Security
UI Authentication
User login is available via HTTP Basic Authentication, which is pluggable via JAAS. All options are documented here.
$ cat <<EOF > /tmp/confluent/login.properties
admin: admin_pw,Administrators
disallowed: no_access
EOF
$ cat <<EOF > /tmp/confluent/propertyfile.jaas
c3 {
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
debug="true"
file="/tmp/confluent/login.properties";
};
EOF
$ cat <<EOF >> /path/to/control-center.properties
confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.realm=c3
confluent.controlcenter.rest.authentication.roles=Administrators
EOF
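Now, when you start Control Center and access the UI, you should be prompted for a username and password. Logging in as admin:admin_pw will allow you in, and disallowed:no_access will be blocked, because that user does not hold the Administrators role required by confluent.controlcenter.rest.authentication.roles. Any JAAS LoginModule should work.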
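The role check described above can be verified offline before Control Center is started. The following script is an added example, not part of the Confluent documentation or tooling: it reports, for each entry in a PropertyFileLoginModule file, whether the user holds an accepted role and whether the credential is stored in clear text. The function names are hypothetical, the sample files are constructed from the values on this page, and role names are assumed to match exactly (no wildcard handling).

```bash
#!/bin/sh
# Added example (not Confluent tooling): audit a Jetty PropertyFileLoginModule
# file against the roles Control Center is configured to accept.

# Last value of confluent.controlcenter.rest.authentication.roles in file $1.
required_roles() {
  sed -n 's/^confluent\.controlcenter\.rest\.authentication\.roles=//p' "$1" | tail -n 1
}

# $1 = login.properties, $2 = comma-separated accepted roles.
# Prints one line per user: user<TAB>allowed|denied<TAB>plaintext|encoded
audit_login_file() {
  awk -v accepted="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN { n = split(accepted, a, ","); for (i = 1; i <= n; i++) ok[trim(a[i])] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    match($0, /[:=]/) {
      user = trim(substr($0, 1, RSTART - 1))
      m = split(substr($0, RSTART + 1), f, ",")   # f[1] = credential, f[2..m] = roles
      verdict = "denied"
      for (i = 2; i <= m; i++) if ((trim(f[i]) in ok)) verdict = "allowed"
      # Jetty credential prefixes: MD5:/CRYPT: are hashes, OBF: is reversible
      # obfuscation only; anything without a prefix is stored in clear text.
      storage = (trim(f[1]) ~ /^(OBF|MD5|CRYPT):/) ? "encoded" : "plaintext"
      printf "%s\t%s\t%s\n", user, verdict, storage
    }' "$1"
}

# Constructed sample: the two files from this page, written under directory $1.
write_sample() {
  printf '%s\n' 'admin: admin_pw,Administrators' 'disallowed: no_access' \
    > "$1/login.properties"
  printf '%s\n' 'confluent.controlcenter.rest.authentication.method=BASIC' \
    'confluent.controlcenter.rest.authentication.realm=c3' \
    'confluent.controlcenter.rest.authentication.roles=Administrators' \
    > "$1/control-center.properties"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_login_file "$demo_dir/login.properties" \
  "$(required_roles "$demo_dir/control-center.properties")"
rm -rf "$demo_dir"
```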
UI HTTPS
HTTPS is supported for web access to Confluent Control Center. For more details, check the configuration options.
Kafka
Standard Kafka authentication, authorization, and encryption options are available for Control Center and interceptors.
Authorization with Kafka ACLs
We have provided a script for creating the ACLs necessary for Confluent Control Center to operate on an authorized cluster. This script needs to be run before you start Confluent Control Center:
$ export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/kafka_jaas.conf"
$ bin/controlcenter-set-acls config/controlcenter.properties
You will also need to export a Confluent Control Center JAAS config before starting Confluent Control Center:
$ export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config=/path/to/c3_jaas.conf'