for Apache Flink® (CMF), a central management component that enables users to securely manage a fleet of Flink jobs across multiple environments.
By default, CMF installs with authentication disabled; you must enable it explicitly. This topic describes how to configure authentication for CMF.
CMF supports mutual TLS (mTLS) authentication and OAuth authentication only.
Understanding SSL configuration in CMF
CMF uses SSL/TLS in two independent contexts. These are configured separately and do not share any settings:
cmf.ssl.* (server SSL/TLS)
Configures HTTPS for incoming client connections to the CMF server. These settings map to Spring Boot server.ssl.* properties and control the server's keystore, truststore, and client certificate requirements. They do not affect outbound connections from CMF.
confluent.metadata.ssl.* (CMF-to-MDS SSL)
Configures how CMF connects to the Confluent Platform Metadata Service (MDS) over HTTPS. These settings are part of the authorization configuration under cmf.authorization.mdsRestConfig.authentication.config and are completely separate from the server SSL settings. For details, see Configure Authorization for Confluent Manager for Apache Flink.
cmf.authentication.* (client authentication)
Configures how CMF identifies the client principal from incoming requests. For mTLS, this extracts the principal from the client certificate. For OAuth, this validates the bearer token. Authentication is independent of the transport-level SSL configuration.
mTLS authentication
mTLS provides two-way authentication to ensure that traffic between clients and the CMF node is secure, and that content from both directions can be trusted. For a review of mTLS and RBAC terminology, see Terminology.
Example
The following configuration file shows how to provision Confluent Manager for Apache Flink with a keystore and truststore to specify mTLS for all communication. It also shows how to configure a mounted volume to store certificates. You pass the configuration file to Helm when you install CMF.
# mtls-values.yaml
cmf:
  # Server SSL/TLS: Configures HTTPS for incoming client connections to CMF.
  # These settings map to Spring Boot server.ssl.* properties.
  ssl:
    keystore: /store/my-keystore
    keystore-password: # Optional: set if the keystore is password protected
    trust-store: /store/my-trust-store
    trust-store-password: # Optional: set if the truststore is password protected
    client-auth: need # require clients to present a valid certificate
  # Authentication: Configures how CMF identifies the client principal
  # from the client certificate presented during the mTLS handshake.
  authentication:
    type: mtls
    config:
      auth.ssl.principal.mapping.rules: # Optional: rules to extract a specific principal from the certificate; see https://docs.confluent.io/platform/current/security/authentication/mutual-tls/tls-principal-mapping.html
# Example of mounting the certificate stores into your installation
mountedVolumes:
  volumes:
    - name: certificates
      azureFile:
        secretName: azure-secret
        shareName: aksshare
        readOnly: true
  volumeMounts:
    - name: certificates
      mountPath: /store
When you run helm install (or helm upgrade --install, as below), use the -f flag to pass the YAML file that contains the security settings:
helm upgrade --install cmf confluentinc/confluent-manager-for-apache-flink \
-f mtls-values.yaml
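The auth.ssl.principal.mapping.rules setting decides which name CMF derives from the subject DN of the client certificate, and that name is what authorization later sees. The following Python is an added example, not code from this page or from Confluent: it evaluates a rule list written in the Kafka-style grammar the linked principal-mapping page describes (comma-separated RULE:<regex>/<replacement>/[L|U] entries, optionally ending in DEFAULT). That CMF accepts exactly this grammar is an assumption, and the rules and DNs below are constructed for the demo.

```python
import re

# Constructed rule list in the Kafka-style grammar: comma-separated
# "RULE:<regex>/<replacement>/[L|U]" entries, optionally ending in "DEFAULT".
# Whether CMF's auth.ssl.principal.mapping.rules accepts exactly this grammar is an assumption.
SAMPLE_RULES = (
    "RULE:^CN=([^,]+),OU=Flink,.*$/$1/L,"
    "RULE:^CN=([^,]+),OU=([^,]+),.*$/$2-$1/,"
    "DEFAULT"
)

# One entry: DEFAULT, or RULE:<pattern>/<replacement>/<flag>. The pattern may contain
# commas (DN separators) but not whitespace or '/', which is what keeps entries separable.
_ENTRY = re.compile(r"\s*(DEFAULT|RULE:([^\s/]+)/(.*?)/([LU]?))\s*(?:,|$)")


def parse_rules(spec):
    """Parse a rule string into a list; each item is (regex, replacement, flag) or None for DEFAULT."""
    rules, pos = [], 0
    while pos < len(spec):
        m = _ENTRY.match(spec, pos)
        if not m:
            raise ValueError(f"invalid mapping rule at offset {pos}: {spec[pos:]!r}")
        if m.group(1) == "DEFAULT":
            rules.append(None)
        else:
            # Translate Java-style $1 group references into the \1 form Match.expand() uses.
            replacement = re.sub(r"\$(\d+)", r"\\\1", m.group(3))
            rules.append((re.compile(m.group(2)), replacement, m.group(4)))
        pos = m.end()
    return rules


def map_principal(dn, rules):
    """Return the principal for a certificate subject DN using the first matching rule."""
    for rule in rules:
        if rule is None:
            return dn  # DEFAULT: the whole DN becomes the principal
        regex, replacement, flag = rule
        m = regex.fullmatch(dn)
        if m is None:
            continue
        principal = m.expand(replacement)
        if flag == "L":
            principal = principal.lower()
        elif flag == "U":
            principal = principal.upper()
        return principal
    # Without a DEFAULT entry an unmatched DN yields no principal, so the request should be rejected.
    raise ValueError(f"no mapping rule matches {dn!r}")


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for dn in (
        "CN=Flink-Deployer,OU=Flink,O=Example,C=US",   # first rule, lower-cased
        "CN=alice,OU=Platform,O=Example,C=US",         # second rule, "<OU>-<CN>"
        "O=Example,C=US",                              # no CN: falls through to DEFAULT
    ):
        print(f"{dn!r:50} -> {map_principal(dn, rules)!r}")
```

Leaving out the trailing DEFAULT turns the rule list into an allowlist: a certificate whose DN matches no rule gets no principal at all, which is usually the safer choice for a management endpoint than mapping unknown DNs verbatim.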
OAuth authentication
Note
OAuth is available starting with Confluent Platform version 7.9, but only with REST APIs. It is NOT available with the Confluent CLI or the Confluent for Kubernetes operator.
Starting with Confluent Platform version 7.9, the CMF server can be configured for Open Authentication (OAuth) to secure its services.
Example
The following configuration file shows how to provision Confluent Manager for Apache Flink with OAuth authentication.
# oauth-values.yaml
cmf:
  # Optional: Uncomment to enable HTTPS for incoming client connections
  # to the CMF server. This is independent of OAuth authentication.
  # ssl:
  #   keystore: /store/my-keystore
  #   keystore-password: # password if the keystore is password protected
  #   trust-store: /store/my-trust-store
  #   trust-store-password: # password if the truststore is password protected
  # Authentication: Configures how CMF validates OAuth bearer tokens
  # from incoming client requests.
  authentication:
    type: oauth
    config:
      # OAuth token validation settings
      oauthbearer.jwks.endpoint.url: <jwks-endpoint-url>
      token.issuer: Confluent
      oauthbearer.expected.issuer: <idp-issuer-url>
      oauthbearer.sub.claim.name: <sub-claim-name>
      oauthbearer.groups.claim.name: <groups-claim-name>
      oauthbearer.expected.audience: <audience>
      # MDS connectivity settings for authorization and token validation.
      # These configure how CMF connects to the Metadata Service (MDS).
      public.key.path: /path/to/metadata-public-key
      confluent.metadata.bootstrap.server.urls: <mds-url>:<mds-port>
      confluent.metadata.http.auth.credentials.provider: OAUTHBEARER
      confluent.metadata.oauthbearer.token.endpoint.url: <idp-token-url>
      confluent.metadata.oauthbearer.login.client.id: <client-id-for-cmf>
      confluent.metadata.oauthbearer.login.client.secret: <client-secret-for-cmf>
      # Required when MDS uses HTTPS: truststore to trust the MDS
      # server certificate.
      confluent.metadata.ssl.truststore.location: /path/to/mds-truststore
      confluent.metadata.ssl.truststore.password: <truststore-password>
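To make concrete which check each oauthbearer.* key in the configuration above governs, here is an added Python example; it is not CMF's code and does not reproduce its implementation. It verifies a bearer token's signature, expiry, issuer (oauthbearer.expected.issuer), audience (oauthbearer.expected.audience), and the configurable subject and groups claim names (oauthbearer.sub.claim.name, oauthbearer.groups.claim.name). To stay offline and stdlib-only it signs with an HS256 shared secret constructed inline, in place of the asymmetric keys CMF fetches from oauthbearer.jwks.endpoint.url; the issuer URL, audience, secret and claims are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration mirroring the page's oauthbearer.* keys; all values are placeholders.
CONFIG = {
    "oauthbearer.expected.issuer": "https://idp.example.com/",
    "oauthbearer.expected.audience": "cmf",
    "oauthbearer.sub.claim.name": "sub",
    "oauthbearer.groups.claim.name": "groups",
}

# Constructed HS256 secret. It stands in for the keys CMF would fetch from
# oauthbearer.jwks.endpoint.url; a shared secret is used only to keep the example offline.
SECRET = b"constructed-demo-secret-do-not-reuse"


class TokenRejected(Exception):
    """Raised with the reason a bearer token fails validation."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=SECRET, alg="HS256"):
    """Build a compact JWT (header.payload.signature) as the demo IdP would. The alg
    parameter only labels the header, so a token claiming another algorithm can be tested."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token, config=CONFIG, secret=SECRET, now=None):
    """Return (principal, groups) if the token passes every check the config describes."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad splitting, bad base64 and bad JSON
        raise TokenRejected(f"malformed token: {exc}")
    # Pin the algorithm: the token's own header must never select "none" or another scheme.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("signature verification failed")
    # Only now is the payload trusted enough to parse.
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise TokenRejected("token expired or missing exp")
    # oauthbearer.expected.issuer: exact match on iss
    if claims.get("iss") != config["oauthbearer.expected.issuer"]:
        raise TokenRejected(f"issuer {claims.get('iss')!r} is not trusted")
    # oauthbearer.expected.audience: aud may be a single string or a list
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if config["oauthbearer.expected.audience"] not in audiences:
        raise TokenRejected("token was not issued for this audience")
    # oauthbearer.sub.claim.name / oauthbearer.groups.claim.name select the claims used
    sub_claim = config["oauthbearer.sub.claim.name"]
    if not claims.get(sub_claim):
        raise TokenRejected(f"missing principal claim {sub_claim!r}")
    groups = claims.get(config["oauthbearer.groups.claim.name"]) or []
    return claims[sub_claim], list(groups)


if __name__ == "__main__":
    demo = mint_token({
        "iss": CONFIG["oauthbearer.expected.issuer"], "aud": "cmf",
        "sub": "alice", "groups": ["flink-admins"], "exp": int(time.time()) + 300,
    })
    print(validate_token(demo))
```

The order of the checks matters: the signature is verified before any claim is read, so a forged or tampered payload is rejected without being parsed, and the algorithm is pinned by the validator rather than taken from the token. Changing oauthbearer.sub.claim.name to, say, preferred_username only changes which claim becomes the principal; every other check stays the same.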