RBAC Demo

This demo shows how to enable role-based access control (RBAC) functionality across Confluent Platform. It is for users who have downloaded Confluent Platform to their local hosts.

See also

For an RBAC demo that is more representative of a real deployment of a Kafka event streaming application, see Confluent Platform Demo (cp-demo), a Docker-based demo with RBAC and other Confluent Platform security features and LDAP integration.

Run demo on local install of Confluent Platform

Caveats

  • For simplicity, this demo does not use LDAP, instead it uses the Hash Login service with statically defined users/passwords. Additional configurations would be required if you wanted to augment the demo to connect to your LDAP server.
  • The RBAC configurations and role bindings in this demo are not comprehensive, they provide minimum RBAC functionality set up across all the services in Confluent Platform. Please refer to the RBAC documentation for comprehensive configuration and production guidance.

Prerequisites

Confluent Platform is supported in various operating systems and software versions (see Supported Versions and Interoperability for details). This example has been validated with the specific configuration described below. If you are running the example in Windows, which is not officially supported, the example may still work if you update the example code in GitHub, replacing the symlink .env with the contents of config.env.

  • macOS 10.15.3
  • Confluent Platform 5.5.1
  • Java 11.0.6 2020-01-14 LTS
  • bash version 3.2.57
  • jq 1.6
  • (Docker-based examples) Docker version 19.03.8
  • (Docker-based examples) Docker Compose docker-compose version 1.25.4

Run the demo

  1. Clone the confluentinc/examples repository from GitHub and check out the 5.5.1-post branch.

    git clone https://github.com/confluentinc/examples.git
    cd examples
    git checkout 5.5.1-post
    
  2. Navigate to security/rbac/scripts directory.

    cd security/rbac/scripts
    
  3. You have two options to run the demo.

    • Option 1: run the demo end-to-end for all services

      ./run.sh
      
    • Option 2: step through it one service at a time

      ./init.sh
      ./enable-rbac-broker.sh
      ./enable-rbac-schema-registry.sh
      ./enable-rbac-connect.sh
      ./enable-rbac-rest-proxy.sh
      ./enable-rbac-ksqldb-server.sh
      ./enable-rbac-control-center.sh
      
  4. After you run the demo, view the configuration files:

    # The original configuration bundled with Confluent Platform
    ls /tmp/original_configs/
    
    # Configurations added to each service's properties file
    ls ../delta_configs/
    
    # The modified configuration = original + delta
    ls /tmp/rbac_configs/
    
  5. After you run the demo, view the log files for each of the services. Since this demo uses Confluent CLI, all logs are saved in a temporary directory specified by confluent local current.

    ls `confluent local current | tail -1`
    

    In that directory, you can step through the configuration properties for each of the services:

    connect
    control-center
    kafka
    kafka-rest
    ksql-server
    schema-registry
    zookeeper
    
  6. In this demo, the metadata service (MDS) logs are saved in a temporary directory.

    cat `confluent local current | tail -1`/kafka/logs/metadata-service.log
    

Stop the demo

To stop the demo, stop Confluent Platform, and delete files in /tmp/.

cd scripts
./cleanup.sh

Summary of Configurations and Role Bindings

Here is a summary of the delta configurations and required role bindings, by service.

Note

For simplicity, this demo uses the Hash Login service instead of LDAP. If you are using LDAP in your environment, extra configurations are required.

Broker

  • Additional RBAC configurations required for server.properties

    # Confluent Authorizer Settings
    # Semi-colon separated list of super users in the format <principalType>:<principalName>
    # For example super.users=User:admin;User:mds
    super.users=User:ANONYMOUS;User:mds
    
    # MDS Server Settings
    # Enable all authenticated users to connect to the HTTP service.
    confluent.metadata.server.authentication.roles=**
    confluent.metadata.topic.replication.factor=1
    
    # MDS Token Service Settings
    confluent.metadata.server.token.key.path=/tmp/tokenKeypair.pem
    confluent.metadata.server.public.key.path=/tmp/tokenPublicKey.pem
    
