Enable RBAC in Running Confluent Platform Environment Using Ansible Playbooks

You can enable role-based access control (RBAC) on a Confluent Platform deployment that was originally configured without RBAC enabled.

1. Set the following and provide the required properties for RBAC in your hosts inventory file:

   rbac_enabled: true
   

   For a list of all the RBAC-related properties and their, refer to Role-based access control.

   Below is an example snippet:

   all:
     vars:
       ssl_enabled: true
       rbac_enabled: true
       mds_ssl_mutual_auth_enabled: true
       # super user credentials for bootstrapping RBAC within Confluent Platform
       mds_super_user: mds
       mds_super_user_password: password
       # LDAP users for Confluent Platform components
       kafka_broker_ldap_user: kafka_broker
       kafka_broker_ldap_password: password
       schema_registry_ldap_user: schema_registry
       schema_registry_ldap_password: password
       kafka_connect_ldap_user: connect_worker
       kafka_connect_ldap_password: password
       ksql_ldap_user: ksql
       ksql_ldap_password: password
       kafka_rest_ldap_user: rest_proxy
       kafka_rest_ldap_password: password
       control_center_ldap_user: control_center
       control_center_ldap_password: password
   
   kafka_broker:
     vars:
       kafka_broker_custom_properties:
         ldap.java.naming.factory.initial: com.sun.jndi.ldap.LdapCtxFactory
         ldap.com.sun.jndi.ldap.read.timeout: 3000
         ldap.java.naming.provider.url: ldap://ldap1:389
         ldap.java.naming.security.principal: uid=mds,OU=rbac,DC=example,DC=com
         ldap.java.naming.security.credentials: password
         ldap.java.naming.security.authentication: simple
         ldap.user.search.base: OU=rbac,DC=example,DC=com
         ldap.group.search.base: OU=rbac,DC=example,DC=com
         ldap.user.name.attribute: uid
         ldap.user.memberof.attribute.pattern: CN=(.*),OU=rbac,DC=example,DC=com
         ldap.group.name.attribute: cn
         ldap.group.member.attribute.pattern: CN=(.*),OU=rbac,DC=example,DC=com
         ldap.user.object.class: account
   

2. Run the confluent.platform.all playbook:

   ansible-playbook -i <your hosts file> confluent.platform.all \
     --skip-tags package \
     -e deployment_strategy=parallel
   

   Include the --skip-tags package option to skip the package installation tasks and to ensure no upgrade happens. The option also speeds up the reconfiguration process.