CONFLUENT PLATFORM
Control Center provides HTTP Basic Authentication through JAAS.
The following tutorial describes the steps necessary to enable HTTP Basic Authentication backed by LDAP. This includes but is not limited to the Active Directory (AD) LDAP implementation.
Important
Escape any restricted LDAP characters. For best results, avoid characters that require escaping. Follow Best Practices for LDAP Naming Attributes. The restricted characters are: , \ # + = < > ; " and \5c (the hex-escaped form of the backslash).
Create a JAAS configuration file with the following content and save as control-center-jaas.conf.
Note
Do not enter any commented lines in the JAAS configuration file; the # character is not allowed. Comments in the JAAS file interfere with parsing the configuration parameters when Control Center starts.
c3 {
    org.eclipse.jetty.jaas.spi.LdapLoginModule required
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="ad.confluent.io"
    port="389"
    bindDn="cn=admin,dc=confluent,dc=io"
    bindPassword="password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=People,dc=confluent,dc=io"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userPassword"
    userObjectClass="user"
    roleBaseDn="ou=Groups,DC=confluent,DC=org"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group";
};
If the bindDn, userBaseDn, or roleBaseDn contains special characters, escape them with a backslash. The LDAP filter specification reserves the comma as the separator between CN and OU components, so any CN or OU value that itself contains a comma must be escaped with a double backslash in the LDAP JAAS configuration file. For example, "CN=administrator, firstclass" is escaped as follows: "CN=administrator\\, firstclass,OU=users,DC=confluent,DC=io". For further discussion about LDAP filtering and escaping, refer to this Stack Overflow article.
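The two escaping layers described above, together with the no-comments rule from the Note, as an added Python helper (example code, not Confluent's): it LDAP-escapes each DN value per RFC 4514, doubles the backslashes for the JAAS string, renders a c3 module entry, and flags any # comment line. The function names are the example's own.

```python
# Added example (not Confluent's code): build a JAAS LDAP entry whose DN
# values are escaped twice, once for LDAP (RFC 4514) and once for the
# JAAS string, then check the result for the '#' comment lines that
# Control Center's JAAS parser rejects. Names here are the example's own.

# Characters that RFC 4514 requires to be backslash-escaped anywhere in
# an attribute value; '#' and space are special only at the edges.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """LDAP-escape one RDN attribute value (single backslash)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        edge_special = (ch == '#' and i == 0) or (ch == ' ' and i in (0, last))
        out.append('\\' + ch if ch in _DN_SPECIAL or edge_special else ch)
    return ''.join(out)


def build_dn(components) -> str:
    """Join (attribute, raw value) pairs into an LDAP-escaped DN."""
    return ','.join(f'{attr}={escape_rdn_value(val)}' for attr, val in components)


def jaas_quote(ldap_dn: str) -> str:
    """JAAS option values are Java-style strings, so each backslash
    produced by LDAP escaping must itself be doubled."""
    return ldap_dn.replace('\\', '\\\\')


def render_jaas(realm: str, options: dict) -> str:
    """Render one LdapLoginModule entry for the given realm name."""
    lines = [f'{realm} {{', '    org.eclipse.jetty.jaas.spi.LdapLoginModule required']
    for key, val in options.items():
        lines.append(f'    {key}="{jaas_quote(val)}"')
    lines[-1] += ';'          # the last option terminates the module entry
    lines.append('};')
    return '\n'.join(lines)


def check_jaas_text(text: str) -> list:
    """Return problems found in a JAAS file: comment lines are not allowed."""
    return [f'line {n}: comment lines are not allowed'
            for n, line in enumerate(text.splitlines(), 1)
            if line.lstrip().startswith('#')]


if __name__ == '__main__':
    bind_dn = build_dn([('CN', 'administrator, firstclass'), ('OU', 'users'),
                        ('DC', 'confluent'), ('DC', 'io')])
    print(render_jaas('c3', {'bindDn': bind_dn, 'userBaseDn': 'ou=People,dc=confluent,dc=io'}))
```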
Add these configuration options to the Control Center configuration file (control-center.properties).
control-center.properties
1  # The name of the configuration block in the JAAS configuration
2  confluent.controlcenter.rest.authentication.realm=c3
3  # HTTP authentication type
4  confluent.controlcenter.rest.authentication.method=BASIC
5  # To enable restricted access, add this line
6  confluent.controlcenter.auth.restricted.roles=RestrictedGroupName
7  # Add roles defined in the JAAS config file here
8  confluent.controlcenter.rest.authentication.roles=c3users,RestrictedGroupName
Be aware that Control Center supports restricted access, configured on lines 5 and 6 above: users in a restricted role can view Control Center but cannot edit or create anything through the UI. For more information about Control Center configuration, see Control Center Configuration Reference.
Enabling restricted roles also prevents users from inspecting topics and running ksqlDB queries. For more fine-grained access control, consider configuring RBAC.
You must pass a few system properties to the JVM when Control Center starts. To do so, set the CONTROL_CENTER_OPTS environment variable as shown below. Replace /path/to with the actual file path.
CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/propertyfile.jaas" \
control-center-start /path/to/control-center.properties
For more information about Control Center properties files, see Control Center properties files.
Configure the LdapLoginModule. The options below are the ones used in the JAAS configuration above; where a default is listed, it is the value the module uses when the option is omitted.
contextFactory: The JNDI context factory. Default: com.sun.jndi.ldap.LdapCtxFactory
bindDn: Optional. If not using binding authentication, set this to the root DN that should bind; for example, cn=administrator,dc=confluent,dc=io. See Escaping special characters.
bindPassword: Specify the password for bindDn.
authenticationMethod: Default: authenticationMethod=simple
userBaseDn: Specify the base DN to search for users; for example: ou=People,dc=cops,dc=confluent,dc=io.
userRdnAttribute: Default: uid
userIdAttribute: Default: cn
userPasswordAttribute: Default: userPassword
userObjectClass: Default: inetOrgPerson
roleBaseDn: Specify the base DN for role membership search; for example, ou=Groups,dc=cops,dc=confluent,dc=io.
roleNameAttribute: Default: roleName
roleMemberAttribute: Default: uniqueMember
roleObjectClass: Default: groupOfUniqueNames