Control Center REST API
User login is available using HTTP Basic Authentication that is pluggable using
JAAS. All of the configuration options are documented here.
To configure Control Center authentication:
Specify the following options in control-center.properties
:
confluent.controlcenter.rest.authentication.method=BASIC
confluent.controlcenter.rest.authentication.realm=c3
confluent.controlcenter.rest.authentication.roles=Administrators,Restricted
confluent.controlcenter.auth.restricted.roles=Restricted
confluent.controlcenter.auth.session.expiration.ms=600000
Important
The properties called confluent.controlcenter.rest.authentication.roles
and confluent.controlcenter.auth.restricted.roles
both apply to Groups.
The values for confluent.controlcenter.rest.authentication.roles
are
<your_administrator_group>,<your_restricted_group>
, and the value for
confluent.controlcenter.auth.restricted.roles
is <your_restricted_group>
.
Create a JAAS file (propertyfile.jaas
) similar to the following–note that
the authentication realm is Control Center (c3
):
c3 {
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
file="/password.properties";
};
Your password file in password.properties
should look similar to
the following:
bob: <bob_password>,<your_administrator_group>
alice: <alice_password>,<your_restricted_group>
Start Control Center to use the JAAS configuration:
CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/propertyfile.jaas" control-center-start /control-center.properties
After you are granted access to Control Center, you are prompted for sign-in credentials.
Logging in as bob:<bob_password>
provides read and write access. Logging in as
alice:<alice_password>
provides read-only access.
The following main UI elements / options are hidden from restricted users:
- Add, delete, pause, or resume connectors
- Browse connectors
- View connector settings
- Upload connector configs
- Create, delete, or edit alerts (triggers or actions)
- Edit a license
- Edit brokers
- Press submit on cluster forms
- Edit, create, or delete schemas
- Edit data flow queries
- Inspect topics
- Type in the ksqlDB editor
- Run or stop ksqlDB queries
- Add KSQL streams or tables
Note
If a user is in both the admin and restricted groups, they are considered
a read-only user.
Schema Registry
Schema Registry can be configured to require users to authenticate using a username and password via the Basic HTTP authentication mechanism.
Use the following settings to configure Schema Registry to require authentication:
authentication.method=BASIC
authentication.roles=<user-role1>,<user-role2>,...
authentication.realm=<section-in-jaas_config.file>
The authentication.roles
config defines a comma-separated list of user roles. To be authorized
to access Schema Registry, an authenticated user must belong to at least one of these roles.
For example, if you define admin
, developer
, user
, and sr-user
roles,
the following configuration assigns them for authentication:
authentication.roles=admin,developer,user,sr-user
The authentication.realm
config must match a section within jaas_config.file
, which
defines how the server authenticates users and should be passed as a JVM option during server start:
export SCHEMA_REGISTRY_OPTS=-Djava.security.auth.login.config=/path/to/the/jaas_config.file
<path-to-confluent>/bin/schema-registry-start <path-to-confluent>/etc/schema-registry/schema-registry.properties
An example jaas_config.file
is:
SchemaRegistry-Props {
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
file="/path/to/password-file"
debug="false";
};
Assign the SchemaRegistry-Props
section to the authentication.realm
config setting:
authentication.realm=SchemaRegistry-Props
The example jaas_config.file
above uses the Jetty PropertyFileLoginModule
, which
authenticates users by checking for their credentials in a password file.
You can also use other implementations of the standard Java LoginModule
interface, such as
the LdapLoginModule
, or the JDBCLoginModule
for reading credentials from a database.
The file parameter is the location of the password file. The format is:
<username>: <password-hash>,<role1>[,<role2>,...]
Here’s an example:
fred: OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x,user,admin
barney: changeme,user,developer
betty: MD5:164c88b302622e17050af52c89945d44,user
wilma: CRYPT:adpexzg3FUZAk,admin,sr-user
Get the password hash for a user by using the org.eclipse.jetty.util.security.Password
utility:
bin/schema-registry-run-class org.eclipse.jetty.util.security.Password fred letmein
Your output should resemble:
letmein
OBF:1w8t1tvf1w261w8v1w1c1tvn1w8x
MD5:0d107d09f5bbe40cade3de5c71e9e9b7
CRYPT:frd5btY/mvXo6
Each line of the output is the password encrypted using different mechanisms, starting with
plain text.
Once Schema Registry is configured to use Basic authentication, clients must be
configured with suitable valid credentials, for example:
basic.auth.credentials.source=USER_INFO
basic.auth.user.info=fred:letmein
Tip
The schema.registry
prefixed versions of these properties were deprecated in Confluent Platform 5.0.
schema.registry.basic.auth.credentials.source
is deprecated.
schema.registry.basic.auth.user.info
is deprecated.
For more information, see Schema Registry Security Overview.