.. _rbac-config-using-rest-api:

Configure RBAC using the REST API
---------------------------------

Use the sample curl statements below to configure RBAC for different components
using the REST API.

.. note:: This guidance assumes that you are using default topics and cluster
          IDs. Replace all variable entries (in ``<>``) with values from your
          installation.

.. _rbac-config-sr-using-rest-api:

|sr|
^^^^

To configure RBAC for |sr| using the REST API:

#. Get the MDS token:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -u <username>:<password> \
       -s https://<mds-host>:8090/security/1.0/authenticate

#. Grant the Security Admin role to a |sr| user:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<sr-user>/roles/SecurityAdmin \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"clusters":{"kafka-cluster":"<kafka-cluster-id>","schema-registry-cluster":"<schema-registry-cluster-id>"}}'

#. Grant the Resource Owner role to the group that |sr| nodes use to coordinate
   access across the cluster:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<sr-user>/roles/ResourceOwner/bindings \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"scope":{"clusters":{"kafka-cluster": "<kafka-cluster-id>"}}, "resourcePatterns":[{"resourceType":"Group","name": "schema-registry","patternType":"LITERAL"}]}'

.. _rbac-config-connect-using-rest-api:

|kconnect|
^^^^^^^^^^

To configure :ref:`Connect RBAC ` role bindings using the REST API:

#. Get the MDS token:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -u <username>:<password> \
       -s https://<mds-host>:8090/security/1.0/authenticate

#. Grant the Security Admin role to a |kconnect| cluster:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<connect-user>/roles/SecurityAdmin \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"clusters":{"kafka-cluster":"<kafka-cluster-id>","connect-cluster":"<connect-cluster-id>"}}'

#. Grant the |kconnect| user the ResourceOwner role on the group that |kconnect|
   nodes use to coordinate across the cluster:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<connect-user>/roles/ResourceOwner/bindings \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Group","name":"connect-cluster","patternType":"LITERAL"}]}'

#. Grant the Resource Owner role on the configuration storage topic:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<connect-user>/roles/ResourceOwner/bindings \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-configs","patternType":"LITERAL"}]}'

#. Grant the Resource Owner role on the offset storage topic:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<connect-user>/roles/ResourceOwner/bindings \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-offsets","patternType":"LITERAL"}]}'

#. Grant the Resource Owner role on the status storage topic:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<connect-user>/roles/ResourceOwner/bindings \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-status","patternType":"LITERAL"}]}'

.. _rbac-config-ksql-using-rest-api:

|ksqldb|
^^^^^^^^

To configure RBAC for |ksqldb| using the REST API:

#. Get the MDS token:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -u <username>:<password> \
       -s https://<mds-host>:8090/security/1.0/authenticate

#. Grant the Security Admin role to a |ksqldb| user:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<ksql-user>/roles/SecurityAdmin \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"clusters":{"kafka-cluster":"<kafka-cluster-id>","ksql-cluster":"default_"}}'

#. Grant the Resource Owner role to the |ksqldb| user on the |ksqldb| cluster:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<ksql-user>/roles/ResourceOwner/bindings \
       -d '{ "scope": {"clusters": {"kafka-cluster":"<kafka-cluster-id>","ksql-cluster":"default_"}},"resourcePatterns":[{"resourceType": "KsqlCluster","name": "ksql-cluster"}]}' \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer <token>"

#. Grant the Resource Owner role to the |ksqldb| user with three
   resourcePatterns:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<ksql-user>/roles/ResourceOwner/bindings \
       -d '{ "scope": {"clusters": {"kafka-cluster":"<kafka-cluster-id>"}}, "resourcePatterns": [{"resourceType": "Topic", "name": "confluent-ksql-defaultcommand_topic","patternType":"LITERAL"},{"resourceType":"Topic","name":"default-ksql_processing_log","patternType":"LITERAL"},{"resourceType":"Group","name":"confluent-ksql-default","patternType":"PREFIXED"}]}' \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer <token>"

.. _rbac-config-control-center-using-rest-api:

|c3|
^^^^

To configure RBAC for |c3-short| using the REST API:

#. Get the MDS token:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -u <username>:<password> \
       -s https://<mds-host>:8090/security/1.0/authenticate

#. Grant the System Admin role to the |c3-short| user:

   ::

     curl --cacert <ca-cert> --key <key> --cert <cert> \
       -X POST https://<mds-host>:8090/security/1.0/principals/User:<c3-user>/roles/SystemAdmin \
       -H "accept: application/json" \
       -H "Authorization: Bearer <token>" \
       -H "Content-Type: application/json" \
       -d '{"clusters": {"kafka-cluster": ""}}'
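
The |kconnect| steps above repeat one request shape for the coordination group and the three storage topics. The script below is an added example, not part of the original documentation: it extracts the token once and builds each ResourceOwner body from the same template, so the bindings can be reviewed in a dry run before they are sent. ``MDS_URL``, ``CONNECT_USER``, ``KAFKA_ID``, ``CA_CERT``, ``KEY``, ``CERT`` and ``DRY_RUN`` are hypothetical names, and the ``auth_token`` response field is an assumption.

```shell
#!/bin/sh
# Added example: dry-run helper for the Connect ResourceOwner bindings above.
# MDS_URL, CONNECT_USER and KAFKA_ID defaults are constructed placeholders.
MDS_URL="${MDS_URL:-https://mds.example.internal:8090}"
CONNECT_USER="${CONNECT_USER:-connect-svc}"
KAFKA_ID="${KAFKA_ID:-kafka-cluster-id-placeholder}"

# Pull the token out of the JSON body returned by /security/1.0/authenticate.
# Assumption: the body carries an "auth_token" string field.
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"auth_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the body for one binding; only the two pattern types used on this page pass.
binding_payload() {  # args: kafka-cluster-id resourceType name patternType
    case "$4" in
        LITERAL|PREFIXED) ;;
        *) echo "unsupported patternType: $4" >&2; return 1 ;;
    esac
    printf '{"scope":{"clusters":{"kafka-cluster":"%s"}},"resourcePatterns":[{"resourceType":"%s","name":"%s","patternType":"%s"}]}' \
        "$1" "$2" "$3" "$4"
}

# Print (DRY_RUN=1, the default) or send the four Connect bindings.
grant_connect_bindings() {  # arg: bearer token
    url="$MDS_URL/security/1.0/principals/User:$CONNECT_USER/roles/ResourceOwner/bindings"
    for res in Group:connect-cluster Topic:connect-configs Topic:connect-offsets Topic:connect-status; do
        body=$(binding_payload "$KAFKA_ID" "${res%%:*}" "${res#*:}" LITERAL) || return 1
        if [ "${DRY_RUN:-1}" = 1 ]; then
            # The token is deliberately left out of dry-run output.
            printf 'POST %s %s\n' "$url" "$body"
        else
            # -f makes curl exit non-zero on an HTTP error, so a rejected binding stops the loop.
            curl -sf --cacert "$CA_CERT" --key "$KEY" --cert "$CERT" -X POST "$url" \
                -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
                -d "$body" || { echo "binding failed: $res" >&2; return 1; }
        fi
    done
}

# Stand-alone run: show the planned requests without contacting MDS.
if [ "${DRY_RUN:-1}" = 1 ]; then
    grant_connect_bindings "token-unused-in-dry-run"
fi
```

To send the requests, export ``DRY_RUN=0`` together with ``CA_CERT``, ``KEY`` and ``CERT``, and pass ``grant_connect_bindings`` the value that ``extract_token`` returns for the authenticate response.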