Extend example for rbac tls for testing (#498)

* update rbac-tls test cluster

* update example for oauth tls

* cleanup

docker/rbac-tls/.env

@@ -1 +1 @@
-TAG=5.5.0
+TAG=7.1.0

docker/rbac-tls/.gitignore

@@ -0,0 +1,2 @@
+etc/kafka
+etc/kafka-connect

docker/rbac-tls/certs/credentials.txt

@@ -0,0 +1 @@
+confluent

docker/rbac-tls/certs/snakeoil-ca-1.crt

@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDZDCCAkwCCQCaHu0SFAy7tzANBgkqhkiG9w0BAQsFADB0MSIwIAYDVQQDDBlj
+MIIDZDCCAkwCCQDXquyTlb1r9jANBgkqhkiG9w0BAQsFADB0MSIwIAYDVQQDDBlj
 YTEudGVzdC5jb25mbHVlbnRkZW1vLmlvMQ0wCwYDVQQLDARURVNUMRIwEAYDVQQK
 DAlDT05GTFVFTlQxETAPBgNVBAcMCFBhbG9BbHRvMQswCQYDVQQIDAJDYTELMAkG
-A1UEBhMCVVMwHhcNMjEwNDI2MTU1NjMxWhcNMjIwNDI2MTU1NjMxWjB0MSIwIAYD
+A1UEBhMCVVMwHhcNMjIwNTA0MTUzNzI0WhcNMjcwNTAzMTUzNzI0WjB0MSIwIAYD
 VQQDDBljYTEudGVzdC5jb25mbHVlbnRkZW1vLmlvMQ0wCwYDVQQLDARURVNUMRIw
 EAYDVQQKDAlDT05GTFVFTlQxETAPBgNVBAcMCFBhbG9BbHRvMQswCQYDVQQIDAJD
-YTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt
-DR+RvNt1VpNlygxjAYkRzkiPwKEPpsSNqa7nb1bUblQRN74dAmdMVGSvMH5Ny9L/
-PuocqqAJeXzu+Eqqd3njXx97YCOKhEN5HQ0Dnjakw9BYWpd93jbV3PJ7tnnXm8jQ
-tfPM8VyF+hdbpjowzYNzvZKsaCS20jbahmlOAtGw4v5/kmjsBduPoZ4tAH2OcRqe
-DHyDTz6wiM+o7P80Qi/oOku/3wIfvxs6SmyfdeYAVuRhLqa9pK5IWp0VeM7U/XMW
-KCIO1dvx62mVGL8DJ6oW1TxcVSArVS+mRcS7N8UjymMQ7erlhzHhanSCZmMa0H8E
-1sWimEvBa7yZ+hvSN0afAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJLj/9OaSVy
-ky+g27stB/IxzWjQS/CQ05UA8ysn7Q11KR6bK9PLTouDrPiT0Sb0geeCy+h6IvD/
-olSK45upwhfPHTCPP38dZGQ0wbIfv8TzcNmykTAtHUYBfDNYr+4nVSbSZKp5+zO5
-62qxR1aMNvhtRgVkB4oJxerrs9Nd4kgbLyaIEwabmvpN79wlHH6HZTtJYdN8FT5s
-SjC9PwRm/z5H4ceArXnXgJeRPgU2Z4Qa+60yDhKGCIoYaNjNDhdo63isLPI6OVTe
-2xJhWXsg/OOsw7bVliRvX9zTaqBR2UvbP2oROG5c1+l9m6mXYp4Iysj2kcURU0aV
-/ngcGoq5Qhk=
+YTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw
+PYB4CwRa6p7fhl7Drg7GpapGlwuUqgHXq0KQKcrppT4uCmpxYRoQv+7GQJcRIj3P
+HwYraH1TBN8u4u54SY3b1hlrbGAmGAyGAo0l87rq1ybL4YWV1Zeopj9zyT7vYRBV
+nekAq3RSBv/1qLIcXZjYYUfF/xQypM8ns8XS7buLZ1K8PRJW6TgGaz6Fnt/yNQ1r
+hCxZRL76FYnxcRmdmdGDkVaX5bG9bjG+bEVCH99IbaJnIK0cz50oBuj+xqkFcwOC
+6IPApNzeBMhAE0WIB0GSGJRPteSHzilIGvs9/zXs/Es/G06+ked1Xvf/iDYcmrHr
+JTNXbwulZFKDru6zvgBTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH7HVAZtFsBZ
+Cpc5WxS/frXmUN58IJIqoqjNyii0oW2ccZfDVAyTqYd7fkCOKgIjPJoZPQ8inahN
+EIOAjiUetxdqp7ngSPuCJM9fCrmDb8JNry9ycaoxSrLQbzNiPmmyGV2Z5xYMByC7
+8d60z1m1+zEBRUiUcPLEnvRq2k1mfBMfaLYqFikq33rvcXuml8TChLDt4yrydLyk
+mcAA8yy6ZvVTTUB15qHTBleSJvmcUU2S8cR655aLFdiHvJzIGpLWrd/qycmIpHap
+WyenEntoDCO+LZ6yKpH/h2ifMdJVIyryKLF6o5wOG+LiKzOT1wkoPaIkfJjDIkPX
+qju//PjIEWY=
 -----END CERTIFICATE-----