    # Configure the RBAC Metadata Service authorizer
    authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    confluent.authorizer.access.rule.providers=CONFLUENT,ZK_ACL
    
    # Bind Metadata Service HTTP service to port 8090
    confluent.metadata.server.listeners=http://0.0.0.0:8090
    # Configure HTTP service advertised hostname. Set this to http://127.0.0.1:8090 if running locally.
    confluent.metadata.server.advertised.listeners=http://127.0.0.1:8090
    
    # HashLoginService Initializer
    confluent.metadata.server.authentication.method=BEARER
    confluent.metadata.server.user.store=FILE
    confluent.metadata.server.user.store.file.path=/tmp/login.properties
    
    # Add named listener TOKEN to existing listeners and advertised.listeners
    listeners=TOKEN://:9092,PLAINTEXT://:9093
    advertised.listeners=TOKEN://localhost:9092,PLAINTEXT://localhost:9093
     
    # Add protocol mapping for newly added named listener TOKEN
    listener.security.protocol.map=PLAINTEXT:PLAINTEXT,TOKEN:SASL_PLAINTEXT
    
    listener.name.token.sasl.enabled.mechanisms=OAUTHBEARER
     
    # Configure the public key used to verify tokens
    # Note: username, password and metadataServerUrls must be set if used for inter-broker communication
    listener.name.token.oauthbearer.sasl.jaas.config= \
        org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
            publicKeyPath="/tmp/tokenPublicKey.pem";
    # Set SASL callback handler for verifying authentication token signatures
    listener.name.token.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
    # Set SASL callback handler for handling tokens on login. This is essentially a noop if not used for inter-broker communication.
    listener.name.token.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
    
  • Role bindings:

    # Broker Admin
    confluent iam rolebinding create --principal User:$USER_ADMIN_SYSTEM --role SystemAdmin --kafka-cluster-id $KAFKA_CLUSTER_ID
    
    # Producer/Consumer
    confluent iam rolebinding create --principal User:$USER_CLIENT_A --role ResourceOwner --resource Topic:$TOPIC1 --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_CLIENT_A --role DeveloperRead --resource Group:console-consumer- --prefix --kafka-cluster-id $KAFKA_CLUSTER_ID
    

Schema Registry

  • Additional RBAC configurations required for schema-registry.properties

    kafkastore.bootstrap.servers=localhost:9092
    kafkastore.security.protocol=SASL_PLAINTEXT
    kafkastore.sasl.mechanism=OAUTHBEARER
    kafkastore.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    kafkastore.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="sr" password="sr1" metadataServerUrls="http://localhost:8090";
    
    # Schema Registry group id, which is the cluster id
    schema.registry.group.id=schema-registry-demo
    
    # These properties install the Schema Registry security plugin, and configure it to use RBAC for authorization and OAuth for authentication
    schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
    confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer
    rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
    
    # The location of a running metadata service; used to verify that requests are authorized by the users that make them
    confluent.metadata.bootstrap.server.urls=http://localhost:8090
    
    # Credentials to use when communicating with the MDS; these should usually match the ones used for communicating with Kafka
    confluent.metadata.basic.auth.user.info=sr:sr1
    confluent.metadata.http.auth.credentials.provider=BASIC
    
    # The path to public keys that should be used to verify json web tokens during authentication
    public.key.path=/tmp/tokenPublicKey.pem
    
    # This enables anonymous access with a principal of User:ANONYMOUS
    confluent.schema.registry.anonymous.principal=true
    authentication.skip.paths=/*
    
  • Role bindings:

    # Schema Registry Admin
    confluent iam rolebinding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Topic:_schemas --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role SecurityAdmin --kafka-cluster-id $KAFKA_CLUSTER_ID --schema-registry-cluster-id $SCHEMA_REGISTRY_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_SCHEMA_REGISTRY --role ResourceOwner --resource Group:$SCHEMA_REGISTRY_CLUSTER_ID --kafka-cluster-id $KAFKA_CLUSTER_ID
    
