GitBook: [#4] No subject

Author: Haarolean

README.md

@@ -0,0 +1,11 @@
+# About
+
+## **About Kafka-UI**
+
+**Versatile, fast and lightweight web UI for managing Apache Kafka® clusters. Built by developers, for developers.**
+
+****
+
+**UI for Apache Kafka is a free, open-source web UI to monitor and manage Apache Kafka clusters.**
+
+UI for Apache Kafka is a simple tool that makes your data flows observable, helps find and troubleshoot issues faster and deliver optimal performance. Its lightweight dashboard makes it easy to track key metrics of your Kafka clusters - Brokers, Topics, Partitions, Production, and Consumption.

SUMMARY.md

@@ -0,0 +1,41 @@
+# Table of contents
+
+## 🎓 Overview
+
+* [About](README.md)
+* [Features](overview/features.md)
+* [Getting started](overview/getting-started.md)
+
+## 🛣 Project
+
+* [Code of Conduct](project/code-of-conduct.md)
+* [Roadmap](project/roadmap.md)
+
+## 🛠 Development
+
+* [Contributing](development/contributing.md)
+* [Building](development/building/README.md)
+  * [Prerequisites](development/building/prerequisites.md)
+  * [WIP: Setting up git](development/building/wip-setting-up-git.md)
+  * [With Docker](development/building/with-docker.md)
+  * [Without Docker](development/building/without-docker.md)
+  * [WIP: Testing](development/building/wip-testing.md)
+
+## 👷♂ Configuration
+
+* [Configuration](configuration/configuration.md)
+* [SSL](configuration/ssl.md)
+* [Authentication](configuration/authentication/README.md)
+  * [OAuth2](configuration/authentication/oauth2.md)
+  * [AWS IAM](configuration/authentication/aws-iam.md)
+  * [SSO Guide](configuration/authentication/sso-guide.md)
+  * [SASL\_SCRAM](configuration/authentication/sasl\_scram.md)
+* [RBAC (Role based access control)](configuration/rbac-role-based-access-control.md)
+* [Data masking](configuration/data-masking.md)
+* [Serialization / SerDe](configuration/serialization-serde.md)
+* [Protobuf setup](configuration/protobuf-setup.md)
+
+## ❓ FAQ
+
+* [Common problems](faq/common-problems.md)
+* [FAQ](faq/faq.md)

configuration/authentication/README.md

@@ -0,0 +1,2 @@
+# Authentication
+

configuration/authentication/aws-iam.md

@@ -0,0 +1,45 @@
+---
+description: How to configure AWS IAM Authentication
+---
+
+# AWS IAM
+
+UI for Apache Kafka comes with built-in [aws-msk-iam-auth](https://github.com/aws/aws-msk-iam-auth) library.
+
+You could pass sasl configs in properties section for each cluster.
+
+More details could be found here: [aws-msk-iam-auth](https://github.com/aws/aws-msk-iam-auth)
+
+### Examples:
+
+Please replace
+
+* \<KAFKA\_URL> with broker list
+* \<PROFILE\_NAME> with your aws profile
+
+#### Running From Docker Image
+
+```
+docker run -p 8080:8080 \
+    -e KAFKA_CLUSTERS_0_NAME=local \
+    -e KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=<KAFKA_URL> \
+    -e KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL \
+    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=AWS_MSK_IAM \
+    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_CLIENT_CALLBACK_HANDLER_CLASS=software.amazon.msk.auth.iam.IAMClientCallbackHandler \
+    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG=software.amazon.msk.auth.iam.IAMLoginModule required awsProfileName="<PROFILE_NAME>"; \
+    -d provectuslabs/kafka-ui:latest 
+```
+
+#### Configuring by application.yaml
+
+```yaml
+kafka:
+  clusters:
+    - name: local
+      bootstrapServers: <KAFKA_URL>
+      properties:
+        security.protocol: SASL_SSL
+        sasl.mechanism: AWS_MSK_IAM
+        sasl.client.callback.handler.class: software.amazon.msk.auth.iam.IAMClientCallbackHandler
+        sasl.jaas.config: software.amazon.msk.auth.iam.IAMLoginModule required awsProfileName="<PROFILE_NAME>";
+```

