Use HTTP Basic Authentication in Confluent Platform

You can add HTTP Basic authentication to these Confluent Platform components:

Note

Role-based access control (RBAC) can be used to support security for all components. For details, see Kafka Connect and RBAC.

Connect REST API

  1. Add the following configuration to your Connect worker properties file (etc/kafka/connect-distributed.propertes):

    rest.extension.classes=org.apache.kafka.connect.rest.basic.auth.extension.BasicAuthSecurityRestExtension

  2. Create a JAAS configuration file. Your authentication realm is hardcoded to KafkaConnect, so your JAAS must look like this:

    KafkaConnect {
    org.apache.kafka.connect.rest.basic.auth.extension.PropertyFileLoginModule required
    file="${CONFLUENT_HOME}/etc/kafka/connect.password";
};

  3. Export KAFKA_OPTS with the path to the JAAS configuration file:

    export KAFKA_OPTS="-Djava.security.auth.login.config=<path-to-jaas-file>"

  4. Create a password properties file (CONFLUENT_HOME/etc/kafka/connect.password). For example:

    thisismyusername: thisismypass

ksqlDB

  1. Add the following configuration in your ksqlDB properties file (etc/ksqldb/ksql-server.properties):

    authentication.method=BASIC
authentication.roles=admin,developer,user,ksq-user
authentication.realm=KsqlServer-Props

  2. Create a JAAS file (jaas_config.conf):

    KsqlServer-Props {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
  file="/path/to/password-file"
  debug="false";
};

  3. Create a password properties file (CONFLUENT_HOME/etc/ksqldb/password-file). The file parameter is the location of the password file. The format is:

    <username>: <password-hash>,<role1>[,<role2>,...]

    Following is an example:

    fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
harry: changeme,user,developer
tom: MD5:164c88b302622e17050af52c89945d44,user
dick: CRYPT:adpexzg3FUZAk,admin,ksq-user

  4. Export the JAAS file:

    export KSQL_OPTS=-Djava.security.auth.login.config=/path/to/the/jaas_config.conf

  5. Start the ksqlDB server:

    ksql-server-start ${CONFLUENT_HOME}/etc/ksqldb/ksql-server.properties

For more information, see Configure ksqlDB for Basic HTTP authentication.

Schema Registry

Schema Registry can be configured to require users to authenticate using a username and password via the Basic HTTP authentication mechanism.

Note

If you’re using Basic authentication, we recommended that you configure Schema Registry to use HTTPS for secure communication, because the Basic protocol passes credentials in plain text.

Use the following settings to configure Schema Registry to require authentication:

authentication.method=BASIC
authentication.roles=<user-role1>,<user-role2>,...
authentication.realm=<section-in-jaas_config.conf>

The authentication.roles configuration defines a comma-separated list of user roles. To be authorized to access Schema Registry, an authenticated user must belong to at least one of these roles.

For example, if you define admin, developer, user, and sr-user roles, the following configuration assigns them for authentication:

authentication.roles=admin,developer,user,sr-user

The authentication.realm configuration must match a section within jaas_config.conf, which defines how the server authenticates users and should be passed as a JVM option during server start:

export SCHEMA_REGISTRY_OPTS=-Djava.security.auth.login.config=/path/to/the/jaas_config.conf
schema-registry-start ${CONFLUENT_HOME}/etc/schema-registry/schema-registry.properties

An example jaas_config.conf is:

SchemaRegistry-Props {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
  file="/path/to/password-file"
  debug="false";
};

Assign the SchemaRegistry-Props section to the authentication.realm configuration setting:

authentication.realm=SchemaRegistry-Props

The example jaas_config.conf above uses the Jetty PropertyFileLoginModule, which authenticates users by checking for their credentials in a password file.

You can also use other implementations of the standard Java LoginModule interface, such as the LdapLoginModule, or the JDBCLoginModule for reading credentials from a database.

The file parameter is the location of the password file. The format is:

<username>: <password-hash>,<role1>[,<role2>,...]

Here’s an example:

fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
barney: changeme,user,developer
betty: MD5:164c88b302622e17050af52c89945d44,user
wilma: CRYPT:adpexzg3FUZAk,admin,sr-user

Get the password hash for a user by using the org.eclipse.jetty.util.security.Password utility:

schema-registry-run-class org.eclipse.jetty.util.security.Password fred letmein

Your output should resemble:

letmein
OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x
MD5:0d107d09f5bbe40cade3de5c71e9e9b7
CRYPT:frd5btY/mvXo6

Each line of the output is the password encrypted using different mechanisms, starting with plain text.

Once Schema Registry is configured to use Basic authentication, clients must be configured with suitable valid credentials, for example:

basic.auth.credentials.source=USER_INFO
basic.auth.user.info=fred:letmein

Tip

The schema.registry prefixed versions of these properties were deprecated in Confluent Platform 5.0.

  • schema.registry.basic.auth.credentials.source is deprecated.
  • schema.registry.basic.auth.user.info is deprecated.

For more information, see Secure Schema Registry for Confluent Platform.

Control Center

You can configure HTTP Basic authentication for Control Center or configure Control Center client authentication with other Confluent Platform components that have HTTP Basic authentication enabled.