    # Client connecting to Schema Registry
    confluent iam rolebinding create --principal User:$USER_CLIENT_A --role ResourceOwner --resource Subject:$SUBJECT --kafka-cluster-id $KAFKA_CLUSTER_ID --schema-registry-cluster-id $SCHEMA_REGISTRY_CLUSTER_ID
    

Connect

  • Additional RBAC configurations required for connect-avro-distributed.properties

    bootstrap.servers=localhost:9092
    security.protocol=SASL_PLAINTEXT
    sasl.mechanism=OAUTHBEARER
    sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="connect" password="connect1" metadataServerUrls="http://localhost:8090";
    
    ## Connector client (producer, consumer, admin client) properties ##
    
    # Allow producer/consumer/admin client overrides (this enables per-connector principals)
    connector.client.config.override.policy=All
    
    producer.security.protocol=SASL_PLAINTEXT
    producer.sasl.mechanism=OAUTHBEARER
    producer.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    # Intentionally omitting `producer.sasl.jaas.config` to force connectors to use their own
    
    consumer.security.protocol=SASL_PLAINTEXT
    consumer.sasl.mechanism=OAUTHBEARER
    consumer.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    # Intentionally omitting `consumer.sasl.jaas.config` to force connectors to use their own
    
    admin.security.protocol=SASL_PLAINTEXT
    admin.sasl.mechanism=OAUTHBEARER
    admin.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    # Intentionally omitting `admin.sasl.jaas.config` to force connectors to use their own
    
    ## REST extensions: RBAC and Secret Registry ##
    
    # Installs the RBAC and Secret Registry REST extensions
    rest.extension.classes=io.confluent.connect.security.ConnectSecurityExtension,io.confluent.connect.secretregistry.ConnectSecretRegistryExtension
    
    ## RBAC Authentication ##
    
    # Enables basic and bearer authentication for requests made to the worker
    rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
    
    # The path to a directory containing public keys that should be used to verify json web tokens during authentication
    public.key.path=/tmp/tokenPublicKey.pem
    
    ## RBAC Authorization ##
    
    # The location of a running metadata service; used to verify that requests are authorized by the users that make them
    confluent.metadata.bootstrap.server.urls=http://localhost:8090
    
    # Credentials to use when communicating with the MDS; these should usually match the ones used for communicating with Kafka
    confluent.metadata.basic.auth.user.info=connect:connect1
    confluent.metadata.http.auth.credentials.provider=BASIC
    
    ## Secret Registry Secret Provider ##
    
    config.providers=secret
    config.providers.secret.class=io.confluent.connect.secretregistry.rbac.config.provider.InternalSecretConfigProvider
    config.providers.secret.param.master.encryption.key=password1234
    
    config.providers.secret.param.kafkastore.bootstrap.servers=localhost:9092
    config.providers.secret.param.kafkastore.security.protocol=SASL_PLAINTEXT
    config.providers.secret.param.kafkastore.sasl.mechanism=OAUTHBEARER
    config.providers.secret.param.kafkastore.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    config.providers.secret.param.kafkastore.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="connect" password="connect1" metadataServerUrls="http://localhost:8090";
    
  • Additional RBAC configurations required for a source connector

    producer.override.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="connector" password="connector1" metadataServerUrls="http://localhost:8090";
    
  • Additional RBAC configurations required for a sink connector

    consumer.override.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="connector" password="connector1" metadataServerUrls="http://localhost:8090";
    
  • Role bindings:

    # Connect Admin
    confluent iam rolebinding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Topic:connect-configs --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Topic:connect-offsets --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Topic:connect-statuses --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Group:connect-cluster --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Topic:_confluent-secrets --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_CONNECT --role ResourceOwner --resource Group:secret-registry --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_CONNECT --role SecurityAdmin --kafka-cluster-id $KAFKA_CLUSTER_ID --connect-cluster-id $CONNECT_CLUSTER_ID
    