configuration/authentication/oauth2.md

@@ -0,0 +1,80 @@
+# OAuth2
+
+## Examples to set up different oauth providers
+
+### Cognito
+
+```
+kafka:
+  clusters:
+    - name: local
+      bootstrapServers: localhost:9092
+    # ...
+
+auth:
+  type: OAUTH2
+  oauth2:
+    client:
+      cognito:
+        clientId: xxx
+        clientSecret: yyy
+        scope: openid
+        client-name: cognito
+        provider: cognito
+        redirect-uri: http://localhost:8080/login/oauth2/code/cognito
+        authorization-grant-type: authorization_code
+        issuer-uri: https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_xxx
+        jwk-set-uri: https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_xxx/.well-known/jwks.json
+        user-name-attribute: username
+        custom-params:
+          type: cognito
+          logoutUrl: https://<XXX>>.eu-central-1.amazoncognito.com/logout
+```
+
+### Google
+
+```
+kafka:
+  clusters:
+    - name: local
+      bootstrapServers: localhost:9092
+    # ...
+
+auth:
+  type: OAUTH2
+  oauth2:
+    client:
+      google:
+        provider: google
+        clientId: xxx.apps.googleusercontent.com
+        clientSecret: GOCSPX-xxx
+        user-name-attribute: email
+        custom-params:
+          type: google
+          allowedDomain: provectus.com
+
+```
+
+### Github:
+
+```
+kafka:
+  clusters:
+    - name: local
+      bootstrapServers: localhost:9092
+    # ...
+
+auth:
+  type: OAUTH2
+  oauth2:
+    client:
+      github:
+        provider: github
+        clientId: xxx
+        clientSecret: yyy
+        scope:
+          - read:org
+        user-name-attribute: login
+        custom-params:
+          type: github
+```

configuration/authentication/sasl_scram.md

@@ -0,0 +1,63 @@
+---
+description: How to configure SASL SCRAM Authentication
+---
+
+# SASL\_SCRAM
+
+You could pass sasl configs in properties section for each cluster.
+
+### Examples:
+
+Please replace
+
+* \<KAFKA\_NAME> with cluster name
+* \<KAFKA\_URL> with broker list
+* \<KAFKA\_USERNAME> with username
+* \<KAFKA\_PASSWORD> with password
+
+#### Running From Docker Image
+
+```
+docker run -p 8080:8080 \
+    -e KAFKA_CLUSTERS_0_NAME=<KAFKA_NAME> \
+    -e KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=<KAFKA_URL> \
+    -e KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL \
+    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=SCRAM-SHA-512 \     
+    -e KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG=org.apache.kafka.common.security.scram.ScramLoginModule required username="<KAFKA_USERNAME>" password="<KAFKA_PASSWORD>"; \
+    -d provectuslabs/kafka-ui:latest 
+```
+
+#### Running From Docker-compose file
+
+```yaml
+
+version: '3.4'
+services:
+  
+  kafka-ui:
+    image: provectuslabs/kafka-ui
+    container_name: kafka-ui
+    ports:
+      - "888:8080"
+    restart: always
+    environment:
+      - KAFKA_CLUSTERS_0_NAME=<KAFKA_NAME>
+      - KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=<KAFKA_URL>
+      - KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL
+      - KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=SCRAM-SHA-512
+      - KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG=org.apache.kafka.common.security.scram.ScramLoginModule required username="<KAFKA_USERNAME>" password="<KAFKA_PASSWORD>";
+      - KAFKA_CLUSTERS_0_PROPERTIES_PROTOCOL=SASL
+```
+
+#### Configuring by application.yaml
+
+```yaml
+kafka:
+  clusters:
+    - name: local
+      bootstrapServers: <KAFKA_URL>
+      properties:
+        security.protocol: SASL_SSL
+        sasl.mechanism: SCRAM-SHA-512        
+        sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="<KAFKA_USERNAME>" password="<KAFKA_PASSWORD>";
+```

