Enable RBAC in Ansible Playbooks for Confluent Platform¶
You can enable role-based access control (RBAC) on a Confluent Platform deployment that was originally configured without RBAC enabled.
Set the following and provide the required properties for RBAC in your hosts inventory file:
rbac_enabled: true
For a list of all the RBAC-related properties and their, refer to Role-based access control.
Below is an example snippet:
all: vars: ssl_enabled: true rbac_enabled: true mds_ssl_mutual_auth_enabled: true # super user credentials for bootstrapping RBAC within Confluent Platform mds_super_user: mds mds_super_user_password: password # LDAP users for Confluent Platform components kafka_broker_ldap_user: kafka_broker kafka_broker_ldap_password: password schema_registry_ldap_user: schema_registry schema_registry_ldap_password: password kafka_connect_ldap_user: connect_worker kafka_connect_ldap_password: password ksql_ldap_user: ksql ksql_ldap_password: password kafka_rest_ldap_user: rest_proxy kafka_rest_ldap_password: password control_center_ldap_user: control_center control_center_ldap_password: password kafka_broker: vars: kafka_broker_custom_properties: ldap.java.naming.factory.initial: com.sun.jndi.ldap.LdapCtxFactory ldap.com.sun.jndi.ldap.read.timeout: 3000 ldap.java.naming.provider.url: ldap://ldap1:389 ldap.java.naming.security.principal: uid=mds,OU=rbac,DC=example,DC=com ldap.java.naming.security.credentials: password ldap.java.naming.security.authentication: simple ldap.user.search.base: OU=rbac,DC=example,DC=com ldap.group.search.base: OU=rbac,DC=example,DC=com ldap.user.name.attribute: uid ldap.user.memberof.attribute.pattern: CN=(.*),OU=rbac,DC=example,DC=com ldap.group.name.attribute: cn ldap.group.member.attribute.pattern: CN=(.*),OU=rbac,DC=example,DC=com ldap.user.object.class: account
Run the
confluent.platform.all
playbook:ansible-playbook -i <your hosts file> confluent.platform.all \ --skip-tags package \ -e deployment_strategy=parallel
Include the
--skip-tags package
option to skip the package installation tasks and to ensure no upgrade happens. The option also speeds up the reconfiguration process.