confluentinc · semaphore-agent-production · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
@@ -240,3 +240,27 @@ Description: Pre flight check. Validate keys and certs if custom_certs provided.
 Description: Pre flight check. Check if /tmp directory exists or not.
 
 ***
+
+### Tag - zookeeper
+
+Description: For all zookeeper tasks - installing, configuring. Runs the zookeeper role.
+
+***
+
+### Tag - migrate_to_dual_write
+
+Description: To pause Zookeeper to Kraft migration at Dual Write mode. Used to manually validate the metadata/ACLs before moving to Kraft mode.
+
+***
+
+### Tag - migrate_to_kraft
+
+Description: To migrate from Dual Write mode to Kraft mode. Used only when the cluster is currently in Dual Write mode.
+
+***
+
+###Tag - validate_jolokia
+
+Description: To validate Jolokia access control configurations.
+
+****
@@ -0,0 +1,136 @@
+# Jolokia Access Control Configuration Guide
+#
+# This file explains how to configure Jolokia access control variables for secure
+# JMX monitoring in Confluent Platform deployments.
+#
+# Jolokia Access Control Variables Overview:
+# ==========================================
+#
+# These variables control the security of the Jolokia JMX agent endpoint.
+# Jolokia access control restricts JMX operations via an XML policy file,
+# providing fine-grained control over which MBeans and operations are accessible.
+#
+# Key Variables:
+# --------------
+#
+# jolokia_access_control_enabled:
+#   - Enables Jolokia's access control feature
+#   - When enabled, restricts JMX operations via an XML policy file
+#   - By default, this is enabled if Jolokia itself is enabled
+#   - Type: boolean
+#   - Default: false
+#
+# jolokia_access_control_custom_file_enabled:
+#   - Must be set to true or false when access control is enabled
+#   - Controls whether to use a custom XML policy file or the built-in secure default
+#   - Options:
+#     * true: You must provide your own secure XML file via jolokia_access_control_file_src_path
+#     * false: The playbooks will use a secure default XML file provided by the role
+#     * null: Forces you to make an explicit choice for security (recommended for production)
+#   - Type: boolean or null
+#   - Default: false
+#
+# jolokia_access_control_file_src_path:
+#   - Full path on the Ansible controller to your custom Jolokia access control XML file
+#   - Required if jolokia_access_control_custom_file_enabled is true
+#   - The file will be copied to all target nodes
+#   - Type: string (file path)
+#   - Default: ""
+##
+# Component-Specific Variables:
+# =============================
+#
+# Each component has its own set of Jolokia access control variables:
+# - zookeeper_jolokia_access_control_enabled
+# - zookeeper_jolokia_access_control_custom_file_enabled
+# - kafka_controller_jolokia_access_control_enabled
+# - kafka_controller_jolokia_access_control_custom_file_enabled
+# - kafka_broker_jolokia_access_control_enabled
+# - kafka_broker_jolokia_access_control_custom_file_enabled
+# - kafka_connect_jolokia_access_control_enabled
+# - kafka_connect_jolokia_access_control_custom_file_enabled
+# - kafka_rest_jolokia_access_control_enabled
+# - kafka_rest_jolokia_access_control_custom_file_enabled
+# - ksql_jolokia_access_control_enabled
+# - ksql_jolokia_access_control_custom_file_enabled
+# - schema_registry_jolokia_access_control_enabled
+# - schema_registry_jolokia_access_control_custom_file_enabled
+# - kafka_connect_replicator_jolokia_access_control_enabled
+# - kafka_connect_replicator_jolokia_access_control_custom_file_enabled
+#
+# Usage Examples:
+# ===============
+
+# Example 1: Enable access control with default secure configuration
+example1:
+  all:
+    vars:
+      jolokia_enabled: true
+      jolokia_access_control_enabled: true
+      jolokia_access_control_custom_file_enabled: false
+
+# Example 2: Enable access control with custom XML policy file
+example2:
+  all:
+    vars:
+      jolokia_enabled: true
+      jolokia_access_control_enabled: true
+      jolokia_access_control_custom_file_enabled: true
+      jolokia_access_control_file_src_path: "/path/to/your/jolokia-access.xml"
+
+# Example 3: Component-specific configuration
