.. _rbac-get-cluster-ids: Discover Identifiers for Clusters ################################# When you :confluent-cli:`assign user roles|command-reference/iam/rbac/role-binding/confluent_iam_rbac_role-binding_create.html` using the |confluent-cli|, you need the identifiers for the clusters in your |cp| deployment. For example, the following command assigns the ``DeveloperRead`` role on a topic in the |ak| cluster identified by . .. code:: bash # Grant read-only access for a user to a topic. confluent iam rbac role-binding create \ --principal User: \ --role DeveloperRead \ --resource Topic: \ --kafka-cluster-id When creating role bindings for |sr|, |ksqldb|, and |kconnect| you must provide two identifiers: the |ak| cluster identifier and an additional component cluster identifier. For example, the following command assigns the ``DeveloperWrite`` role on a topic in a |sr| cluster: .. code:: bash # Grant write access for a user to a topic in Schema Registry. confluent iam rbac role-binding create \ --principal User: \ --role DeveloperWrite \ --resource Topic: \ --kafka-cluster-id \ --schema-registry-cluster-id .. _view-cluster-ids: Viewing Cluster IDs ******************* Before searching for a component's cluster ID, you must know the URL (for example, http://127.0.0.1:8080/) for all of your |cp| components. Contact your IT admin to get the HTTP address (which depends on your setup) for each component. To view the cluster ID for a |cp| component: :: confluent cluster describe --url |ak| Example ============ For |ak|, your output should resemble: :: confluent cluster describe --url http://localhost:8090 Scope: Type | ID +-----------------+------------------------+ kafka-cluster | LRx92c9yQ+ws786HYosuBn In this example, the |ak| cluster ID is ``LRx92c9yQ+ws786HYosuBn``. Use the |ak| cluster ID with the ``kafka-cluster-id`` option when you assign a role or an ACL to a user. The following |confluent-cli| command shows how to grant the ``DeveloperRead`` role on this cluster. .. code:: bash # Grant read-only access for a user to a topic. confluent iam rbac role-binding create \ --principal User: \ --role DeveloperRead \ --resource Topic: \ --kafka-cluster-id LRx92c9yQ+ws786HYosuBn |ksqldb| Example ================ For |ksqlDB|, your output should resemble: :: confluent cluster describe --url http://localhost:8088 Scope: Type | ID +-----------------+------------------------+ ksql-cluster | ksql-cluster kafka-cluster | JFb61d2pD6fe224FbsjoZl In this example, the |ksqldb| service ID is ``ksql-cluster``. Use the |ksqldb| service ID with the ``ksql-cluster-id`` option when you assign a role to a user. The following |confluent-cli| command shows how to grant the ``ResourceOwner`` role on this cluster. .. code:: bash confluent iam rbac role-binding create \ --principal User: \ --role ResourceOwner \ --kafka-cluster-id JFb61d2pD6fe224FbsjoZl \ --ksql-cluster-id ksql-cluster \ --resource KsqlCluster:ksql-cluster |sr| Example ============ For |sr|, your output should resemble: :: confluent cluster describe --url http://localhost:8081 Scope: Type | ID +------------------------+--------------------------+ schema-registry-cluster | schema-registry kafka-cluster | DCs16f7dN-pu781RtumkJd In this example, the |sr| cluster ID is ``schema-registry``. The following |confluent-cli| command shows how to grant the ``DeveloperRead`` role on a |sr| cluster that has the default cluster ID. .. code:: bash confluent iam rbac role-binding create \ --principal User: \ --role DeveloperRead \ --schema-registry-cluster-id schema-registry \ --kafka-cluster-id DCs16f7dN-pu781RtumkJd The |sr| cluster ID is the ``schema.registry.group.id`` configuration setting in the ``schema-registry.properties`` file. The default value is ``schema-registry``. Assign the ID by using the ``schema-registry-cluster-id`` option in the ``confluent iam rbac role-binding create`` command. Use the cluster ID of the |ak| cluster that stores schemas. This cluster is configured with the ``kafkastore.boostrap.servers`` property. If the ``kafkastore.boostrap.servers`` property is not set, use the cluster that has |zk| configured with the ``kafkastore.connection.url`` property. For more information, see :ref:`schemaregistry_single-dc`. .. note:: :ref:`kafkastore-connection-url` has since been deprecated. See :ref:`schemaregistry_zk_migration` for details. |kconnect| Example ================== For |kconnect|, your output should resemble: :: confluent cluster describe --url http://localhost:8083 Scope: Type | ID +-----------------+------------------------+ connect-cluster | connect-cluster kafka-cluster | DEk20b9rR-at315LMtcuUw In this example, the |kconnect| cluster ID is ``connect-cluster``. The following |confluent-cli| command shows how to grant the ``DeveloperRead`` role on the ``connect-cluster`` Connect cluster. .. code:: bash confluent iam rbac role-binding create \ --principal User: \ --role DeveloperRead \ --connect-cluster-id connect-cluster \ --kafka-cluster-id DEk20b9rR-at315LMtcuUw The |kconnect| cluster ID is the ``group.id`` setting from your worker configuration file. Assign the ID by using the ``connect-cluster-id`` option in the ``confluent iam rbac role-binding create`` command. Use the cluster ID of the Kafka cluster that stores connector configuration, status, and offset information. This cluster is configured in the Connect worker file that has the ``bootstrap.servers`` property. For more information, see :ref:`connect-dist-work-config`. .. note:: If running in standalone mode, the ``connect-cluster-id`` is ``STANDALONE``, in all capital letters.