RBAC for Managed and Custom Connectors in Confluent Cloud¶
Role-based access control (RBAC) uses roles and role mappings to provide different levels of access for a principal to authenticate with Apache Kafka® and fully-managed connectors.
Note
- RBAC for fully-managed and custom connectors is available for Standard, Enterprise, and Dedicated Kafka clusters only.
- For self-managed connectors running in Confluent Platform, see RBAC for Self-Managed Connectors.
RBAC role mappings¶
The table below shows the RBAC role mappings for fully-managed and custom connectors.
| Role | Interact with Managed Connectors | Interact with Custom Connectors and Plugins | Create a Data Preview Instance | View Data Preview Output | Read Configuration | Read Custom Connector Metadata | Read Status | View Logs | Read Throughput Metrics | Pause and Resume | Configure | Configure Kafka Credentials | Manage Access | Delete |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OrganizationAdmin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| EnvironmentAdmin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| CloudClusterAdmin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Operator | No | No | No | [1] | No | Yes | Yes | No | Yes | Yes | No | No | No | No |
| DeveloperRead | No | No | No | [1] | Yes | Yes | Yes | No | Yes | No | No | No | No | No |
| DeveloperWrite | No | No | No | [1] | Yes | Yes | Yes | No | Yes | No | Yes | No | No | No |
- Note:
- [1] The role can view the data preview output only if the role has
READaccess to the data preview topic.
Certain Confluent Cloud RBAC roles are currently unavailable for fully-managed custom connectors. For the full list of RBAC roles and role mappings used for Confluent Cloud, see Predefined RBAC Roles on Confluent Cloud. For additional information, see Role-based Access Control (RBAC) on Confluent Cloud.
Manage role assignments using the Cloud Console¶
Complete the following steps to configure a role assignment for a user or service principal. You must have administrative permissions to work with role assignments.
Open the Administration menu.
Select Accounts & access.
Select Access.
Select the cluster where you want to configure connector permissions, then click Connectors. You may see one or more assigned roles.
Connector permissions¶
The following message may be displayed if you have no connector role assignments in the cluster.
No role assignments¶
Add a new role assignment¶
Complete the following steps to add a role assignment.
- Click the Add role assignment button.
- Select an existing connector name. You can enter a new connector name here. This allows you to create the role assignment prior to creating the connector.
- Select the account where you want to apply the role assignment.
- Select DeveloperRead or DeveloperWrite. For specific permissions and other details, see RBAC role mappings.
- Click Save.
Manage role assignments using the Confluent CLI¶
The following are typical commands to use when managing role assignments for fully-managed connectors.
To see the available command options:
confluent iam rbac role-binding help
To list the role assignments:
confluent iam rbac role-binding list --current-user
confluent iam rbac role-binding list --principal User:u-12ab34
To create a role assignment:
confluent iam rbac role-binding create --principal User:u-12ab34 \
--role DeveloperWrite --resource DatagenSourceConnector_0 \
--environment env-a12b34 --kafka-cluster-id lkc-123456
To delete a role assignment:
confluent iam rbac role-binding delete --principal User:u-12ab34
For additional Confluent CLI command examples, see List the role bindings for a principal.