docker/rbac-tls/client-configs/client.properties

@@ -0,0 +1,5 @@
+security.protocol=SSL
+ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.keystore.password=confluent

docker/rbac-tls/client-configs/professor.properties

@@ -1,7 +1,11 @@
 sasl.mechanism=OAUTHBEARER
-security.protocol=SASL_PLAINTEXT
+security.protocol=SASL_SSL
 sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 username="professor" \
 password="professor" \
-metadataServerUrls="http://localhost:8090";
+metadataServerUrls="https://localhost:8090";
+ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ssl.truststore.password=confluent
+#ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+#ssl.keystore.password=confluent

docker/rbac-tls/client-configs/thusnelda.properties

@@ -0,0 +1,9 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_SSL
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="professor" password="professor" metadataServerUrls="https://localhost:8090";
+
+ssl.truststore.location=/etc/kafka/secrets/thusnelda.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/thusnelda.keystore.jks
+ssl.keystore.password=confluent

docker/rbac-tls/create-basic-roles.sh

@@ -12,7 +12,7 @@ fi
 
 ## Login into MDS
 CA_CERT=./certs/snakeoil-ca-1.crt
-XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090
+CONFLUENT_PLATFORM_USERNAME=professor CONFLUENT_PLATFORM_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090
 
 SUPER_USER=professor
 SUPER_USER_PASSWORD=professor

docker/rbac-tls/create-roles.sh

@@ -11,7 +11,7 @@ if [ -z "$KAFKA_CLUSTER_ID" ]; then
 fi
 
 ## Login into MDS
-CA_CERT=certs/snakeoil-ca-1.crt
+CA_CERT=../../security/certs/snakeoil-ca-1.crt
 XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090
 
 SUPER_USER=professor
@@ -59,7 +59,7 @@ confluent iam rolebinding create \
     --schema-registry-cluster-id $SR
 
 # ResourceOwner for groups and topics on broker
-for resource in Topic:_schemas Group:schema-registry
+for resource in Topic:_schemas Group:schema-registry Topic:_confluent-license
 do
     confluent iam rolebinding create \
         --principal $SR_PRINCIPAL \
@@ -96,6 +96,11 @@ do
         --kafka-cluster-id $KAFKA_CLUSTER_ID
 done
 
+confluent iam rolebinding create \
+    --principal $CONNECT_PRINCIPAL  \
+    --role SystemAdmin \
+    --kafka-cluster-id $KAFKA_CLUSTER_ID
+
 ################################### C3 ###################################
 echo "Creating C3 role bindings"
 

docker/rbac-tls/docker-compose.yml

@@ -1,10 +1,11 @@
 ---
-version: '2.3'
+version: '3.5'
 services:
 
   phpldapadmin-service:
     image: osixia/phpldapadmin:0.7.2
     container_name: ldapadmin-service
+    domainname: test.local
     environment:
       - PHPLDAPADMIN_LDAP_HOSTS=openldap
     ports:
@@ -15,15 +16,18 @@ services:
   openldap:
     image: rroemhild/test-openldap
     hostname: openldap
+    domainname: test.local
     container_name: openldap
     ports:
-      - "10389:10389"
+      - "389:10389"
+      - "443:443"
     privileged: true
 
   zookeeper:
     image: confluentinc/cp-zookeeper:${TAG}
     hostname: zookeeper
     container_name: zookeeper
+    domainname: test.local
     ports:
       - "2181:2181"
     environment:
@@ -32,8 +36,9 @@ services:
 
