Enable RBAC in Running Confluent Platform Environment Using Ansible Playbooks

You can enable role-based access control (RBAC) on a Confluent Platform deployment that was originally configured without RBAC enabled.

  1. In your hosts inventory file, set the following and supply the other properties that RBAC requires:

    rbac_enabled: true
    

    For a list of all the RBAC-related properties and their descriptions, refer to Role-based access control.

    Below is an example snippet. The password values in it are placeholders: in a real inventory, store secrets as Ansible Vault values rather than plaintext, and prefer an ldaps:// URL for ldap.java.naming.provider.url, because a simple bind over plain ldap:// sends the bind credentials across the network in cleartext.

    all:
      vars:
        ssl_enabled: true
        rbac_enabled: true
        mds_ssl_mutual_auth_enabled: true
        # super user credentials for bootstrapping RBAC within Confluent Platform
        mds_super_user: mds
        mds_super_user_password: password
        # LDAP users for Confluent Platform components
        kafka_broker_ldap_user: kafka_broker
        kafka_broker_ldap_password: password
        schema_registry_ldap_user: schema_registry
        schema_registry_ldap_password: password
        kafka_connect_ldap_user: connect_worker
        kafka_connect_ldap_password: password
        ksql_ldap_user: ksql
        ksql_ldap_password: password
        kafka_rest_ldap_user: rest_proxy
        kafka_rest_ldap_password: password
        control_center_ldap_user: control_center
        control_center_ldap_password: password
    
    kafka_broker:
      vars:
        kafka_broker_custom_properties:
          ldap.java.naming.factory.initial: com.sun.jndi.ldap.LdapCtxFactory
          ldap.com.sun.jndi.ldap.read.timeout: 3000
          ldap.java.naming.provider.url: ldap://ldap1:389
          ldap.java.naming.security.principal: uid=mds,OU=rbac,DC=example,DC=com
          ldap.java.naming.security.credentials: password
          ldap.java.naming.security.authentication: simple
          ldap.user.search.base: OU=rbac,DC=example,DC=com
          ldap.group.search.base: OU=rbac,DC=example,DC=com
          ldap.user.name.attribute: uid
          ldap.user.memberof.attribute.pattern: CN=(.*),OU=rbac,DC=example,DC=com
          ldap.group.name.attribute: cn
          ldap.group.member.attribute.pattern: CN=(.*),OU=rbac,DC=example,DC=com
          ldap.user.object.class: account
    
  2. Run the confluent.platform.all playbook:

    ansible-playbook -i <your hosts file> confluent.platform.all \
      --skip-tags package \
      -e deployment_strategy=parallel
    

    Include the --skip-tags package option to skip the package installation tasks and to ensure no upgrade happens. The option also speeds up the reconfiguration process.
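The following preflight script is an added example, not part of the confluent.platform collection or of this page: it greps an inventory file for the RBAC settings step 1 requires (rbac_enabled, the MDS super user, a password for every component LDAP user) and for two weaknesses worth catching before the playbook in step 2 restarts anything (placeholder or plaintext secrets, and a simple bind over ldap:// without TLS). The function name rbac_preflight and the two sample inventories it runs against are constructed for illustration; the vault bodies in the hardened sample are stand-ins, not real ciphertext.

```shell
#!/usr/bin/env bash
# rbac_preflight: hypothetical helper, not part of the confluent.platform collection.
# Checks an inventory for the RBAC settings step 1 needs and for two common weaknesses
# before the playbook in step 2 is run.
set -u

# rbac_preflight <inventory.yml>
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
rbac_preflight() {
  local inv="$1" findings=0 key comp secret_re

  # 1. RBAC must actually be switched on.
  if ! grep -Eq '^[[:space:]]*rbac_enabled:[[:space:]]*true[[:space:]]*$' "$inv"; then
    echo "FAIL: rbac_enabled is not set to true"; findings=$((findings + 1))
  fi

  # 2. The MDS super user that bootstraps RBAC needs both its user and its password.
  for key in mds_super_user mds_super_user_password; do
    grep -Eq "^[[:space:]]*${key}:[[:space:]]*[^[:space:]]" "$inv" \
      || { echo "FAIL: missing ${key}"; findings=$((findings + 1)); }
  done

  # 3. Every <component>_ldap_user needs a matching <component>_ldap_password.
  for comp in $(sed -nE 's/^[[:space:]]*([a-z_]+)_ldap_user:.*/\1/p' "$inv"); do
    grep -Eq "^[[:space:]]*${comp}_ldap_password:[[:space:]]*[^[:space:]]" "$inv" \
      || { echo "FAIL: ${comp}_ldap_user has no ${comp}_ldap_password"; findings=$((findings + 1)); }
  done

  # 4. Secrets: the literal placeholder "password" is a hard failure; a secret that is not
  #    an Ansible Vault value ('!vault |', as ansible-vault encrypt_string emits) is a warning.
  secret_re='^[[:space:]]*([a-z_]+_password|ldap\.java\.naming\.security\.credentials):'
  if grep -Eq "${secret_re}[[:space:]]*password[[:space:]]*$" "$inv"; then
    echo "FAIL: placeholder value 'password' used for a secret"; findings=$((findings + 1))
  fi
  if grep -E "$secret_re" "$inv" | grep -Evq '!vault'; then
    echo "WARN: plaintext secret(s) in inventory; use ansible-vault encrypt_string"
    findings=$((findings + 1))
  fi

  # 5. A simple bind over ldap:// sends the MDS bind DN password in cleartext.
  if grep -Eq '^[[:space:]]*ldap\.java\.naming\.provider\.url:[[:space:]]*ldap://' "$inv"; then
    echo "WARN: provider URL is ldap:// (no TLS); use ldaps:// with simple bind"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Constructed sample inventories (not taken from any real deployment).
RBAC_WORKDIR=$(mktemp -d)
RBAC_AS_DOCUMENTED="$RBAC_WORKDIR/as_documented.yml"
RBAC_HARDENED="$RBAC_WORKDIR/hardened.yml"

# Shaped like the snippet in step 1: placeholder passwords, one component without a
# password, simple bind over plain ldap://.
cat >"$RBAC_AS_DOCUMENTED" <<'EOF'
all:
  vars:
    rbac_enabled: true
    mds_super_user: mds
    mds_super_user_password: password
    kafka_broker_ldap_user: kafka_broker
    kafka_broker_ldap_password: password
    schema_registry_ldap_user: schema_registry
kafka_broker:
  vars:
    kafka_broker_custom_properties:
      ldap.java.naming.provider.url: ldap://ldap1:389
      ldap.java.naming.security.credentials: password
      ldap.java.naming.security.authentication: simple
EOF

# Same shape with vaulted secrets and LDAPS (vault bodies are stand-ins, not ciphertext).
cat >"$RBAC_HARDENED" <<'EOF'
all:
  vars:
    rbac_enabled: true
    mds_super_user: mds
    mds_super_user_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      (constructed stand-in for the ciphertext)
    kafka_broker_ldap_user: kafka_broker
    kafka_broker_ldap_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      (constructed stand-in for the ciphertext)
kafka_broker:
  vars:
    kafka_broker_custom_properties:
      ldap.java.naming.provider.url: ldaps://ldap1:636
      ldap.java.naming.security.credentials: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        (constructed stand-in for the ciphertext)
      ldap.java.naming.security.authentication: simple
EOF

for inv in "$RBAC_AS_DOCUMENTED" "$RBAC_HARDENED"; do
  echo "== $(basename "$inv")"
  if rbac_preflight "$inv"; then echo "clean: safe to run confluent.platform.all"; fi
done
```

Run it as `rbac_preflight <your hosts file>` before step 2; a non-zero exit means the inventory would either fail to enable RBAC or ship secrets in a form you would not want on disk or on the wire. The checks are plain greps over the inventory text, so they are only as precise as the key names they look for; they are a gate on the obvious mistakes, not a substitute for reviewing the rendered component properties after the playbook has run.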