    # Connector Submitter
    confluent iam rolebinding create --principal User:$USER_CONNECTOR_SUBMITTER --role ResourceOwner --resource Connector:$CONNECTOR_NAME --kafka-cluster-id $KAFKA_CLUSTER_ID --connect-cluster-id $CONNECT_CLUSTER_ID
    
    # Connector
    confluent iam rolebinding create --principal User:$USER_CONNECTOR --role ResourceOwner --resource Topic:$TOPIC2_AVRO --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_CONNECTOR --role ResourceOwner --resource Subject:${TOPIC2_AVRO}-value --kafka-cluster-id $KAFKA_CLUSTER_ID --schema-registry-cluster-id $SCHEMA_REGISTRY_CLUSTER_ID
    

REST Proxy

  • Additional RBAC configurations required for kafka-rest.properties

    # Configure connection to ZooKeeper, required for license validation of the Confluent security extension
    zookeeper.connect=localhost:2181
    bootstrap.servers=localhost:9092
    schema.registry.url=http://localhost:8081
    
    client.security.protocol=SASL_PLAINTEXT
    
    kafka.rest.resource.extension.class=io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension
    rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
    
    public.key.path=/tmp/tokenPublicKey.pem
    
    # Credentials to use with the MDS
    confluent.metadata.bootstrap.server.urls=http://localhost:8090
    confluent.metadata.basic.auth.user.info=rp:rp1
    confluent.metadata.http.auth.credentials.provider=BASIC
    
  • Role bindings:

    # REST Proxy Admin: no additional administrative rolebindings required because REST Proxy just does impersonation
    
    # Producer/Consumer
    confluent iam rolebinding create --principal User:$USER_CLIENT_RP --role ResourceOwner --resource Topic:$TOPIC3 --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_CLIENT_RP --role DeveloperRead --resource Group:$CONSUMER_GROUP --kafka-cluster-id $KAFKA_CLUSTER_ID
    

ksqlDB

  • Additional RBAC configurations required for ksql-server.properties

    bootstrap.servers=localhost:9092
    security.protocol=SASL_PLAINTEXT
    sasl.mechanism=OAUTHBEARER
    sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="ksqlDBserver" password="ksqlDBserver1" metadataServerUrls="http://localhost:8090";
    
    # Specify KSQL service id used to bind user/roles to this cluster
    ksql.service.id=rbac-ksql
    
    # Enable KSQL authorization and impersonation
    ksql.security.extension.class=io.confluent.ksql.security.KsqlConfluentSecurityExtension
    
    # Enable KSQL Basic+Bearer authentication
    rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
    websocket.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
    public.key.path=/tmp/tokenPublicKey.pem
    
    # Metadata URL and access credentials
    confluent.metadata.bootstrap.server.urls=http://localhost:8090
    confluent.metadata.http.auth.credentials.provider=BASIC
    confluent.metadata.basic.auth.user.info=ksqlDBserver:ksqlDBserver1
    
    # Credentials for Schema Registry access
    ksql.schema.registry.url=http://localhost:8081
    ksql.schema.registry.basic.auth.user.info=ksqlDBserver:ksqlDBserver1
    
  • Role bindings:

    # ksqlDB Server Admin
    confluent iam rolebinding create --principal User:$USER_ADMIN_KSQLDB --role ResourceOwner --resource Topic:_confluent-ksql-${KSQL_SERVICE_ID}_command_topic --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_KSQLDB --role ResourceOwner --resource Topic:${KSQL_SERVICE_ID}ksql_processing_log --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_KSQLDB --role SecurityAdmin --kafka-cluster-id $KAFKA_CLUSTER_ID --ksql-cluster-id $KSQL_SERVICE_ID
    confluent iam rolebinding create --principal User:$USER_ADMIN_KSQLDB --role ResourceOwner --resource KsqlCluster:ksql-cluster --kafka-cluster-id $KAFKA_CLUSTER_ID --ksql-cluster-id $KSQL_SERVICE_ID
    
