Control Center UI Authentication
User login is available using HTTP Basic Authentication that is pluggable using
JAAS. All of the configuration options are documented here.
To configure Control Center authentication:
Specify the following options in control-center.properties:
confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.realm=c3
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted
confluent.controlcenter.auth.session.expiration.ms=600000
Important
The properties called confluent.controlcenter.rest.authentication.roles and confluent.controlcenter.auth.restricted.roles both apply to Groups.
The values for confluent.controlcenter.rest.authentication.roles are <your_administrator_group>,<your_restricted_group>, and the value for confluent.controlcenter.auth.restricted.roles is <your_restricted_group>.
Create a JAAS file (propertyfile.jaas) similar to the following. Note that the authentication realm is Control Center (c3):
c3 {
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
file="/password.properties";
};
Your password file in password.properties should look similar to the following:
bob: <bob_password>,<your_administrator_group>
alice: <alice_password>,<your_restricted_group>
Start Control Center to use the JAAS configuration:
CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/propertyfile.jaas" control-center-start /control-center.properties
After you are granted access to Control Center, you are prompted for sign-in credentials.
Logging in as bob:<bob_password> provides read and write access. Logging in as alice:<alice_password> provides read-only access.
The following main UI elements / options are hidden from restricted users:
- Add, delete, pause, or resume connectors
- Browse connectors
- View connector settings
- Upload connector configs
- Create, delete, or edit alerts (triggers or actions)
- Edit a license
- Edit brokers
- Press submit on cluster forms
- Edit, create, or delete schemas
- Edit data flow queries
- Inspect topics
- Type in the ksqlDB editor
- Run or stop ksqlDB queries
- Add KSQL streams or tables
Note
If a user is in both the admin and restricted groups, they are considered
a read-only user.
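The group rules above can be checked before deployment. The following is an added example, not code from Confluent or Jetty: it reads the two files described on this page, reports each user's effective access, and flags passwords stored in plaintext. It assumes that a user whose groups are all absent from confluent.controlcenter.rest.authentication.roles cannot sign in, and that Jetty's OBF:, MD5: and CRYPT: prefixes mark non-plaintext credentials; the user names, groups and passwords in the sample data are constructed.

```python
# Added example (not Confluent or Jetty code). Sample data below is constructed.
ROLES_KEY = "confluent.controlcenter.rest.authentication.roles"
RESTRICTED_KEY = "confluent.controlcenter.auth.restricted.roles"
# Jetty credential prefixes for non-plaintext storage; OBF: is reversible obfuscation.
STORED_PREFIXES = ("OBF:", "MD5:", "CRYPT:")

def parse_props(text):
    """Parse key=value lines from control-center.properties."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if l and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_users(text):
    """Parse 'user: password,group,...' lines from password.properties."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        password, *groups = [p.strip() for p in rest.split(",")]
        users[name.strip()] = (password, set(groups))
    return users

def groups_of(props, key):
    return {g.strip() for g in props.get(key, "").split(",") if g.strip()}

def effective_access(groups, props):
    """Restricted membership wins over administrator membership."""
    if not groups & groups_of(props, ROLES_KEY):
        return "denied"  # assumption: unlisted groups cannot sign in
    return "read-only" if groups & groups_of(props, RESTRICTED_KEY) else "read-write"

def audit(props_text, users_text):
    props = parse_props(props_text)
    return {name: {"access": effective_access(groups, props),
                   "plaintext_password": not password.startswith(STORED_PREFIXES)}
            for name, (password, groups) in parse_users(users_text).items()}

SAMPLE_PROPS = """confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted"""
SAMPLE_USERS = """bob: example-pw-1,Administrators
alice: example-pw-2,Restricted
carol: OBF:1x0r1v2h,Administrators,Restricted
dave: example-pw-3,Operators"""

if __name__ == "__main__":
    for user, result in audit(SAMPLE_PROPS, SAMPLE_USERS).items():
        print(user, result)
```

Any user reported with plaintext_password set to True has a cleartext password in password.properties, so that file's permissions matter as much as the JAAS configuration itself.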
UI HTTPS
HTTPS is supported for web access to Confluent Control Center. To enable HTTPS, you must first add an HTTPS listener in the Control Center properties file using the confluent.controlcenter.rest.listeners parameter. You must also set the appropriate SSL configuration options. If you haven't already, this would be a good time to create SSL keys and certificates.
An example of the necessary additions to control-center.properties is shown below:
confluent.controlcenter.rest.listeners=https://0.0.0.0:9022
confluent.controlcenter.rest.ssl.keystore.location=/var/private/ssl/kafka.control-center.keystore.jks
confluent.controlcenter.rest.ssl.keystore.password=test1234
confluent.controlcenter.rest.ssl.key.password=test1234
confluent.controlcenter.rest.ssl.truststore.location=/var/private/ssl/kafka.control-center.truststore.jks
confluent.controlcenter.rest.ssl.truststore.password=test1234
curl -vvv -X GET --tlsv1.2 https://localhost:9022
# For cases when using a self-signed certificate
curl -vvv -X GET --tlsv1.2 --cacert scripts/security/snakeoil-ca-1.crt https://localhost:9022