   broker:
     image: confluentinc/cp-server:${TAG}
-    hostname: broker
+    hostname: kafka
     container_name: broker
+    domainname: test.local
     networks:
       default:
         aliases:
@@ -49,22 +54,23 @@ services:
       - "9093:9093"
       - "9094:9094"
       - "9095:9095"
+      - "9096:9096"
     volumes:
       - ./certs/:/etc/kafka/secrets/
       - ./conf:/tmp/conf
       - ./client-configs:/etc/client-configs
-      - ./kafka/:/etc/kafka/
+      - ./etc/kafka/:/etc/kafka/
       - ./jvm/:/etc/kafka/jvm/
     environment:
-      KAFKA_LOG4J_LOGGERS: kafka.controller=INFO,kafka.authorizer.logger=DEBUG
-      KAFKA_LOG4J_ROOT_LOGLEVEL: DEBUG
+      #KAFKA_LOG4J_LOGGERS: kafka.controller=INFO,kafka.authorizer.logger=DEBUG
+      #KAFKA_LOG4J_ROOT_LOGLEVEL: DEBUG
       KAFKA_SUPER_USERS: User:admin;User:kafka;User:professor;User:ANONYMOUS
       KAFKA_BROKER_ID: 1
       KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
       KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR: 1
       KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: https://schema-registry:8081
-      KAFKA_ADVERTISED_LISTENERS: INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://localhost:9094,TOKENE://thusnelda:9095
-      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL
+      KAFKA_ADVERTISED_LISTENERS: INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://broker:9094,TOKENE://thusnelda:9095,EXTERNALS://localhost:9096
+      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL,EXTERNALS:SASL_SSL
       KAFKA_SASL_ENABLED_MECHANISMS: OAUTHBEARER
 
        # Configure interbroker listener
@@ -85,6 +91,13 @@ services:
       KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEYSTORE_PASSWORD: confluent
       KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEY_PASSWORD: confluent
 
+      KAFKA_LISTENER_NAME_EXTERNALS_SECURITY_PROTOCOL: SSL
+      KAFKA_LISTENER_NAME_EXTERNALS_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
+      KAFKA_LISTENER_NAME_EXTERNALS_SSL_TRUSTSTORE_PASSWORD: confluent
+      KAFKA_LISTENER_NAME_EXTERNALS_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks
+      KAFKA_LISTENER_NAME_EXTERNALS_SSL_KEYSTORE_PASSWORD: confluent
+      KAFKA_LISTENER_NAME_EXTERNALS_SSL_KEY_PASSWORD: confluent
+
       KAFKA_LISTENER_NAME_TOKEN_SECURITY_PROTOCOL: SSL
       KAFKA_LISTENER_NAME_TOKEN_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
       KAFKA_LISTENER_NAME_TOKEN_SSL_TRUSTSTORE_PASSWORD: confluent
@@ -103,7 +116,7 @@ services:
       #KAFKA_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=(.*?),.*$$/$$1/,DEFAULT
 
       KAFKA_LISTENER_NAME_INTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT
-      KAFKA_LISTENER_NAME_EXTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/kafka/ , DEFAULT
+      KAFKA_LISTENER_NAME_EXTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT
 
       # Configure token listener
       KAFKA_LISTENER_NAME_TOKEN_SASL_ENABLED_MECHANISMS: OAUTHBEARER
@@ -122,6 +135,14 @@ services:
                                                                  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
                                                                  publicKeyPath="/tmp/conf/public.pem";
 
+      KAFKA_LISTENER_NAME_EXTERNALS_SASL_ENABLED_MECHANISMS: OAUTHBEARER
+      KAFKA_LISTENER_NAME_EXTERNALS_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
+      KAFKA_LISTENER_NAME_EXTERNALS_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+      KAFKA_LISTENER_NAME_EXTERNALS_OAUTHBEARER_SASL_JAAS_CONFIG: |
+        \
+        org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+        publicKeyPath="/tmp/conf/public.pem";
+
       # CONFIGURE AUTHORIZER
       KAFKA_AUTHORIZER_CLASS_NAME: io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
       KAFKA_CONFLUENT_AUTHORIZER_ACCESS_RULE_PROVIDERS: CONFLUENT,ZK_ACL
@@ -181,9 +202,10 @@ services:
 
