Authentication and Authorization Auditable Events


Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.

Role-based access control (RBAC)

The following actions (operations) on role-based access control (RBAC) authorization in the Metadata Service (MDS) generate auditable event messages. For more about service accounts, see Service Accounts for Confluent Cloud.

Method name Action triggering an auditable event message
mds.Authorize (examples) An RBAC authorization is being checked.

Examples

mds.Authorize

Authorization to create a Kafka cluster
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
    "authenticationInfo": {
      "principal": "User:u-1abc2d"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "CreateCloudCluster",
      "resourceType": "Environment",
      "resourceName": "environment",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "f07bdde7-c633-41c9-abab-5ff3539e9967",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
  "time": "2021-06-07T18:49:40.331Z"
}
Authorization to create an API key
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
    "authenticationInfo": {
      "principal": "User:u-1abc2d"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Create",
      "resourceType": "CloudApiKey",
      "resourceName": "*",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "87d5f2fe-b642-48e2-95cc-fafe87160288",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
  "time": "2021-06-07T18:57:09.348Z"
}
Authorization to delete an API key
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
    "authenticationInfo": {
      "principal": "User:u-4vmx7p"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Delete",
      "resourceType": "CloudApiKey",
      "resourceName": "238661",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "20441c90-7d42-428c-a52e-40f6d1d46c59",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
  "time": "2021-06-07T18:54:30.928Z"
}
Authorization to update billing information
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
    "authenticationInfo": {
      "principal": "User:u-c1mv02"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Alter",
      "resourceType": "Billing",
      "resourceName": "payment-info",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "08503aa2-e712-436b-ad8e-5fb7f46e99b5",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
  "time": "2021-06-15T02:21:41.251Z"
}
Authorization to create an RBAC role binding
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-j123c/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
    "authenticationInfo": {
      "principal": "User:u-a1bc23"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Alter",
      "resourceType": "SecurityMetadata",
      "resourceName": "security-metadata",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "cc4f82c9-4794-4cb6-a2ad-d4d9a38a4ab1",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-j123c/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
  "time": "2021-06-15T02:28:03.769Z"
}

Kafka actions

The following actions (operations) on a Kafka cluster generate auditable event messages. For more about clusters, see Confluent Cloud Clusters.

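All of the methods below except kafka.Authentication are Kafka data plane authorization events; kafka.Authentication records are authentication events (type io.confluent.kafka.server/authentication).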

Method name Action triggering an auditable event message
kafka.AlterConfigs (examples) A Kafka configuration is being altered or updated.
kafka.AlterMirrors (examples) The properties of a mirror topic that exists on a Cluster Link to this cluster are being altered.
kafka.Authentication (examples) A client has connected to the Kafka cluster using an API key or token.
kafka.CreateAcls (examples) A Kafka broker ACL is being created.
kafka.CreateClusterLinks (examples) A cluster link is being created between this cluster and another cluster.
kafka.CreatePartitions (examples) Partitions are being added to a topic.
kafka.CreateTopics (examples) A topic is being created.
kafka.DeleteAcls (examples) A Kafka broker ACL is being deleted.
kafka.DeleteClusterLinks (examples) A cluster link is being deleted.
kafka.DeleteGroups (examples) A Kafka consumer group is being deleted.
kafka.DeleteRecords (examples) A Kafka record is being deleted. Commonly seen on ksqlDB internal topics for repartitioning.
kafka.DeleteTopics (examples) A Kafka topic is being deleted.
kafka.IncrementalAlterConfigs (examples) A dynamic configuration of a Kafka broker is being altered.
kafka.OffsetDelete (examples) A committed offset for a partition in a consumer group is being deleted.

Authentication events

Examples

kafka.Authentication

Authentication to a Kafka cluster using API key – success
{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/PLAIN",
                "identifier": "MAIDSRFG53RXYTKR"
            }
        },
        "result": {
            "status": "SUCCESS",
            "message": ""
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authentication to a Kafka cluster using API key – failure

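Error message: “Bad password for user MAIDSRFG53RXYTKR”. The user named in the message is the value recorded in authenticationInfo.metadata.identifier, so failed attempts can be correlated on that field.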

{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/PLAIN",
                "identifier": "MAIDSRFG53RXYTKR"
            }
        },
        "result": {
            "status": "UNAUTHENTICATED",
            "message": "Bad password for user MAIDSRFG53RXYTKR"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – success
{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/OAUTHBEARER",
                "identifier": "123456"
            }
        },
        "result": {
            "status": "SUCCESS",
            "message": ""
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – failure

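Error message: “The principal 654321’s logical cluster lkc-a1b2c is not hosted on this broker.” In this record the principal is logged as None:UNKNOWN_USER; the attempted identity appears only in authenticationInfo.metadata.identifier.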

{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "None:UNKNOWN_USER",
            "metadata": {
                "mechanism": "SASL_SSL/OAUTHBEARER",
                "identifier": "654321"
            }
        },
        "result": {
            "status": "UNAUTHENTICATED",
            "message": "The principal 654321's logical cluster lkc-a1b2c is not hosted on this broker."
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization events

Examples

kafka.AlterConfigs

Authorization to alter topic configurations allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.AlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.AlterMirrors

Authorization to alter properties of a cluster link topic allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.AlterMirrors",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Alter",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.CreateAcls

Authorization to create ACL rules on a Kafka cluster allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateAcls",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Alter",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.CreatePartitions

Authorization to add partitions to topic not allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreatePartitions",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Alter",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": false
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.CreateTopics

Authorization to create any topic on a Kafka cluster allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Create",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authorization to create a specific topic allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.CreateTopics",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "DescribeConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authorization to create a specific topic not allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Create",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": false
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.DeleteAcls

Authorization to delete ACL rules from a Kafka cluster allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.DeleteAcls",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Alter",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.DeleteGroups

Authorization to delete consumer group allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteGroups",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Group",
            "resourceName": "delivery-estimator",
            "patternType": "LITERAL",
            "superUserAuthorization": false,
            "aclAuthorization": {
                "host": "*",
                "permissionType": "ALLOW"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.DeleteRecords

Authorization to delete records from topic allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteRecords",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=foo-KSTREAM-REPARTITION-0000000016-repartition",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Topic",
            "resourceName": "foo-KSTREAM-REPARTITION-0000000016-repartition",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.DeleteTopics

Authorization to delete topic allowed based on prefix match
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures-2021-01-01",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Topic",
            "resourceName": "departures-",
            "patternType": "PREFIX",
            "superUserAuthorization": false,
            "aclAuthorization": {
                "permissionType": "ALLOW",
                "host": "*"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.IncrementalAlterConfigs

Authorization to alter cluster configurations allowed based on super user
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.IncrementalAlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authorization to alter topic configurations allowed based on ACL
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.IncrementalAlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": false,
            "aclAuthorization": {
                "permissionType": "ALLOW",
                "host": "*"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.OffsetDelete

Authorization to delete consumer group offsets not allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.OffsetDelete",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Delete",
            "resourceType": "Group",
            "resourceName": "delivery-estimator",
            "patternType": "LITERAL",
            "superUserAuthorization": false
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}