configuration/authentication/sso-guide.md

@@ -0,0 +1,85 @@
+# SSO Guide
+
+## How to configure SSO
+
+SSO require additionaly to configure TLS for application, in that example we will use self-signed certificate, in case of use legal certificates please skip step 1.
+
+### Step 1
+
+At this step we will generate self-signed PKCS12 keypair.
+
+```bash
+mkdir cert
+keytool -genkeypair -alias ui-for-apache-kafka -keyalg RSA -keysize 2048 \
+  -storetype PKCS12 -keystore cert/ui-for-apache-kafka.p12 -validity 3650
+```
+
+### Step 2
+
+Create new application in any SSO provider, we will continue with [Auth0](https://auth0.com).
+
+![](https://user-images.githubusercontent.com/1494347/172255269-94cb9e3a-042b-49bb-925e-a06344840662.png)
+
+After that need to provide callback URLs, in our case we will use `https://127.0.0.1:8080/login/oauth2/code/auth0`
+
+![](https://user-images.githubusercontent.com/1494347/172255294-86af29b9-642b-4fb5-9ba8-212185e3fdfc.png)
+
+This is a main parameters required for enabling SSO
+
+![](https://user-images.githubusercontent.com/1494347/172255315-4f12ac92-ca13-4206-ab68-48092e562092.png)
+
+### Step 3
+
+To launch UI for Apache Kafka with enabled TLS and SSO run following:
+
+```bash
+docker run -p 8080:8080 -v `pwd`/cert:/opt/cert -e AUTH_TYPE=LOGIN_FORM \
+  -e SECURITY_BASIC_ENABLED=true \
+  -e SERVER_SSL_KEY_STORE_TYPE=PKCS12 \
+  -e SERVER_SSL_KEY_STORE=/opt/cert/ui-for-apache-kafka.p12 \
+  -e SERVER_SSL_KEY_STORE_PASSWORD=123456 \
+  -e SERVER_SSL_KEY_ALIAS=ui-for-apache-kafka \
+  -e SERVER_SSL_ENABLED=true \
+  -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTID=uhvaPKIHU4ZF8Ne4B6PGvF0hWW6OcUSB \
+  -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTSECRET=YXfRjmodifiedTujnkVr7zuW9ECCAK4TcnCio-i \
+  -e SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_ISSUER_URI=https://dev-a63ggcut.auth0.com/ \
+  -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_SCOPE=openid \
+  -e TRUST_STORE=/opt/cert/ui-for-apache-kafka.p12 \
+  -e TRUST_STORE_PASSWORD=123456 \
+provectuslabs/kafka-ui:latest
+```
+
+In the case with trusted CA-signed SSL certificate and SSL termination somewhere outside of application we can pass only SSO related environment variables:
+
+```bash
+docker run -p 8080:8080 -v `pwd`/cert:/opt/cert -e AUTH_TYPE=OAUTH2 \
+  -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTID=uhvaPKIHU4ZF8Ne4B6PGvF0hWW6OcUSB \
+  -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTSECRET=YXfRjmodifiedTujnkVr7zuW9ECCAK4TcnCio-i \
+  -e SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_ISSUER_URI=https://dev-a63ggcut.auth0.com/ \
+  -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_SCOPE=openid \
+provectuslabs/kafka-ui:latest
+```
+
+### Step 4 (Load Balancer HTTP) (optional)
+
+If you're using load balancer/proxy and use HTTP between the proxy and the app, you might want to set `server_forward-headers-strategy` to `native` as well (`SERVER_FORWARDHEADERSSTRATEGY=native`), for more info refer to [this issue](https://github.com/provectus/kafka-ui/issues/1017).
+
+### Step 5 (Azure) (optional)
+
+For Azure AD (Office365) OAUTH2 you'll want to add additional environment variables:
+
+```bash
+docker run -p 8080:8080 \
+        -e KAFKA_CLUSTERS_0_NAME="${cluster_name}"\
+        -e KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS="${kafka_listeners}" \
+        -e KAFKA_CLUSTERS_0_ZOOKEEPER="${zookeeper_servers}" \
+        -e KAFKA_CLUSTERS_0_KAFKACONNECT_0_ADDRESS="${kafka_connect_servers}"
+        -e AUTH_TYPE=OAUTH2 \
+        -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTID=uhvaPKIHU4ZF8Ne4B6PGvF0hWW6OcUSB \
+        -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTSECRET=YXfRjmodifiedTujnkVr7zuW9ECCAK4TcnCio-i \
+        -e SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_SCOPE="https://graph.microsoft.com/User.Read" \
+        -e SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_ISSUER_URI="https://login.microsoftonline.com/{tenant-id}/v2.0" \
+        -d provectuslabs/kafka-ui:latest"
+```
+
+Note that scope is created by default when Application registration is done in Azure portal. You'll need to update application registration manifest to include `"accessTokenAcceptedVersion": 2`

configuration/configuration.md

@@ -0,0 +1,2 @@
+# Configuration
+