Configure Control Center with LDAP authentication on Confluent Platform¶
Control Center provides HTTP Basic authentication through JAAS.
The following tutorial describes the steps necessary to enable HTTP Basic authentication backed by LDAP. This includes but is not limited to the Active Directory (AD) LDAP implementation.
Escaping special characters¶
Important
Escape any restricted LDAP characters. For best results, avoid characters that require escaping. Follow Best Practices for LDAP Naming Attributes.
Character | Description |
---|---|
, |
Comma [1] |
\ |
Backslash |
# |
Pound (hash) [2] |
+ |
Plus sign |
= |
Equals sign |
< |
Less than |
> |
Greater than |
; |
Semi-colon |
'' |
Double quote |
Spaces [3] |
[1] | Requires escaping with a double backslash or \5c . See RFC 2254. |
[2] | You only need to escape pound (hash) # if it occurs at the beginning of a string. |
[3] | Leading or trailing spaces must be escaped. Embedded spaces are not escaped. |
Configure Control Center JAAS¶
Create a JAAS configuration file with the following content and save as
control-center-jaas.conf
.Note
Do not enter any commented lines within the JAAS configuration file. The
#
character is not allowed. Comments in the JAAS file interfere with parsing the configuration parameters when running Control Center.c3 { org.eclipse.jetty.jaas.spi.LdapLoginModule required useLdaps="false" contextFactory="com.sun.jndi.ldap.LdapCtxFactory" hostname="ad.confluent.io" port="389" bindDn="cn=admin,dc=confluent,dc=io" bindPassword="password" authenticationMethod="simple" forceBindingLogin="true" userBaseDn="ou=People,dc=confluent,dc=io" userRdnAttribute="sAMAccountName" userIdAttribute="sAMAccountName" userPasswordAttribute="userPassword" userObjectClass="user" roleBaseDn="ou=Groups,DC=confluent,DC=org" roleNameAttribute="cn" roleMemberAttribute="member" roleObjectClass="group"; };
Important
If the
bindDn
,userBaseDn
, orroleBaseDn
contains special characters, escape them with a backslash. The comma character is designated by the LDAP filter specification as a reserved separator character forCN
andOU
. AnyCN
orOU
that contains a comma,
character needs to be escaped with a double backslash in the LDAP JAAS configuration file. For example,"CN=adminstrator, firstclass,
is escaped as follows:"CN=administrator\\, firstclass,OU=users,DC=confluent,DC=io"
. For further discussion about LDAP filtering and escaping, refer to this Stack Overflow article.Add these configuration options to the Control Center configuration file (
control-center.properties
).1 # The name of the configuration block in the JAAS configuration 2 confluent.controlcenter.rest.authentication.realm=c3 3 # HTTP authentication type 4 confluent.controlcenter.rest.authentication.method=BASIC 5 # To enabled restricted access, add this line 6 confluent.controlcenter.auth.restricted.roles=RestrictedGroupName 7 # Add roles defined in the JAAS configuration file here 8 confluent.controlcenter.rest.authentication.roles=c3users,RestrictedGroupName
Be aware that Control Center allows restricted access as shown above in lines 5 and 6; no editing or creating is allowed using the UI. For more information about Control Center configuration, see Control Center Configuration Reference for Confluent Platform.
Note
- A user with membership in multiple groups is granted only the most restrictive permissions. For example, if a user is a member of two groups,
admin
andreadonly
, andreadonly
is a restricted role, then the user is granted only the rights for thereadonly
group. - Enabling restricted roles also prevents users from inspecting topics and running ksqlDB queries.
- For fine-grained access control, consider configuring role-based access control (RBAC).
- Messages cannot be viewed if LDAP Basic Auth is implemented and the user is a member of a restricted group. If users need to view messages, consider using RBAC instead of LDAP Basic Auth.
Start Control Center¶
You must pass a few system flags to the JVM at Control Center start-up. To do so,
export the CONTROL_CENTER_OPTS
flag as shown below.
Note
Replace /path/to
with the actual filepath.
CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/propertyfile.jaas" \
control-center-start /path/to/control-center.properties``
When a user accesses Control Center, they are shown a dialog similar to the one that follows, which prompts them for sign-in credentials.
For more information about Control Center properties files, see Control Center Configuration Examples for Confluent Platform.
Configure LdapLoginModule¶
Configure the LdapLoginModule.
- debug
- Indicate whether to turn on debug output.
- contextFactory
- Specify the LDAP context factory class; for example,
com.sun.jndi.ldap.LdapCtxFactory
. - hostname
- Specify the hostname of the LDAP server.
- port
- Specify the port on which the LDAP server should listen. Default port is 389 for non-TLS/SSL LDAP and AD; 636 for TLS/SSL LDAP and AD.
- bindDn
Required. If not using binding authentication, set this to the root DN that should bind; for example,
cn=administrator,dc=confluent,dc=io
.- bindPassword
Specify the password for bindDn.
- authenticationMethod
- Use
authenticationMethod=simple
. This is the only LDAP authentication method currently supported by Control Center. - forceBindingLogin
- Indicate whether to bind as the user that is authenticating (true), otherwise bind as the manager and perform a search to verify user password (false).
- useLdaps
- Indicate whether to use Secure LDAP (LDAPS), required when TLS/SSL is enabled. Set to
true
to use LDAPS. The default value isfalse
. - userBaseDn
Specify the base DN to search for users; for example:
ou=People,dc=cops,dc=confluent,dc=io
.- userRdnAttribute
- Specify the attribute name for username, used when searching
for user role membership by DN, default
uid
. - userIdAttribute
- Specify the attribute name to identify user by username.
The default value is
acn
. - userPasswordAttribute
- Specify the attribute name for user password. The default value is
userPassword
. - userObjectClass
- Specify the attribute name for user object class. The default value is
inetOrgPerson
. - roleBaseDn
Specify the base DN for role membership search; for example,
ou=Groups,dc=cops,dc=confluent,dc=io
.- roleNameAttribute
- Specify the attribute name for role name. The default value is
roleName
. - roleMemberAttribute
- Specify the attribute name for a role that would contain a
user’s DN. The default value is
uniqueMember
. - roleUsernameMemberAttribute
- Specify the attribute name for a role that would contain a user’s username. If set, this overrides the roleMemberAttribute behavior.
- roleObjectClass
- Specify the object class for role. The default value is
groupOfUniqueNames
. - rolePrefix
- Specify the prefix string to remove from role names before returning
to the application, for example,
confluent\_
.