       # ======================= OTHER BROKER STUFF =================================
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
-      SSL_ENABLED_PROTOCOLS: TLSv1.2
-      KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties"
-      KAFKA_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      KAFKA_CONFLUENT_BALANCER_ENABLE: 'false'
+      #SSL_ENABLED_PROTOCOLS: TLSv1.2
+      #KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties"
+      #KAFKA_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
       # KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
       # CONFLUENT_METRICS_ENABLE: 'true'
       # CONFLUENT_SUPPORT_CUSTOMER_ID: 'anonymous'
@@ -252,15 +274,19 @@ services:
       SCHEMA_REGISTRY_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 
   connect:
-    image: confluentinc/cp-server-connect:${TAG}
+    build:
+      context: kafka-connect/
+      dockerfile: Dockerfile
     hostname: connect
+    domainname: test.local
     container_name: connect
     depends_on:
       - 'broker'
     ports:
       - "8083:8083"
     volumes:
       - ./certs/:/etc/kafka/secrets/
+      - ./etc/kafka-connect/:/etc/kafka-connect/
       - ./conf:/tmp/conf
       - ./jvm/:/etc/kafka/jvm/
     environment:
@@ -390,7 +416,7 @@ services:
                   -Djavax.net.ssl.trustStorePassword=confluent
                   -Djavax.net.ssl.keyStore=/etc/kafka/secrets/connect.keystore.jks
                   -Djavax.net.ssl.keyStorePassword=confluent
-                  -Djava.security.properties=/etc/kafka/jvm/security-policy.properties
+                #  -Djava.security.properties=/etc/kafka/jvm/security-policy.properties
       # ========================= SECRET REGISTRY ==================================
       CONNECT_CONFIG_PROVIDERS: 'secret'
       CONNECT_CONFIG_PROVIDERS_SECRET_CLASS: 'io.confluent.connect.secretregistry.rbac.config.provider.InternalSecretConfigProvider'
@@ -409,8 +435,27 @@ services:
               username="fry" \
               password="fry" \
               metadataServerUrls="https://broker:8090";
-      CONNECT_SSL_ENABLED_PROTOCOLS: TLSv1.2
-      CONNECT_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      #CONNECT_SSL_ENABLED_PROTOCOLS: TLSv1.2
+      #CONNECT_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      # ==== CONFLUENT LICENSE MANAGER ====
+      CONNECT_CONFLUENT_TOPIC: '_confluent-command'
+      CONNECT_CONFLUENT_TOPIC_BOOTSTRAP_SERVERS: broker:9094
+      CONNECT_CONFLUENT_TOPIC_REPLICATION_FACTOR: 1
+      CONNECT_CONFLUENT_TOPIC_SECURITY_PROTOCOL: SASL_SSL
+      CONNECT_CONFLUENT_TOPIC_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks
+      CONNECT_CONFLUENT_TOPIC_SSL_TRUSTSTORE_PASSWORD: confluent
+      CONNECT_CONFLUENT_TOPIC_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks
+      CONNECT_CONFLUENT_TOPIC_SSL_KEYSTORE_PASSWORD: confluent
+      CONNECT_CONFLUENT_TOPIC_SSL_KEY_PASSWORD: confluent
+      #CONNECT_CONFLUENT_TOPIC_SSL_ENDPOINT_IDENTIFICATION_ALGORITH: ""
+
+      CONNECT_CONFLUENT_TOPIC_SASL_MECHANISM: 'OAUTHBEARER'
+      CONNECT_CONFLUENT_TOPIC_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
+      CONNECT_CONFLUENT_TOPIC_SASL_JAAS_CONFIG: |
+              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+               username="professor" \
+              password="professor" \
+              metadataServerUrls="https://broker:8090";
 
   control-center:
     image: confluentinc/cp-enterprise-control-center:${TAG}
@@ -428,7 +473,8 @@ services:
       - ./jvm/:/etc/kafka/jvm/
     environment:
       # CUB CLASSPATH
-      CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*'
+      #CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*'
+      CUB_CLASSPATH: '/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*:/usr/share/java/confluent-security/kafka-rest/*:/usr/share/java/kafka-rest/:/usr/share/java/cp-base-new/*'
       # general settings
       #CONTROL_CENTER_LOG4J_ROOT_LOGLEVEL: DEBUG
       CONTROL_CENTER_BOOTSTRAP_SERVERS: 'SASL_SSL://broker:9094'
@@ -490,3 +536,6 @@ services:
       CONTROL_CENTER_SSL_ENABLED_PROTOCOLS: TLSv1.2
       KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties"
       CONTROL_CENTER_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+
+networks:
+  default:

docker/rbac-tls/kafka-connect/Dockerfile

@@ -0,0 +1,8 @@
+FROM confluentinc/cp-server-connect:6.2.0
+
+ENV CONNECT_PLUGIN_PATH="/usr/share/java,/usr/share/confluent-hub-components"
+
+RUN confluent-hub install --no-prompt confluentinc/kafka-connect-datagen:0.5.0 \
+    && confluent-hub install --no-prompt confluentinc/kafka-connect-jdbc:10.2.1 \
+    && confluent-hub install --no-prompt debezium/debezium-connector-sqlserver:1.6.0 \
+    && confluent-hub install --no-prompt confluentinc/kafka-connect-ibmmq:11.0.8