Basic authentication for Control Center

You can require a user to log in to Control Center by configuring HTTP Basic authentication using Java Authentication and Authorization Service (JAAS). JAAS provides a pluggable model, with details specified at runtime. For details on all configuration options, see UI authentication settings.

To configure Control Center authentication:

  1. Specify the following options in the appropriate Control Center property file. Use the confluent.controlcenter.rest.authentication.roles and confluent.controlcenter.auth.restricted.roles to create groups of users; either administrators, which have full read and write access, or restricted users that have only read access. Restricted users cannot add or delete topics.

    • Specify values for confluent.controlcenter.rest.authentication.roles in the following format: <administrator_group_name>,<restricted_group_name>

    • The restricted value is the name of your restricted group: confluent.controlcenter.auth.restricted.roles is <restricted_group_name>.

      confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.realm=c3
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted
confluent.controlcenter.auth.session.expiration.ms=600000

  2. Create a JAAS file (propertyfile.jaas) similar to the following. In the file, you specify the authentication realm as Control Center (c3), and provide the name of password file that will contain the Control Center users and passwords.

    c3 {
    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    file="/path/to/password.properties";
};

    Your password file in password.properties should look similar to the following, specifying a username followed by a password and that user’s group, either the administrative group or the restricted group.

    Note

    A user with membership in multiple groups is granted only the most restrictive permissions. For example, if a user is a member of two groups, admin and readonly, and readonly is a restricted role, then the user is granted only the rights for the readonly group.

    admin: <admin-password>,<administrator_group_name>
bob: <bob-password>,<administrator_group_name>
alice: <alice-password>,<your_restricted_group>

  3. Start Control Center passing in an argument to use the JAAS configuration, and specify the properties file that contains the HTTP Basic authentication settings:

    CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/propertyfile.jaas" \
control-center-start ./etc/confluent-control-center/control-center.properties

When a user accesses Control Center, they are shown a dialog similar to the one that follows, which prompts them for sign-in credentials.

../../../_images/c3-auth-sign-in.png

For this example, logging in as bob:<bob_password> provides read and write access. Logging in as alice:<alice_password> provides read-only access.

Restricted users

For users with restricted (read-only) roles, the following user interface (UI) features and options are unavailable/hidden:

See also

For an example that shows how to set Docker environment variables for Confluent Platform running in ZooKeeper mode, see the Confluent Platform demo. Refer to the demo’s docker-compose.yml file for a configuration reference.

Confluent Control Center and other components

When HTTP Basic authentication is enabled on other Confluent Platform components, you must configure Control Center with a valid username and password for that component.

HTTP Basic authentication enabled for Schema Registry

Whenever you have HTTP Basic authentication configured for Schema Registry, you must provide a username and password for Control Center to communicate correctly with Schema Registry. For a single cluster or the first cluster in a multi-cluster deployment, set the following properties, where the user.info contains a <username>:<password> that you have configured for Schema Registry.

confluent.controlcenter.schema.registry.basic.auth.credentials.source=USER_INFO
confluent.controlcenter.schema.registry.basic.auth.user.info=<sr-username>:<sr-password>

For multi-cluster deployment, to set the remaining clusters, use:

confluent.controlcenter.schema.registry.<sr-cluster-name>.basic.auth.credentials.source=USER_INFO
onfluent.controlcenter.schema.registry.<sr-cluster-name>.basic.auth.user.info=<sr-username>:<sr-password>

A multi-cluster deployment Schema Registry might look like the following:

// first Schema Registry cluster
confluent.controlcenter.schema.registry.url=<sr1-endpoint>
confluent.controlcenter.schema.registry.basic.auth.credentials.source=USER_INFO
confluent.controlcenter.schema.registry.basic.auth.user.info=<sr1-username>:<sr1-password>

// additional Schema Registry clusters
confluent.controlcenter.schema.registry.<sr2-name>.url=<sr2-endpoint>
confluent.controlcenter.schema.registry.<sr2-name>.basic.auth.credentials.source=USER_INFO
confluent.controlcenter.schema.registry.<sr2-name>.basic.auth.user.info=<sr2-username>:<sr2-password>

See Schema Registry for steps to configure HTTP Basic authentication for Schema Registry.

HTTP Basic authentication for REST Proxy

To learn about using HTTP Basic authentication with REST Proxy, see HTTP Basic Authentication.

HTTP Basic authentication enabled for Connect

Whenever you have HTTP Basic authentication configured for Connect, you must provide a username and password for Control Center to communicate correctly with Connect. Set the confluent.controlcenter.connect.<connect-cluster-name>.basic.auth.user.info property to a value that contains <username>:<password> that you have configured for Connect.

confluent.controlcenter.connect.<connect1-name>.basic.auth.user.info=<connect-username>:<connect-password>

See Connect REST API for steps to configure HTTP Basic authentication for Connect.

HTTP Basic authentication enabled for ksqlDB

Whenever you have HTTP Basic authentication configured for ksqlDB, you must provide a username and password for Control Center to communicate correctly with ksqlDB. Set the confluent.controlcenter.ksql.<ksql-cluster-name>.basic.auth.user.info property to a value that contains <username>:<password> that you have configured for ksqlDB.

confluent.controlcenter.ksql.ksql-cluster-name.basic.auth.user.info=<ksqal-username>:<ksql-password>

See ksqlDB for steps to configure HTTP Basic authentication for ksqlDB.