    # ksqlDB CLI queries
    confluent iam rolebinding create --principal User:${USER_KSQLDB} --role DeveloperWrite --resource KsqlCluster:ksql-cluster --kafka-cluster-id $KAFKA_CLUSTER_ID --ksql-cluster-id $KSQL_SERVICE_ID
    confluent iam rolebinding create --principal User:${USER_KSQLDB} --role DeveloperRead --resource Topic:$TOPIC1 --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_KSQLDB} --role DeveloperRead --resource Group:_confluent-ksql-${KSQL_SERVICE_ID} --prefix --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_KSQLDB} --role DeveloperRead --resource Topic:${KSQL_SERVICE_ID}ksql_processing_log --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_ADMIN_KSQLDB} --role DeveloperRead --resource Group:_confluent-ksql-${KSQL_SERVICE_ID} --prefix --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_ADMIN_KSQLDB} --role DeveloperRead --resource Topic:$TOPIC1 --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource TransactionalId:${KSQL_SERVICE_ID} --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_KSQLDB} --role ResourceOwner --resource Topic:_confluent-ksql-${KSQL_SERVICE_ID}transient --prefix --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource Topic:_confluent-ksql-${KSQL_SERVICE_ID}transient --prefix --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_KSQLDB} --role ResourceOwner --resource Topic:${CSAS_STREAM1} --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource Topic:${CSAS_STREAM1} --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_KSQLDB} --role ResourceOwner --resource Topic:${CTAS_TABLE1} --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource Topic:${CTAS_TABLE1} --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:${USER_ADMIN_KSQLDB} --role ResourceOwner --resource Topic:_confluent-ksql-${KSQL_SERVICE_ID} --prefix --kafka-cluster-id $KAFKA_CLUSTER_ID
    

Control Center

  • Additional RBAC configurations required for control-center-dev.properties

    confluent.controlcenter.rest.authentication.method=BEARER
    confluent.controlcenter.streams.security.protocol=SASL_PLAINTEXT
    public.key.path=/tmp/tokenPublicKey.pem
    
    confluent.metadata.basic.auth.user.info=c3:c31
    confluent.metadata.bootstrap.server.urls=http://localhost:8090
    
  • Role bindings:

    # Control Center Admin
    confluent iam rolebinding create --principal User:$USER_ADMIN_C3 --role SystemAdmin --kafka-cluster-id $KAFKA_CLUSTER_ID
    
    # Control Center user
    confluent iam rolebinding create --principal User:$USER_CLIENT_C --role DeveloperRead --resource Topic:$TOPIC1 --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_CLIENT_C --role DeveloperRead --resource Topic:$TOPIC2_AVRO --kafka-cluster-id $KAFKA_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_CLIENT_C --role DeveloperRead --resource Subject:${TOPIC2_AVRO}-value --kafka-cluster-id $KAFKA_CLUSTER_ID --schema-registry-cluster-id $SCHEMA_REGISTRY_CLUSTER_ID
    confluent iam rolebinding create --principal User:$USER_CLIENT_C --role DeveloperRead --resource Connector:$CONNECTOR_NAME --kafka-cluster-id $KAFKA_CLUSTER_ID --connect-cluster-id $CONNECT_CLUSTER_ID
    

General Rolebinding Syntax

  1. The general rolebinding syntax is:

    confluent iam rolebinding create --role [role name] --principal User:[username] --resource [resource type]:[resource name] --[cluster type]-cluster-id [insert cluster id]
    
  2. Available role types and permissions can be found here.

  3. Resource types include: Cluster, Group, Subject, Connector, TransactionalId, Topic.

Listing Roles for a User

General listing syntax:

confluent iam rolebinding list User:[username] [clusters and resources you want to view their roles on]

For example, list the roles of User:bender on Kafka cluster KAFKA_CLUSTER_ID

confluent iam rolebinding list --principal User:bender --kafka-cluster-id $KAFKA_CLUSTER_ID

Run demo in Docker

A Docker-based RBAC demo is Confluent Platform Demo (cp-demo). It is representative of a real deployment of a Kafka event streaming application, with RBAC and other Confluent Platform security features and LDAP integration.