Installation
Configuration
User Authentication
Features
PropertyFileLoginModule
Authenticate Users with Jetty JAAS PropertyFileLoginModule
Configure kPow to read authentication and role information from a property file.
Use the exact configuration in this guide to restrict access to the following user/password/roles:
- admin/admin/kafka-admins
- jetty/jetty/kafka-users
- other/other/kafka-admins+kafka-users
- plain/plain/content-administrators
- user/password/kafka-users
Configuration
To enable PropertyFileLoginModule authentication:
- Create a JAAS configuration file that tells the JVM what JAAS Module is in use.
- Create a users property file containing information on users, passwords, and roles.
- Set the
AUTH_PROVIDER_TYPE=jettyenvironment variable. - Start the JAR or Docker container with
-Djava.security.auth.login.config=/path/to/jaas.conf
JAAS Configuration
Create a JAAS PropertyFile configuration file (the kpow realm is very important).
1
kpow {
2
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
3
file="/opt/kpow/user.props";
4
};
Copied!
Create a users property file at the path configured in your JAAS config.
1
# This file defines users passwords and roles for a HashUserRealm
2
#
3
# The format is
4
# <username>: <password>[,<rolename> ...]
5
#
6
# Passwords may be clear text, obfuscated or checksummed. The class
7
# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
8
# passwords or password checksums
9
#
10
# If DIGEST Authentication is used, the password must be in a recoverable
11
# format, either plain text or OBF:.
12
#
13
# Credentials are jetty/jetty, admin/admin, other/other, plain/plain,
14
# user/password, and digest/digest
15
#
16
jetty: MD5:164c88b302622e17050af52c89945d44,kafka-users
17
admin: CRYPT:adpexzg3FUZAk,kafka-admins
18
other: OBF:1xmk1w261u9r1w1c1xmq,kafka-admins,kafka-users
19
plain: plain,content-administrators
20
user: password,kafka-users
21
# This entry is for digest auth. The credential is a MD5 hash of
22
# username:realmname:password
23
digest: MD5:6e120743ad67abfbc385bc2bb754e297,kafka-users
Copied!
Environment Configuration
To activate Jetty JAAS authentication set the environment variable
AUTH_PROVIDER_TYPE=jettyJAR Startup
Specify the JAAS config file by setting the following system property when starting the JAR:
-Djava.security.auth.login.config=/path/to/jaas.conf Note: System properties must come after java but before -jar.
1
AUTH_PROVIDER_TYPE=jetty \
2
<... more env vars ...> \
3
java -Djava.security.auth.login.config=/opt/kpow/jaas.conf -jar /opt/kpow/latest.jar
Copied!
Docker Container Startup
Note: The JVM provides an environment variable called
JAVA_TOOL_OPTIONS that can be used in place of system properties. We use this to thread the JAAS config to Docker.Set the env var
JAVA_TOOL_OPTIONS=-Djava.security.auth.login.config=/path/to/jaas.confNote: When your JAAS config is on the host machine and not within the container you will need to configure a docker volume mount so that kPow can read that configuration:
docker run --volume="/config/path:/config/path/" -p 3000:3000 --env-file ...When starting the docker container you will see logging output similar to:
1
Picked up JAVA_TOOL_OPTIONS: -Djava.security.auth.login.config=/path/to/jaas.conf
Copied!
Form or Basic Authentication?
kPow supports both form-based and basic authentication.
Form authentication is the default. To basic authentication, set the environment variable:
1
JETTY_AUTH_METHOD=basic
Copied!
User Experience
When configured your users will be prompted to authenticate on each new browser session.
Last modified 10mo ago