Example role-binding sequence

The following is an example sequence for configuring RBAC role bindings when working with Kafka Connect and connectors. It assumes the configuration parameters are set as described in the previous sections.

Note

For instructions on getting your actual cluster IDs, refer to Discover Identifiers for Clusters.

The following tasks are completed by the RBAC System Administrator. These are the steps used to grant permissions to the Connect cluster service principal. $CONNECT_USER is the example service principal being configured in the following steps.

  1. Grant principal User:$CONNECT_USER the ResourceOwner role for Topic:connect-configs.

    confluent iam rolebinding create \
    --principal User:$CONNECT_USER \
    --role ResourceOwner \
    --resource Topic:connect-configs \
    --kafka-cluster-id $KAFKA_CLUSTER_ID
    
  2. Grant principal User:$CONNECT_USER the ResourceOwner role for Topic:connect-offsets.

    confluent iam rolebinding create \
    --principal User:$CONNECT_USER \
    --role ResourceOwner \
    --resource Topic:connect-offsets \
    --kafka-cluster-id $KAFKA_CLUSTER_ID
    
  3. Grant principal User:$CONNECT_USER the ResourceOwner role for Topic:connect-statuses.

    confluent iam rolebinding create \
    --principal User:$CONNECT_USER \
    --role ResourceOwner \
    --resource Topic:connect-statuses \
    --kafka-cluster-id $KAFKA_CLUSTER_ID
    
  4. Grant principal User:$CONNECT_USER the ResourceOwner role for Group:connect-cluster.

    confluent iam rolebinding create \
    --principal User:$CONNECT_USER \
    --role ResourceOwner \
    --resource Group:connect-cluster \
    --kafka-cluster-id $KAFKA_CLUSTER_ID
    
  5. Grant principal User:$CONNECT_USER the SecurityAdmin role. This gives User:$CONNECT_USER permission to make requests to the Metadata Service (MDS) to determine whether a user calling the MDS REST API is authorized to perform the required operations.

    confluent iam rolebinding create \
    --principal User:$CONNECT_USER \
    --role SecurityAdmin \
    --kafka-cluster-id $KAFKA_CLUSTER_ID \
    --connect-cluster-id $CONNECT_CLUSTER_ID
    
  6. List the role bindings for the principal User:$CONNECT_USER. Verify that all the role bindings are properly configured.

    confluent iam rolebinding list \
    --principal User:$CONNECT_USER \
    --kafka-cluster-id $KAFKA_CLUSTER_ID \
    --connect-cluster-id $CONNECT_CLUSTER_ID
    

The following two steps are required if using a Connect Secret Registry.

  1. Grant principal User:$CONNECT_USER the ResourceOwner role for Topic:_secrets.

    confluent iam rolebinding create \
    --principal User:$CONNECT_USER \
    --role ResourceOwner \
    --resource Topic:_secrets \
    --kafka-cluster-id $KAFKA_CLUSTER_ID
    
  2. Grant principal User:$CONNECT_USER the ResourceOwner role for Group:secret-registry.

    confluent iam rolebinding create \
    --principal User:$CONNECT_USER \
    --role ResourceOwner \
    --resource Group:secret-registry \
    --kafka-cluster-id $KAFKA_CLUSTER_ID
    

The following steps configure role bindings for a user that is creating a connector. The example user name in the steps is User:$CLIENT. The example uses $CONNECTOR_NAME for the connector name and $DATA_TOPIC for the topic name.

  1. Grant principal User:$CLIENT the ResourceOwner role for Connector:$CONNECTOR_NAME.

    confluent iam rolebinding create \
    --principal User:$CLIENT \
    --role ResourceOwner \
    --resource Connector:$CONNECTOR_NAME \
    --kafka-cluster-id $KAFKA_CLUSTER_ID \
    --connect-cluster-id $CONNECT_CLUSTER_ID
    
  2. Grant principal User:$CONNECT_USER the ResourceOwner role for Topic:$DATA_TOPIC.

    confluent iam rolebinding create \
    --principal User:$CONNECT_USER \
    --role ResourceOwner \
    --resource Topic:$DATA_TOPIC \
    --kafka-cluster-id $KAFKA_CLUSTER_ID
    
  3. List the role bindings for the principal User:$CLIENT to the Connect cluster.

    confluent iam rolebinding list \
    --principal User:$CLIENT \
    --kafka-cluster-id $KAFKA_CLUSTER_ID \
    --connect-cluster-id $CONNECT_CLUSTER_ID
    

After completing these steps:

  • The service principal for the Connect worker should have sufficient permissions, and it should be possible to start the worker successfully.
  • The user should have sufficient permissions to create and manage the connector in the example.
  • The service principal for the connector in the example should have sufficient permissions to access $DATA_TOPIC.
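The whole sequence above as one script, added here as an example and not part of the Confluent documentation. It assumes the `confluent` CLI is on PATH and that KAFKA_CLUSTER_ID, CONNECT_CLUSTER_ID, CONNECT_USER, CLIENT, CONNECTOR_NAME and DATA_TOPIC are set; DRY_RUN and USE_SECRET_REGISTRY are assumed switches so the exact bindings can be reviewed before anything is written to MDS.

```shell
#!/bin/sh
# Added example (not Confluent's own code): the role-binding sequence above as one script.
# Assumes the `confluent` CLI is on PATH and KAFKA_CLUSTER_ID, CONNECT_CLUSTER_ID,
# CONNECT_USER, CLIENT, CONNECTOR_NAME, DATA_TOPIC are set; DRY_RUN / USE_SECRET_REGISTRY are assumed switches.
set -eu   # an unset variable aborts instead of binding an empty "User:" principal

# Print one `confluent iam rolebinding create` command.
#   $1 principal   $2 role   $3 resource ("" for SecurityAdmin, which has none)
#   $4 Connect cluster id ("" when the binding is scoped to the Kafka cluster only)
rolebinding_cmd() {
  cmd="confluent iam rolebinding create --principal $1 --role $2"
  [ -n "$3" ] && cmd="$cmd --resource $3"
  cmd="$cmd --kafka-cluster-id $KAFKA_CLUSTER_ID"
  [ -n "$4" ] && cmd="$cmd --connect-cluster-id $4"
  printf '%s\n' "$cmd"
}

# Execute a command string, or just print it when DRY_RUN=1 (review before applying).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi; }

# Worker service principal: ResourceOwner on exactly the three internal topics and
# the worker group, plus SecurityAdmin on the Connect cluster for MDS authorization checks.
grant_worker() {
  p="User:$CONNECT_USER"
  for res in Topic:connect-configs Topic:connect-offsets Topic:connect-statuses Group:connect-cluster; do
    run "$(rolebinding_cmd "$p" ResourceOwner "$res" "")"
  done
  run "$(rolebinding_cmd "$p" SecurityAdmin "" "$CONNECT_CLUSTER_ID")"
  if [ "${USE_SECRET_REGISTRY:-0}" = 1 ]; then   # the two extra bindings for a Secret Registry
    for res in Topic:_secrets Group:secret-registry; do
      run "$(rolebinding_cmd "$p" ResourceOwner "$res" "")"
    done
  fi
}

# Connector owner: ResourceOwner on the one connector; the worker principal gets the data topic.
grant_client() {
  run "$(rolebinding_cmd "User:$CLIENT" ResourceOwner "Connector:$CONNECTOR_NAME" "$CONNECT_CLUSTER_ID")"
  run "$(rolebinding_cmd "User:$CONNECT_USER" ResourceOwner "Topic:$DATA_TOPIC" "")"
}

# Verification step from the sequence: list what a principal actually holds.
list_bindings() {
  run "confluent iam rolebinding list --principal $1 --kafka-cluster-id $KAFKA_CLUSTER_ID --connect-cluster-id $CONNECT_CLUSTER_ID"
}
if [ "${1:-}" = apply ]; then
  grant_worker; list_bindings "User:$CONNECT_USER"
  grant_client; list_bindings "User:$CLIENT"
fi
```

Run with `DRY_RUN=1 sh bind.sh apply` first and compare the printed commands against the steps above; without DRY_RUN the same commands are executed.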