Is it possible to enable Basic auth on the kafka-ui and enable UI access

[abryant710]

I am using this docker-compose.yml file to bring up these services. The UI is working fine, but as you can see I have to disable the lines in the schema-registry service to enable Basic Auth on the API. Is it possible to have both Basic Auth for the API and schema registry management via the API?

// notable env vars

CONFLUENT_CONTAINER_KAFKA_VERSION=7.2.1
CONFLUENT_CONTAINER_SCHEMA_REGISTRY_VERSION=7.2.1
KAFKA_UI_CONTAINER_VERSION=v0.7.1

// docker-compose.yml

version: "2"
services:
  kafka1:
    image: confluentinc/cp-kafka:${CONFLUENT_CONTAINER_KAFKA_VERSION}
    hostname: kafka1
    container_name: kafka1
    ports:
      - "${KAFKA_PORT}:${KAFKA_PORT}"
      - "${KAFKA_JMX_PORT}:${KAFKA_JMX_PORT}"
    dns:
      - ${ENVIRONMENT_DNS}
    environment:
      KAFKA_BROKER_ID: ${KAFKA_BROKER_ID}
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT"
      KAFKA_ADVERTISED_LISTENERS: "PLAINTEXT://kafka1:29092,PLAINTEXT_HOST://${VM_AGENT_NAME:-localhost}:${KAFKA_PORT}"
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: ${KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR}
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: ${KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS}
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: ${KAFKA_TRANSACTION_STATE_LOG_MIN_ISR}
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: ${KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR}
      KAFKA_JMX_PORT: ${KAFKA_JMX_PORT}
      KAFKA_JMX_HOSTNAME: ${VM_AGENT_NAME:-localhost}
      KAFKA_PROCESS_ROLES: "broker,controller"
      KAFKA_NODE_ID: 1
      KAFKA_CONTROLLER_QUORUM_VOTERS: "1@kafka1:29093"
      KAFKA_LISTENERS: "PLAINTEXT://kafka1:29092,CONTROLLER://kafka1:29093,PLAINTEXT_HOST://0.0.0.0:${KAFKA_PORT}"
      KAFKA_INTER_BROKER_LISTENER_NAME: "PLAINTEXT"
      KAFKA_CONTROLLER_LISTENER_NAMES: "CONTROLLER"
      KAFKA_LOG_DIRS: "/tmp/kraft-combined-logs"
      VM_AGENT_NAME: ${VM_AGENT_NAME:-kafka1}
    volumes:
      - ./scripts/update_run.sh:/tmp/update_run.sh
      - ./scripts/start_services.sh:/tmp/start_services.sh
      - ./scripts/setup:/tmp/setup/
      - ./utils/utils.py:/tmp/setup/utils.py
    command: ["/tmp/start_services.sh"]

  schemaregistry1:
    image: confluentinc/cp-schema-registry:${CONFLUENT_CONTAINER_SCHEMA_REGISTRY_VERSION}
    ports:
      - "${SCHEMA_REGISTRY_EXT_PORT}:${SCHEMA_REGISTRY_INT_PORT}"
    depends_on:
      - kafka1
    volumes:
      - ./jaas:/conf
    dns:
      - ${ENVIRONMENT_DNS}
    environment:
      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: PLAINTEXT://kafka1:29092
      SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: PLAINTEXT
      SCHEMA_REGISTRY_HOST_NAME: schemaregistry1
      SCHEMA_REGISTRY_LISTENERS: http://schemaregistry1:${SCHEMA_REGISTRY_INT_PORT}

      # SCHEMA_REGISTRY_AUTHENTICATION_METHOD: BASIC
      # SCHEMA_REGISTRY_AUTHENTICATION_REALM: SchemaRegistryProps
      # SCHEMA_REGISTRY_AUTHENTICATION_ROLES: admin
      SCHEMA_REGISTRY_OPTS: -Djava.security.auth.login.config=/conf/schema_registry.jaas

      SCHEMA_REGISTRY_SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: "http"
      SCHEMA_REGISTRY_LOG4J_ROOT_LOGLEVEL: INFO
      SCHEMA_REGISTRY_KAFKASTORE_TOPIC: _schemas

  kafka-ui:
    container_name: kafka-ui
    image: provectuslabs/kafka-ui:${KAFKA_UI_CONTAINER_VERSION}
    ports:
      - "${KAFKA_UI_PORT}:${KAFKA_UI_PORT}"
    depends_on:
      - kafka1
      - schemaregistry1
    dns:
      - ${ENVIRONMENT_DNS}
    environment:
      KAFKA_CLUSTERS_0_NAME: local
      KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka1:29092
      KAFKA_CLUSTERS_0_METRICS_PORT: ${KAFKA_JMX_PORT}
      KAFKA_CLUSTERS_0_SCHEMAREGISTRY: http://schemaregistry1:${SCHEMA_REGISTRY_INT_PORT}
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_USERNAME: ${SCHEMA_REGISTRY_BASIC_AUTH_USER:-truadmin-dev}
      KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_PASSWORD: ${SCHEMA_REGISTRY_BASIC_AUTH_PASSWORD}
      SPRING_SECURITY_USER_NAME: ${KAFKA_UI_BASIC_AUTH_USER:-truadmin-dev}
      SPRING_SECURITY_USER_PASSWORD: ${KAFKA_UI_BASIC_AUTH_PASSWORD}
      AUTH_TYPE: LOGIN_FORM

[Haarolean]

Hi, I don't quite understand the problem. We do support basic auth for SR. What do you mean by that you have "to disable the lines"?

[abryant710]

@Haarolean I picked up the template for this docker-compose file from here:

https://github.com/provectus/kafka-ui/blob/master/documentation/compose/kafka-cluster-sr-auth.yaml

You can see the lines I have commented out:

# SCHEMA_REGISTRY_AUTHENTICATION_METHOD: BASIC
# SCHEMA_REGISTRY_AUTHENTICATION_REALM: SchemaRegistryProps
# SCHEMA_REGISTRY_AUTHENTICATION_ROLES: admin

If I uncomment these lines back in, the containers start but the view at "http://localhost:8080/ui/clusters/local/schemas" returns an error and won't load.

[Haarolean]

Just launched the aforementioned compose, and it works perfectly fine:

Please share the error you receive with the application logs.

[abryant710]

Agreed @Haarolean . I was trying to update the credentials for the schema registry API using the config in the jaas directory. I have managed to figure it out and get it up and running as expected. Thanks for your support.

[abryant710]

Resolved based on discussion above