.. _rbac_demo:

RBAC Example for |cp|
=====================

This example shows how to enable |rbac-long| functionality across |cp|.
It is for users who have `downloaded `__ |cp| to their local hosts.

.. seealso::

   For an |rbac| example that is more representative of a real deployment of a |ak| event streaming application, see :ref:`cp-demo`, a Docker-based example with |rbac| and other |cp| security features and LDAP integration.

.. _rbac_demo_local:

====================================
Run example on local install of |cp|
====================================

Caveats
-------

- For simplicity, this example does not use LDAP; instead it uses the Hash
  Login service with statically defined users and passwords. Additional
  configuration would be required to connect the example to your LDAP server.
- The |rbac| configurations and role bindings in this example are not
  comprehensive; they provide the minimum |rbac| functionality needed across
  all the services in |cp|. Refer to the :ref:`RBAC documentation `
  for comprehensive configuration and production guidance.

Prerequisites
-------------

.. include:: ../../../docs/includes/demo-validation-env.rst

Run example
-----------

#. Clone the `confluentinc/examples `__ GitHub repository, and check out the :litwithvars:`|release|-post` branch.

   .. codewithvars:: bash

      git clone https://github.com/confluentinc/examples.git
      cd examples
      git checkout |release_post_branch|

#. Navigate to the ``security/rbac/scripts`` directory.

   .. codewithvars:: bash

      cd security/rbac/scripts

#. You have two options to run the example.

   - Option 1: run the example end-to-end for all services

     .. code:: bash

        ./run.sh

   - Option 2: step through it one service at a time

     .. code:: bash

        ./init.sh
        ./enable-rbac-broker.sh
        ./enable-rbac-schema-registry.sh
        ./enable-rbac-connect.sh
        ./enable-rbac-rest-proxy.sh
        ./enable-rbac-ksqldb-server.sh
        ./enable-rbac-control-center.sh

#. After you run the example, view the configuration files:

   .. code:: bash

      # The original configuration bundled with Confluent Platform
      ls /tmp/original_configs/

   .. code:: bash

      # Configurations added to each service's properties file
      ls ../delta_configs/

   .. code:: bash

      # The modified configuration = original + delta
      ls /tmp/rbac_configs/

#. After you run the example, view the log files for each of the services.
   All logs are saved in the temporary directory ``/tmp/rbac_logs/``.
   In that directory, you can step through the configuration properties for each of the services:

   .. code:: bash

      connect
      control-center
      kafka
      kafka-rest
      ksql-server
      schema-registry
      zookeeper

#. In this example, the metadata service (MDS) logs are saved under your |cp| installation directory:

   .. code:: bash

      cat $CONFLUENT_HOME/logs/metadata-service.log

Stop example
------------

To stop the example, stop |cp| and delete the files in ``/tmp/``.

.. code:: bash

   cd scripts
   ./cleanup.sh

Summary of Configurations and Role Bindings
-------------------------------------------

Here is a summary of the delta configurations and required role bindings, by service.

.. note:: For simplicity, this example uses the Hash Login service instead of LDAP. If you are using LDAP in your environment, extra configuration is required.

Broker
~~~~~~

- Additional RBAC configurations required for :devx-examples:`server.properties|security/rbac/delta_configs/server.properties.delta`

  .. literalinclude:: ../delta_configs/server.properties.delta

- Role bindings:

  .. code:: bash

     # Broker Admin
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_SYSTEM --role SystemAdmin --kafka-cluster $KAFKA_CLUSTER_ID

     # Producer/Consumer
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_A --role ResourceOwner --resource Topic:$TOPIC1 --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_A --role DeveloperRead --resource Group:console-consumer- --prefix --kafka-cluster $KAFKA_CLUSTER_ID

Schema Registry
~~~~~~~~~~~~~~~

- Additional RBAC configurations required for :devx-examples:`schema-registry.properties|security/rbac/delta_configs/schema-registry.properties.delta`

  .. literalinclude:: ../delta_configs/schema-registry.properties.delta

- Role bindings:

  .. code:: bash

     # Schema Registry Admin
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_schemas --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_schema_encoders --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_dek_registry_keys --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role SecurityAdmin --kafka-cluster $KAFKA_CLUSTER_ID --schema-registry-cluster $SCHEMA_REGISTRY_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Group:$SCHEMA_REGISTRY_CLUSTER_ID --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role DeveloperRead --resource Topic:$LICENSE_TOPIC --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role DeveloperWrite --resource Topic:$LICENSE_TOPIC --kafka-cluster $KAFKA_CLUSTER_ID

     # Client connecting to Schema Registry
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_A --role ResourceOwner --resource Subject:$SUBJECT --kafka-cluster $KAFKA_CLUSTER_ID --schema-registry-cluster $SCHEMA_REGISTRY_CLUSTER_ID

Connect
~~~~~~~

- Additional RBAC configurations required for :devx-examples:`connect-avro-distributed.properties|security/rbac/delta_configs/connect-avro-distributed.properties.delta`

  .. literalinclude:: ../delta_configs/connect-avro-distributed.properties.delta

- Additional RBAC configurations required for a :devx-examples:`source connector|security/rbac/delta_configs/connector-source.properties.delta`

  .. literalinclude:: ../delta_configs/connector-source.properties.delta

- Additional RBAC configurations required for a :devx-examples:`sink connector|security/rbac/delta_configs/connector-sink.properties.delta`

  .. literalinclude:: ../delta_configs/connector-sink.properties.delta

- Role bindings:

  .. code:: bash

     # Connect Admin
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Topic:connect-configs --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Topic:connect-offsets --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Topic:connect-statuses --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Group:connect-cluster --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Topic:_confluent-secrets --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Group:secret-registry --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_CONNECT --role SecurityAdmin --kafka-cluster $KAFKA_CLUSTER_ID --connect-cluster $CONNECT_CLUSTER_ID

     # Connector Submitter
     confluent iam rbac role-binding create --principal User:$USER_CONNECTOR_SUBMITTER --role ResourceOwner --resource Connector:$CONNECTOR_NAME --kafka-cluster $KAFKA_CLUSTER_ID --connect-cluster $CONNECT_CLUSTER_ID

     # Connector
     confluent iam rbac role-binding create --principal User:$USER_CONNECTOR --role ResourceOwner --resource Topic:$TOPIC2_AVRO --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_CONNECTOR --role ResourceOwner --resource Subject:${TOPIC2_AVRO}-value --kafka-cluster $KAFKA_CLUSTER_ID --schema-registry-cluster $SCHEMA_REGISTRY_CLUSTER_ID

     # Sink Connector
     confluent iam rbac role-binding create --principal User:$USER_CONNECTOR --role DeveloperRead --resource Group:$CONNECTOR_CONSUMER_GROUP_ID --prefix --kafka-cluster $KAFKA_CLUSTER_ID

REST Proxy
~~~~~~~~~~

- Additional RBAC configurations required for :devx-examples:`kafka-rest.properties|security/rbac/delta_configs/kafka-rest.properties.delta`

  .. literalinclude:: ../delta_configs/kafka-rest.properties.delta

- Role bindings:

  .. code:: bash

     # REST Proxy Admin: role bindings for license management only; no additional
     # administrative role bindings are required because REST Proxy impersonates the caller
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_RP --role DeveloperRead --resource Topic:$LICENSE_TOPIC --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_RP --role DeveloperWrite --resource Topic:$LICENSE_TOPIC --kafka-cluster $KAFKA_CLUSTER_ID

     # Producer/Consumer
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_RP --role ResourceOwner --resource Topic:$TOPIC3 --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_RP --role DeveloperRead --resource Group:$CONSUMER_GROUP --kafka-cluster $KAFKA_CLUSTER_ID

ksqlDB
~~~~~~

- Additional RBAC configurations required for :devx-examples:`ksql-server.properties|security/rbac/delta_configs/ksql-server.properties.delta`

  .. literalinclude:: ../delta_configs/ksql-server.properties.delta

- Role bindings:

  .. code:: bash

     # ksqlDB Server Admin
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_KSQLDB --role ResourceOwner --resource Topic:_confluent-ksql-${KSQL_SERVICE_ID}_command_topic --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_KSQLDB --role ResourceOwner --resource Topic:${KSQL_SERVICE_ID}ksql_processing_log --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_KSQLDB --role SecurityAdmin --kafka-cluster $KAFKA_CLUSTER_ID --ksql-cluster $KSQL_SERVICE_ID
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_KSQLDB --role ResourceOwner --resource KsqlCluster:ksql-cluster --kafka-cluster $KAFKA_CLUSTER_ID --ksql-cluster $KSQL_SERVICE_ID

     # ksqlDB CLI queries
     confluent iam rbac role-binding create --principal User:${USER_KSQLDB} --role DeveloperWrite --resource KsqlCluster:ksql-cluster --kafka-cluster $KAFKA_CLUSTER_ID --ksql-cluster $KSQL_SERVICE_ID
     confluent iam rbac role-binding create --principal User:${USER_KSQLDB} --role DeveloperRead --resource Topic:$TOPIC1 --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_KSQLDB} --role DeveloperRead --resource Group:_confluent-ksql-${KSQL_SERVICE_ID} --prefix --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_KSQLDB} --role DeveloperRead --resource Topic:${KSQL_SERVICE_ID}ksql_processing_log --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_ADMIN_KSQLDB} --role DeveloperRead --resource Group:_confluent-ksql-${KSQL_SERVICE_ID} --prefix --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_ADMIN_KSQLDB} --role DeveloperRead --resource Topic:$TOPIC1 --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource TransactionalId:${KSQL_SERVICE_ID} --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_KSQLDB} --role ResourceOwner --resource Topic:_confluent-ksql-${KSQL_SERVICE_ID}transient --prefix --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource Topic:_confluent-ksql-${KSQL_SERVICE_ID}transient --prefix --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_KSQLDB} --role ResourceOwner --resource Topic:${CSAS_STREAM1} --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource Topic:${CSAS_STREAM1} --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_KSQLDB} --role ResourceOwner --resource Topic:${CTAS_TABLE1} --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource Topic:${CTAS_TABLE1} --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource Topic:_confluent-ksql-${KSQL_SERVICE_ID} --prefix --kafka-cluster $KAFKA_CLUSTER_ID

Control Center
~~~~~~~~~~~~~~

- Additional RBAC configurations required for :devx-examples:`control-center-dev.properties|security/rbac/delta_configs/control-center-dev.properties.delta`

  .. literalinclude:: ../delta_configs/control-center-dev.properties.delta

- Role bindings:

  .. code:: bash

     # Control Center Admin
     confluent iam rbac role-binding create --principal User:$USER_ADMIN_C3 --role SystemAdmin --kafka-cluster $KAFKA_CLUSTER_ID

     # Control Center user
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_C --role DeveloperRead --resource Topic:$TOPIC1 --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_C --role DeveloperRead --resource Topic:$TOPIC2_AVRO --kafka-cluster $KAFKA_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_C --role DeveloperRead --resource Subject:${TOPIC2_AVRO}-value --kafka-cluster $KAFKA_CLUSTER_ID --schema-registry-cluster $SCHEMA_REGISTRY_CLUSTER_ID
     confluent iam rbac role-binding create --principal User:$USER_CLIENT_C --role DeveloperRead --resource Connector:$CONNECTOR_NAME --kafka-cluster $KAFKA_CLUSTER_ID --connect-cluster $CONNECT_CLUSTER_ID

General Rolebinding Syntax
~~~~~~~~~~~~~~~~~~~~~~~~~~

#. The general rolebinding syntax is:

   .. code:: bash

      confluent iam rbac role-binding create --role [role name] --principal User:[username] --resource [resource type]:[resource name] --[cluster type]-cluster [cluster id]

   The ``--kafka-cluster`` flag is always required; ``--schema-registry-cluster``, ``--connect-cluster`` or ``--ksql-cluster`` is added when the resource lives in that component. A cluster-scoped role such as ``SystemAdmin`` or ``SecurityAdmin`` takes no ``--resource``, and ``--prefix`` makes the resource name a prefix match rather than a literal match.

#. Available role types and permissions can be found :ref:`here `.

#. Resource types include: Cluster, Group, Subject, Connector, TransactionalId, Topic.

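The general syntax above, assembled into a small helper that renders role-binding commands from a declarative spec and counts the cluster-wide ``SystemAdmin`` grants (the Broker and Control Center admin bindings above are of this kind) so they can be reviewed before being applied. This is an added example, not code from the confluentinc/examples repository; the principals, cluster ids and spec lines are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from confluentinc/examples): render role-binding
# commands from a compact spec so they can be reviewed before being applied.
#
# Spec line: principal role resource pattern scope
#   resource  "Type:name", or "-" for a cluster-scoped role (no --resource)
#   pattern   "prefix" adds --prefix; anything else means a literal name
#   scope     extra cluster flag, e.g. "--schema-registry-cluster ID", or "-"
# Cluster ids are constructed placeholders unless set in the environment.
: "${KAFKA_CLUSTER_ID:=EXAMPLE-KAFKA-ID}"
: "${SCHEMA_REGISTRY_CLUSTER_ID:=schema-registry}"

# Build one command following the page's general role-binding syntax.
rb_cmd() {
  local principal=$1 role=$2 resource=$3 pattern=$4 scope=$5
  local cmd="confluent iam rbac role-binding create --principal User:$principal --role $role"
  if [ "$resource" != "-" ]; then cmd="$cmd --resource $resource"; fi
  if [ "$pattern" = "prefix" ]; then cmd="$cmd --prefix"; fi
  cmd="$cmd --kafka-cluster $KAFKA_CLUSTER_ID"
  if [ "$scope" != "-" ]; then cmd="$cmd $scope"; fi
  printf '%s\n' "$cmd"
}

# Render every non-comment, non-empty spec line read from stdin.
render_spec() {
  local p r res pat scope
  while read -r p r res pat scope; do
    case $p in ''|'#'*) continue ;; esac
    rb_cmd "$p" "$r" "$res" "$pat" "$scope"
  done
}

# Count cluster-wide SystemAdmin grants: each one bypasses per-resource
# least privilege and should carry an explicit justification.
count_system_admin() {
  awk '$1 !~ /^#/ && $2 == "SystemAdmin" && $3 == "-"' | wc -l | tr -d ' '
}

# Constructed spec mirroring three kinds of binding from this page.
SPEC="# principal role resource pattern scope
clientA ResourceOwner Subject:users-value literal --schema-registry-cluster $SCHEMA_REGISTRY_CLUSTER_ID
clientA DeveloperRead Group:console-consumer- prefix -
adminSys SystemAdmin - literal -"

printf '%s\n' "$SPEC" | render_spec
printf 'SystemAdmin grants to review: %s\n' "$(printf '%s\n' "$SPEC" | count_system_admin)"
```

Pipe the rendered commands to ``sh`` once they have been reviewed; until then nothing touches MDS.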
Listing Roles for a User
~~~~~~~~~~~~~~~~~~~~~~~~

General listing syntax:

.. code:: bash

   confluent iam rbac role-binding list --principal User:[username] [clusters and resources whose roles you want to view]

For example, to list the roles of ``User:bender`` on the Kafka cluster ``$KAFKA_CLUSTER_ID``:

.. code:: bash

   confluent iam rbac role-binding list --principal User:bender --kafka-cluster $KAFKA_CLUSTER_ID

.. _rbac_demo_docker:

=====================
Run example in Docker
=====================

A Docker-based |rbac| example is :ref:`cp-demo`.
It is representative of a real deployment of a |ak| event streaming application, with |rbac| and other |cp| security features and LDAP integration.

==================
Additional Reading
==================

- :ref:`rbac-overview`
- `RBAC for Kafka Connect whitepaper `__