The file ~/.brooklyn/ is read when Brooklyn starts to load server configuration values.

A template file is available, with abundant comments.

Quick Setup

The most common properties set in this file are for access control. Without this, Brooklyn’s web-console and REST api will require no authentication.

The simplest way to specify users and passwords is shown below (but see the Authentication section for how to avoid storing passwords in plain text):,bob

The properties file must have permissions 600 (i.e. readable and writable only by the file’s owner), for some security.

In many cases, it is preferable instead to use an external credentials store such as LDAP. Information on configuring these is below.

If coming over a network it is highly recommended additionally to use https. This can be configured with:

More information, including setting up a certificate, is described further below.

Camp YAML Expressions

Values in can use the Camp YAML syntax. Any value starting $brooklyn: is parsed as a Camp YAML expression.

This allows externalized configuration to be used from For example:$brooklyn:external("vault", "aws-identity")$brooklyn:external("vault", "aws-credential")

If for some reason one requires a literal value that really does start with $brooklyn: (i.e. for the value to not be parsed), then this can be achieved by using the syntax below. This example returns the property value $brooklyn:myexample:$brooklyn:literal("$brooklyn:myexample")


Information on defining locations in the file is available here.


Arbitrary data can be set in the This can be accessed in java using ManagementContext.getConfig(KEY).


Security Providers are the mechanism by which different authentication authorities are plugged in to Brooklyn. These can be configured by specifying equal to the name of a class implementing SecurityProvider. An implementation of this could point to Spring, LDAP, OpenID or another identity management system.

The default implementation, ExplicitUsersSecurityProvider, reads from a list of users and passwords which should be specified as configuration parameters e.g. in This configuration could look like:

The users line should contain a comma-separated list. The special value * is accepted to permit all users.

To generate this, the brooklyn CLI can be used:

brooklyn generate-password --user admin

Enter password: 
Re-enter password: 

Please add the following to your brooklyn.properies:

Alternatively, in dev/test environments where a lower level of security is required, the syntax<username>=<password> can be used for each <username> specified in the list.

Other security providers available include:

No one will block all logins (e.g. if not using the web console)

No security will allow logins with no credentials (e.g. in secure dev/test environments)

LDAP will cause Brooklyn to call to an LDAP server to authenticate users; The other things you need to set in are:

  • - ldap connection url
  • - ldap dc parameter (domain)
  • optional, by default it set to Users - ldap ou parameter example configuration:,X-BIND-PASSWORD=secret,X-COUNT-LIMIT=1000

After you setup the brooklyn connection to your LDAP server, you can authenticate in brooklyn using your cn (e.g. John Smith) and your password. searches in the LDAP tree in LDAP://cn=John Smith,ou=Users,dc=example,dc=com

If you want to customize the ldap path or something else which is particular to your LDAP setup you can extend LdapSecurityProvider class or implement from scratch the SecurityProvider interface.


In addition to login access, fine-grained permissions – including seeing entities, creating applications, seeing sensors, and invoking effectors – can be defined on a per-user and per-target (e.g. which entity/effector) basis using a plug-in Entitlement Manager.

This can be set globally with the property:<class>

The default entitlement manager is one which responds to per-user entitlement rules, and understands:

  • root: full access, including to the Groovy console
  • user: access to everything but actions that affect the server itself. Such actions include the Groovy console, stopping the server and retrieving management context configuration.
  • readonly: read-only access to almost all information
  • minimal: access only to server stats, for use by monitoring systems

These keywords are also understood at the global level, so to grant full access to admin, read-only access to support, limited access to metrics and regular access to user you can write:

Under the covers this invokes the PerUserEntitlementManager, with a default set (and if not specified default defaults to minimal); so the above can equivalently be written:

For more information, see Java: Entitlements. or EntitlementManager (src) .

HTTPS Configuration

See HTTPS Configuration for general information on configuring HTTPS.

To enable HTTPS in Brooklyn, add the following to your<path-to-keystore-directory>/server.key