Discover Identifiers for Clusters

Important

This feature is available as a preview feature. A preview feature is a component of Confluent Platform that is being introduced to gain early feedback from developers. This feature can be used for evaluation and non-production testing purposes or to provide feedback to Confluent.

When you assign user roles by using the Confluent CLI, you need the identifiers for the clusters in your Confluent Platform deployment.

For example, the following command assigns the DeveloperRead role on a topic in the Kafka cluster identified by <kafka-id>.

# Grant read-only access for a user to a topic.
confluent iam rolebinding create \
  --principal User:<user-name> \
  --role DeveloperRead \
  --resource Topic:<topic-name> \
  --kafka-cluster-id <kafka-id>

When creating role bindings for Schema Registry, KSQL, and Connect, you must provide two identifiers: the Kafka cluster identifier and an additional component cluster identifier. For example, the following command assigns the DeveloperWrite role on a topic in a Schema Registry cluster:

# Grant write access for a user to a topic in Schema Registry.
confluent iam rolebinding create \
  --principal User:<user-name> \
  --role DeveloperWrite \
  --resource Topic:<topic-name> \
  --kafka-cluster-id <kafka-id> \
  --schema-registry-cluster-id <schema-registry-cluster-id>

There are different endpoints to query for cluster identifiers in your Confluent Platform deployment. The following table summarizes how you get cluster IDs.

| Service         | How to get the cluster ID   | CLI option for cluster ID  | Use to grant access to     |
|-----------------|-----------------------------|----------------------------|----------------------------|
| Kafka           | query ZooKeeper             | kafka-cluster-id           | Topics and consumer groups |
| Schema Registry | query /permissions endpoint | schema-registry-cluster-id | Schemas                    |
| Connect         | query /permissions endpoint | connect-cluster-id         | Connectors                 |
| KSQL            | query /info endpoint        | ksql-cluster-id            | KSQL streams and tables    |

Get the Kafka cluster ID

Use the zookeeper-shell command to get the Kafka cluster ID.

$CONFLUENT_HOME/bin/zookeeper-shell localhost:2181 get /cluster/id

Your output should resemble:

Connecting to localhost:2181

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
{"version":"1","id":"xrx5mUMWTvaWbk157wFDKw"}
cZxid = 0x17
...

In this example, the Kafka cluster ID is xrx5mUMWTvaWbk157wFDKw.

Use the Kafka cluster ID with the kafka-cluster-id option when you assign a role to a user. The following Confluent CLI command shows how to grant the DeveloperRead role on this cluster.

# Grant read-only access for a user to a topic.
confluent iam rolebinding create \
  --principal User:<user-name> \
  --role DeveloperRead \
  --resource Topic:<topic-name> \
  --kafka-cluster-id xrx5mUMWTvaWbk157wFDKw

Get the KSQL cluster ID

Get the KSQL cluster ID from the ksql.service.id setting in the ksql-server.properties file.

Also, you can query the /info endpoint on the KSQL Server.

curl -u <user>:<password> "http://<ksql-server-hostname>:8088/info" | jq '.'

Your output should resemble:

{
  "KsqlServerInfo": {
    "version": "5.3.1",
    "kafkaClusterId": "xrx5mUMWTvaWbk157wFDKw",
    "ksqlServiceId": "default_"
  }
}

In this example, the KSQL service ID is default_.

Use the KSQL service ID with the ksql-cluster-id option when you assign a role to a user. The following Confluent CLI command shows how to grant the ResourceOwner role on this cluster.

confluent iam rolebinding create \
    --principal User:<user-name> \
    --role ResourceOwner \
    --kafka-cluster-id xrx5mUMWTvaWbk157wFDKw \
    --ksql-cluster-id default_ \
    --resource KsqlCluster:ksql-cluster

Get the Schema Registry cluster ID

When RBAC is enabled, query the /permissions endpoint on the Schema Registry server.

curl -u <sr-user>:<sr-password> http://<sr-hostname>:8081/permissions

Your output should resemble:

{"permissions":{},"scope":{"path":[],"clusters":{"kafka-cluster":"xrx5mUMWTvaWbk157wFDKw","schema-registry-cluster":"schema-registry"}}}

In this example, the Schema Registry cluster ID is schema-registry.

The following Confluent CLI command shows how to grant the DeveloperRead role on a Schema Registry cluster that has the default cluster ID.

confluent iam rolebinding create \
  --principal User:<user-name> \
  --role DeveloperRead \
  --schema-registry-cluster-id schema-registry \
  --kafka-cluster-id xrx5mUMWTvaWbk157wFDKw

The Schema Registry cluster ID is the schema.registry.group.id configuration setting in the schema-registry.properties file. The default value is schema-registry. Assign the ID by using the schema-registry-cluster-id option in the confluent iam rolebinding create command.

Use the cluster ID of the Kafka cluster that stores schemas. This cluster is configured with the kafkastore.bootstrap.servers property. If the kafkastore.bootstrap.servers property isn’t set, use the cluster that has ZooKeeper configured with the kafkastore.connection.url property. For more information, see Schema Registry Single Datacenter Setup.

Get the Connect cluster ID

When RBAC is enabled, query the /permissions endpoint on the Connect server.

curl -u <connect-user>:<connect-password> http://<connect-hostname>:8083/permissions

Your output should resemble:

{"permissions":{},"scope":{"path":[],"clusters":{"kafka-cluster":"xrx5mUMWTvaWbk157wFDKw","connect-cluster":"ydfk"}}}

In this example, the Connect cluster ID is ydfk.

The following Confluent CLI command shows how to grant the DeveloperRead role on the ydfk Connect cluster.

confluent iam rolebinding create \
  --principal User:<user-name> \
  --role DeveloperRead \
  --connect-cluster-id ydfk \
  --kafka-cluster-id xrx5mUMWTvaWbk157wFDKw

The Connect cluster ID is the group.id setting from your worker configuration file. Assign the ID by using the connect-cluster-id option in the confluent iam rolebinding create command.

Use the cluster ID of the Kafka cluster that stores connector configuration, status, and offset information. This cluster is set by the bootstrap.servers property in the Connect worker configuration file. For more information, see Distributed Worker Configuration.

Note

If running in standalone mode, the connect-cluster-id is STANDALONE, in all capital letters.
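The lookups above can be combined into one check before any role is granted. The following is an added example, not code from the Confluent documentation: it parses the sample outputs shown on this page, confirms that a component reports the same Kafka cluster ID as ZooKeeper, and only then assembles the rolebinding arguments. The function names, the principal value, and the "ksql-cluster" scope key are assumptions made for this example.

```python
import json

# Constructed sample outputs, taken from the examples on this page.
ZK_OUT = """Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
{"version":"1","id":"xrx5mUMWTvaWbk157wFDKw"}
cZxid = 0x17
"""
SR_OUT = ('{"permissions":{},"scope":{"path":[],"clusters":{"kafka-cluster":'
          '"xrx5mUMWTvaWbk157wFDKw","schema-registry-cluster":"schema-registry"}}}')
KSQL_OUT = ('{"KsqlServerInfo":{"version":"5.3.1",'
            '"kafkaClusterId":"xrx5mUMWTvaWbk157wFDKw","ksqlServiceId":"default_"}}')

# Scope key -> CLI option from the table above ("ksql-cluster" is this example's own key).
OPTION = {"kafka-cluster": "--kafka-cluster-id",
          "schema-registry-cluster": "--schema-registry-cluster-id",
          "connect-cluster": "--connect-cluster-id",
          "ksql-cluster": "--ksql-cluster-id"}

def kafka_id_from_zk(text):
    """Return the id from the single JSON line in zookeeper-shell output."""
    for line in text.splitlines():
        if line.startswith("{"):
            return json.loads(line)["id"]
    raise ValueError("no /cluster/id JSON line found")

def scope_from_permissions(body):
    """Return the clusters map from a /permissions response."""
    return dict(json.loads(body)["scope"]["clusters"])

def scope_from_ksql_info(body):
    """Map a KSQL /info response onto the same clusters shape."""
    info = json.loads(body)["KsqlServerInfo"]
    return {"kafka-cluster": info["kafkaClusterId"],
            "ksql-cluster": info["ksqlServiceId"]}

def rolebinding_args(principal, role, scope, expected_kafka_id, resource=None):
    """Build the argv; refuse a scope that names a different Kafka cluster."""
    if scope.get("kafka-cluster") != expected_kafka_id:
        raise ValueError("component reports a different Kafka cluster ID")
    args = ["confluent", "iam", "rolebinding", "create",
            "--principal", principal, "--role", role]
    if resource:
        args += ["--resource", resource]
    for key, option in OPTION.items():      # fixed order, Kafka cluster first
        if key in scope:
            args += [option, scope[key]]
    return args
```

Returning an argument list rather than a shell string keeps IDs read from an HTTP response from being interpreted by the shell when the command is run.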