+example3:
+  all:
+    vars:
+      jolokia_enabled: true
+      # Global default
+      jolokia_access_control_enabled: true
+      jolokia_access_control_custom_file_enabled: false
+
+  kafka_broker:
+    vars:
+      # Override for brokers only - use custom policy
+      kafka_broker_jolokia_access_control_custom_file_enabled: true
+      kafka_broker_jolokia_access_control_file_src_path: "/path/to/broker-jolokia-access.xml"
+
+# Example 4: Production-ready configuration with explicit choices
+example4:
+  all:
+    vars:
+      jolokia_enabled: true
+      jolokia_access_control_enabled: true
+      # Force explicit choice in production
+      jolokia_access_control_custom_file_enabled: false
+
+# This will require each component to explicitly set their custom_file_enabled value
+
+# Security Considerations:
+# ========================
+#
+# 1. Always enable access control in production environments
+# 2. Use custom XML policy files for fine-grained control
+# 3. Regularly review and update access control policies
+# 4. Test access control policies in development before production deployment
+# 5. Monitor Jolokia logs for unauthorized access attempts
+#
+# Sample Custom Access Control XML:
+# ==================================
+#
+# Create a file like /path/to/jolokia-access.xml with content similar to:
+#
+# <?xml version="1.0" encoding="utf-8"?>
+# <restrict>
+#   <!-- Allow access to specific MBeans only -->
+#   <allow>
+#     <mbean>kafka.controller:type=KafkaController,name=*</mbean>
+#     <operation>read</operation>
+#   </allow>
+#
+#   <!-- Deny all other access -->
+#   <deny>
+#     <mbean>*:*</mbean>
+#   </deny>
+# </restrict>
+#
+# For more information on Jolokia access control XML format, see:
+# https://jolokia.org/reference/html/security.html
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Kafka Broker - Defense in Depth Security for Testing
+  Strategy: Deny All Commands + Allow Specific MBeans
+  1. Allow ONLY read command globally (blocks list, write, exec, search, notification, version)
+  2. Allow only specific MBeans for broker monitoring
+  3. Fine-grained attribute and operation control
+-->
+<restrict>
+  <!-- ALLOW ONLY read command globally (blocks list, write, exec, search, notification, version) -->
+  <commands>
+    <command>read</command>
+  </commands>
+
+  <!-- ALLOW ONLY - Specific MBeans for Kafka Broker Monitoring -->
+  <allow>
+    <mbean>
+      <name>kafka.server:name=MessagesInPerSec,type=BrokerTopicMetrics</name>
+      <attribute mode="read">*</attribute>
+    </mbean>
+  </allow>
+
+  <allow>
+    <mbean>
+      <name>java.lang:type=Memory</name>
+      <attribute mode="read">*</attribute>
+    </mbean>
+  </allow>
+
+  <allow>
+    <mbean>
+      <name>kafka.server:name=BrokerState,type=KafkaServer</name>
+      <attribute mode="read">*</attribute>
+    </mbean>
+  </allow>
+
+</restrict>
@@ -121,6 +121,7 @@ provisioner:
   inventory:
     group_vars:
       all:
+        jolokia_enabled: true
         control_center_next_gen_port: 9022
         control_center_next_gen_dependency_prometheus_ssl_enabled: true
         control_center_next_gen_dependency_prometheus_mtls_enabled: false
@@ -132,3 +133,17 @@ provisioner:
         ssl_enabled: true
         ssl_mutual_auth_enabled: true
         secrets_protection_enabled: true # To test secrets protection on cli v3 without rbac
+        kafka_controller_jolokia_enabled: true
+        kafka_controller_jolokia_ssl_enabled: true
+        kafka_broker_jolokia_enabled: true
+        kafka_broker_jolokia_ssl_enabled: true
+        jolokia_access_control_enabled: true
+        kafka_controller_jolokia_access_control_custom_file_enabled: false
+        kafka_broker_jolokia_access_control_custom_file_enabled: true
+        kafka_broker_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/mtls-ubuntu/jolokia_access_test.xml"
+        schema_registry_jolokia_auth_mode: "basic"
+        schema_registry_jolokia_user: "user1"
+        schema_registry_jolokia_password: "pass"
+        kafka_connect_jolokia_enabled: true
+        kafka_connect_jolokia_ssl_enabled: true
+        kafka_connect_jolokia_access_control_enabled: false