Configure Confluent Control Center for OAuth Authentication in Confluent Platform
Use the following configurations to secure and authenticate Confluent Control Center within your Confluent Platform deployments.
Configure Confluent Control Center as MDS OAuth client
To configure Confluent Control Center to get OAuth authentication tokens, add the following configuration settings, replacing <url>, <client-id>, and <client-secret> with your actual values:
confluent.metadata.oauthbearer.token.endpoint.url=<url>
confluent.metadata.oauthbearer.login.client.id=<client-id>
confluent.metadata.oauthbearer.login.client.secret=<client-secret>
These are the minimum required settings.
For interactions between Confluent Control Center and your identity provider, you can add the following optional configuration settings:
confluent.metadata.oauthbearer.login.connect.timeout.ms
confluent.metadata.oauthbearer.login.read.timeout.ms
confluent.metadata.oauthbearer.login.retry.backoff.max.ms
confluent.metadata.oauthbearer.login.retry.backoff.ms
Confluent Control Center as a Kafka client
When using Confluent Control Center as a Kafka client, you need to configure it with the appropriate settings to ensure secure and authenticated communication with your Confluent Platform clusters.
To enable OAuth authentication for the Confluent Control Center client, follow these steps:
Specify the SASL mechanism as OAUTHBEARER.
confluent.controlcenter.kafka.sasl.mechanism=OAUTHBEARER
Add the JAAS configuration with your specific client credentials and scope, replacing <client-id>, <client-secret>, and <scope> with your actual values.
confluent.controlcenter.kafka.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  clientId="<client-id>" \
  clientSecret="<client-secret>" \
  scope="<scope>";
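A pre-deployment check for the settings described above, as an added example that is not Confluent's own code: it parses a Control Center properties file (including backslash line continuations), confirms the required MDS OAuth settings and the Kafka client OAUTHBEARER settings are present, and flags template placeholders left in place. The function names, the sample file contents, and the HTTPS check on the token endpoint are assumptions added here.

```python
import re

MDS = "confluent.metadata.oauthbearer."
REQUIRED_MDS = [MDS + s for s in ("token.endpoint.url", "login.client.id", "login.client.secret")]
MECHANISM = "confluent.controlcenter.kafka.sasl.mechanism"
JAAS = "confluent.controlcenter.kafka.sasl.jaas.config"
PLACEHOLDER = re.compile(r"<[a-z-]+>")  # a template value such as <client-id> left in place

def parse_properties(text):
    """Parse key=value lines, joining lines that end in a backslash."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_c3_oauth(text):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = [f"missing required setting: {k}" for k in REQUIRED_MDS if not props.get(k)]
    if props.get(MECHANISM) != "OAUTHBEARER":
        findings.append(f"{MECHANISM} is not OAUTHBEARER")
    jaas = props.get(JAAS, "")
    for option in ("clientId", "clientSecret", "scope"):
        if not re.search(rf'\b{option}="[^"]+"', jaas):
            findings.append(f"{JAAS} has no {option} option")
    findings += [f"placeholder left in {k}" for k, v in props.items() if PLACEHOLDER.search(v)]
    # Added check, not from the page: the client secret is sent to this URL, so require TLS.
    url = props.get(REQUIRED_MDS[0], "")
    if url and not url.startswith("https://"):
        findings.append("token endpoint URL is not https")
    return findings

# Constructed sample file (hypothetical IdP host and client names).
SAMPLE = r"""confluent.metadata.oauthbearer.token.endpoint.url=http://idp.example.com/oauth2/token
confluent.metadata.oauthbearer.login.client.id=c3-client
confluent.metadata.oauthbearer.login.client.secret=<client-secret>
confluent.controlcenter.kafka.sasl.mechanism=OAUTHBEARER
confluent.controlcenter.kafka.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  clientId="c3-client" clientSecret="<client-secret>" scope="kafka";"""

if __name__ == "__main__":
    print("\n".join(check_c3_oauth(SAMPLE)))
```

The findings name only the setting keys, never their values, so the output can go to a CI log without exposing the client secret.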