Grant Role-Based Access to a ksqlDB cluster

ksqlDB supports role-based access control (RBAC) for managing ksqlDB clusters. Assign the KsqlAdmin role to a user account or a service principal to grant access to a specific ksqlDB cluster in Confluent Cloud. The account that gets the role is referred to as the “principal”.

A principal that has the KsqlAdmin role to a ksqlDB cluster has full access to all resources on the cluster, like streams and persistent queries. Also, the KsqlAdmin role enables listing and terminating the cluster.

The KsqlAdmin role does not grant permission to create ksqlDB clusters.

Only accounts that have the CloudClusterAdmin, EnvironmentAdmin, or OrganizationAdmin role can grant the KsqlAdmin role. A principal with one of these roles can create the ksqlDB cluster and assign the KsqlAdmin role to the principals who will use the ksqlDB cluster.

If the ksqlDB cluster has topics with Avro, Protobuf, or JSON_SR schemas, you need the ID of the Schema Registry cluster and an associated role binding. For more information, see Enable ksqlDB integration with Schema Registry.

Like other data plane roles, the KsqlAdmin role is available only on Standard and Dedicated clusters. This means the KsqlAdmin role is not available on Basic Kafka clusters.

For more information on limitations of the KsqlAdmin role, see Role limitations by resource.

Use the Confluent CLI or Cloud Console to create roles for users.

Assign roles for ksqlDB access by using the Confluent CLI

Use the example command in this section to grant access to a ksqlDB cluster.

To grant KsqlAdmin permissions, you must have the CloudClusterAdmin, EnvironmentAdmin, or OrganizationAdmin role.

You need the cluster ID of the Kafka cluster, the friendly name of the ksqlDB cluster, and the ID of the environment.

Note

Unlike other Confluent CLI RBAC commands, the command for creating a KsqlAdmin role binding requires the friendly name of the ksqlDB cluster, not the cluster ID. To get the cluster name, run the following command:

confluent ksql cluster list

Your output should resemble:

       ID       |       Name       | Topic Prefix |   Kafka    | Storage |
----------------+------------------+--------------+------------+---------+ ...
  lksqlc-123abc | ksqlDB_cluster_0 | pksqlc-ab123 | lkc-456def |      25 |

In the example output, the ksqlDB cluster name is ksqlDB_cluster_0.

Run the following command to grant the KsqlAdmin role to a principal to enable access to the specified ksqlDB cluster. Any user account or service principal that doesn’t have the KsqlAdmin role isn’t able to list the cluster or access resources on the cluster.

confluent iam rbac role-binding create \
  --principal User:<user-id> \
  --role KsqlAdmin \
  --environment <env-id> \
  --cloud-cluster <kafka-cluster-id> \
  --ksql-cluster <ksqldb-cluster-name>

Grant the KsqlAdmin role to a user

The following steps show how to grant the KsqlAdmin role to a user.

  1. Log in as an organization admin user and list your role bindings:

    confluent iam rbac role-binding list --principal User:<org-admin-user-id>
    
  2. Create a KsqlAdmin role binding for the selected principal:

    confluent iam rbac role-binding create --principal User:<user-id> \
                                           --role KsqlAdmin \
                                           --environment <env-id> \
                                           --cloud-cluster <kafka-cluster-id> \
                                           --ksql-cluster <ksqldb-cluster-name>
    
  3. Log in using Confluent CLI with the credentials of the KsqlAdmin principal and list the principal’s role-bindings:

    confluent iam rbac role-binding list --principal User:<user-id>
    
  4. Create a cloud API key:

    confluent api-key create --resource <ksqldb-cluster-id> \
                             --description "ksqlDB demo"
    
  5. Connect to ksqlDB:

    ksql --user <api-key> --password <api-secret> https://<host>:443
    
  6. In the ksqlDB CLI, run a query to verify access:

    show streams;
    

If the ksqlDB cluster requires access to Schema Registry, you must grant the ResourceOwner role to the principal. For more information, see Enable ksqlDB integration with Schema Registry.

Assign roles for ksqlDB access by using the Confluent Cloud Console

To grant KsqlAdmin permissions, you must have the CloudClusterAdmin, EnvironmentAdmin, or OrganizationAdmin role.

  1. In the Confluent Cloud Console, click the Administration menu in the upper-right corner:admin-menu-icon
  2. In the Administration menu, click Accounts & access.
  3. In the Accounts & access page, select User accounts or Service accounts.
  4. Click Access, and in the Access page, navigate to the Organization > Environment > Cluster that has the ksqlDB cluster.
  5. Click ksqlDb Clusters.
  6. In the New ksqlDB cluster permissions section, select the ksqlDB cluster that will get the KsqlAdmin role.
  7. Select the KsqlAdmin role, and click Save.

If the ksqlDB cluster requires access to Schema Registry, you must grant the ResourceOwner role to the principal. For more information, see Enable ksqlDB integration with Schema Registry.