Discover Identifiers for Clusters
Important
This feature is available as a preview feature. A preview feature is a component of Confluent Platform that is being introduced to gain early feedback from developers. This feature can be used for evaluation and non-production testing purposes or to provide feedback to Confluent.
When you assign user roles by using the Confluent CLI, you need the identifiers for the clusters in your Confluent Platform deployment.
For example, the following command assigns the DeveloperRead role on a topic in the Kafka cluster identified by <kafka-id>.
# Grant read-only access for a user to a topic.
confluent iam rolebinding create \
--principal User:<user-name> \
--role DeveloperRead \
--resource Topic:<topic-name> \
--kafka-cluster-id <kafka-id>
When creating role bindings for Schema Registry, KSQL, and Connect, you must provide two identifiers: the Kafka cluster identifier and an additional component cluster identifier. For example, the following command assigns the DeveloperWrite role on a topic in a Schema Registry cluster:
# Grant write access for a user to a topic in Schema Registry.
confluent iam rolebinding create \
--principal User:<user-name> \
--role DeveloperWrite \
--resource Topic:<topic-name> \
--kafka-cluster-id <kafka-id> \
--schema-registry-cluster-id <schema-registry-cluster-id>
There are different endpoints to query for cluster identifiers in your Confluent Platform deployment. The following table summarizes how you get cluster IDs.
Service | How to get the cluster ID | CLI option for cluster ID | Use to grant access to |
---|---|---|---|
Kafka | query ZooKeeper | kafka-cluster-id | Topics and consumer groups |
Schema Registry | query /permissions endpoint | schema-registry-cluster-id | Schemas |
Connect | query /permissions endpoint | connect-cluster-id | Connectors |
KSQL | query /info endpoint | ksql-cluster-id | KSQL streams and tables |
Get the Kafka cluster ID
Use the zookeeper-shell command to get the Kafka cluster ID.
$CONFLUENT_HOME/bin/zookeeper-shell localhost:2181 get /cluster/id
Your output should resemble:
Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
{"version":"1","id":"xrx5mUMWTvaWbk157wFDKw"}
cZxid = 0x17
...
In this example, the Kafka cluster ID is xrx5mUMWTvaWbk157wFDKw.
Use the Kafka cluster ID with the kafka-cluster-id option when you assign a role to a user. The following Confluent CLI command shows how to grant the DeveloperRead role on this cluster.
# Grant read-only access for a user to a topic.
confluent iam rolebinding create \
--principal User:<user-name> \
--role DeveloperRead \
--resource Topic:<topic-name> \
--kafka-cluster-id xrx5mUMWTvaWbk157wFDKw
Get the KSQL cluster ID
Get the KSQL cluster ID from the ksql.service.id setting in the ksql-server.properties file.
Also, you can query the /info endpoint on the KSQL Server.
curl -u <user>:<password> "http://<ksql-server-hostname>:8088/info" | jq '.'
Your output should resemble:
{
"KsqlServerInfo": {
"version": "5.3.0",
"kafkaClusterId": "xrx5mUMWTvaWbk157wFDKw",
"ksqlServiceId": "default_"
}
}
In this example, the KSQL service ID is default_.
Use the KSQL service ID with the ksql-cluster-id option, together with the Kafka cluster ID in the kafka-cluster-id option, when you assign a role to a user. The following Confluent CLI command shows how to grant the ResourceOwner role on this cluster.
confluent iam rolebinding create \
--principal User:<user-name> \
--role ResourceOwner \
--kafka-cluster-id xrx5mUMWTvaWbk157wFDKw \
--ksql-cluster-id default_ \
--resource KsqlCluster:ksql-cluster
Get the Schema Registry cluster ID
When RBAC is enabled, query the /permissions endpoint on the Schema Registry server.
curl -u <sr-user>:<sr-password> http://<sr-hostname>:8081/permissions
Your output should resemble:
{"permissions":{},"scope":{"path":[],"clusters":{"kafka-cluster":"xrx5mUMWTvaWbk157wFDKw","schema-registry-cluster":"schema-registry"}}}
In this example, the Schema Registry cluster ID is schema-registry.
The following Confluent CLI command shows how to grant the DeveloperRead role on a Schema Registry cluster that has the default cluster ID.
confluent iam rolebinding create \
--principal User:<user-name> \
--role DeveloperRead \
--schema-registry-cluster-id schema-registry \
--kafka-cluster-id xrx5mUMWTvaWbk157wFDKw
The Schema Registry cluster ID is the schema.registry.group.id configuration setting in the schema-registry.properties file. The default value is schema-registry.
Assign the ID by using the schema-registry-cluster-id option in the confluent iam rolebinding create command.
Use the cluster ID of the Kafka cluster that stores schemas. This cluster is configured with the kafkastore.bootstrap.servers property. If the kafkastore.bootstrap.servers property isn’t set, use the cluster that has ZooKeeper configured with the kafkastore.connection.url property. For more information, see Schema Registry Single Datacenter Setup.
Get the Connect cluster ID
When RBAC is enabled, query the /permissions endpoint on the Connect server.
curl -u <connect-user>:<connect-password> http://<connect-hostname>:8083/permissions
Your output should resemble:
{"permissions":{},"scope":{"path":[],"clusters":{"kafka-cluster":"xrx5mUMWTvaWbk157wFDKw","connect-cluster":"ydfk"}}}
In this example, the Connect cluster ID is ydfk.
The following Confluent CLI command shows how to grant the DeveloperRead role on the ydfk Connect cluster.
confluent iam rolebinding create \
--principal User:<user-name> \
--role DeveloperRead \
--connect-cluster-id ydfk \
--kafka-cluster-id xrx5mUMWTvaWbk157wFDKw
The Connect cluster ID is the group.id setting from your worker configuration file. Assign the ID by using the connect-cluster-id option in the confluent iam rolebinding create command.
Use the cluster ID of the Kafka cluster that stores connector configuration, status, and offset information. This cluster is configured in the Connect worker file that has the bootstrap.servers property. For more information, see Distributed Worker Configuration.
Note
If running in standalone mode, the connect-cluster-id is STANDALONE, in all capital letters.
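The lookups above can be cross-checked before a role is bound, so that a binding is never created against a Kafka cluster other than the one the component actually uses. The following Python sketch is an added example, not part of the Confluent documentation or tooling: it parses the zookeeper-shell, /permissions and /info outputs shown on this page, refuses to continue if the Kafka cluster IDs disagree, and builds the argument list for confluent iam rolebinding create. The function names are hypothetical, and deriving the CLI option by appending -id to the key under "clusters" is an assumption based on the sample responses above.

```python
import json

# Sample outputs copied from the examples on this page.
ZK_OUTPUT = """Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
{"version":"1","id":"xrx5mUMWTvaWbk157wFDKw"}
cZxid = 0x17
"""
CONNECT_PERMISSIONS = ('{"permissions":{},"scope":{"path":[],"clusters":'
                       '{"kafka-cluster":"xrx5mUMWTvaWbk157wFDKw","connect-cluster":"ydfk"}}}')
KSQL_INFO = ('{"KsqlServerInfo":{"version":"5.3.0",'
             '"kafkaClusterId":"xrx5mUMWTvaWbk157wFDKw","ksqlServiceId":"default_"}}')


def kafka_id_from_zookeeper(shell_output):
    """Return the "id" field of the JSON line zookeeper-shell prints for /cluster/id."""
    for line in shell_output.splitlines():
        if line.strip().startswith("{"):
            return json.loads(line)["id"]
    raise ValueError("no cluster id JSON line in zookeeper-shell output")


def component_scope(body):
    """Return (kafka_id, {cli_option: id}) from a /permissions or /info response body."""
    doc = json.loads(body)
    if "KsqlServerInfo" in doc:  # KSQL Server /info response
        info = doc["KsqlServerInfo"]
        return info["kafkaClusterId"], {"--ksql-cluster-id": info["ksqlServiceId"]}
    clusters = dict(doc["scope"]["clusters"])  # Schema Registry or Connect /permissions
    kafka_id = clusters.pop("kafka-cluster")
    # Assumption: "connect-cluster" maps to --connect-cluster-id, and so on.
    return kafka_id, {f"--{name}-id": cid for name, cid in clusters.items()}


def rolebinding_args(principal, role, zk_output, component_body, resource=None):
    """Build the CLI argument list; refuse if the component reports a different Kafka cluster."""
    expected = kafka_id_from_zookeeper(zk_output)
    reported, component_ids = component_scope(component_body)
    if reported != expected:
        raise ValueError(f"component is scoped to Kafka cluster {reported}, not {expected}")
    args = ["confluent", "iam", "rolebinding", "create",
            "--principal", principal, "--role", role, "--kafka-cluster-id", expected]
    for option, cid in component_ids.items():
        args += [option, cid]
    return args + (["--resource", resource] if resource else [])
```

Passing the returned list to a process launcher as separate arguments, rather than joining it into a shell string, keeps principal and resource names from being reinterpreted by the shell.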