Authentication and Authorization Auditable Events
Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.
Role-based access control (RBAC)
Listed here are the actions, or operations, on role-based access control (RBAC) authorization in the Metadata Service (MDS) that generate auditable event messages. For more about service accounts, see Service Accounts.
Method name | Action triggering an auditable event message |
---|---|
mds.Authorize (examples) | An RBAC authorization is being checked. |
Examples
mds.Authorize
Authorization to create a Kafka cluster
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "CreateCloudCluster",
"resourceType": "Environment",
"resourceName": "environment",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "f07bdde7-c633-41c9-abab-5ff3539e9967",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"time": "2021-06-07T18:49:40.331Z"
}
Authorization to create an API key
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "Create",
"resourceType": "CloudApiKey",
"resourceName": "*",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "87d5f2fe-b642-48e2-95cc-fafe87160288",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
"time": "2021-06-07T18:57:09.348Z"
}
Authorization to delete an API key
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
"authenticationInfo": {
"principal": "User:u-4vmx7p"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "CloudApiKey",
"resourceName": "238661",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "20441c90-7d42-428c-a52e-40f6d1d46c59",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
"time": "2021-06-07T18:54:30.928Z"
}
Authorization to update billing information
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
"authenticationInfo": {
"principal": "User:u-c1mv02"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Billing",
"resourceName": "payment-info",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "08503aa2-e712-436b-ad8e-5fb7f46e99b5",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
"time": "2021-06-15T02:21:41.251Z"
}
Authorization to create an RBAC role binding
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-j123c/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
"authenticationInfo": {
"principal": "User:u-a1bc23"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "SecurityMetadata",
"resourceName": "security-metadata",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "cc4f82c9-4794-4cb6-a2ad-d4d9a38a4ab1",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-j123c/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
"time": "2021-06-15T02:28:03.769Z"
}
Kafka actions
Included here are the actions, or operations, on a Kafka cluster that generate auditable event messages. For more about clusters, see Confluent Cloud Clusters.
The following methods, except kafka.Authentication, are Kafka data plane authorization events.
Method name | Action triggering an auditable event message |
---|---|
kafka.AlterConfigs (examples) | A Kafka configuration is being altered or updated. |
kafka.AlterMirrors (examples) | The properties of a mirror topic that exists on a Cluster Link to this cluster are being altered. |
kafka.Authentication (examples) | A client has connected to the Kafka cluster using an API key or token. |
kafka.CreateAcls (examples) | A Kafka broker ACL is being created. |
kafka.CreateClusterLinks (examples) | A cluster link is being created between this cluster and another cluster. |
kafka.CreatePartitions (examples) | Partitions are being added to a topic. |
kafka.CreateTopics (examples) | A topic is being created. |
kafka.DeleteAcls (examples) | A Kafka broker ACL is being deleted. |
kafka.DeleteClusterLinks (examples) | A cluster link is being deleted. |
kafka.DeleteGroups (examples) | A Kafka consumer group is being deleted. |
kafka.DeleteRecords (examples) | A Kafka record is being deleted. Commonly seen on ksqlDB internal topics for repartitioning. |
kafka.DeleteTopics (examples) | A Kafka topic is being deleted. |
kafka.IncrementalAlterConfigs (examples) | A dynamic configuration of a Kafka broker is being altered. |
kafka.OffsetDelete (examples) | A committed offset for a partition in a consumer group is being deleted. |
Authentication events
Examples
kafka.Authentication
Authentication to a Kafka cluster using API key – success
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
}
},
"result": {
"status": "SUCCESS",
"message": ""
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using API key – failure
Error message: “Bad password for user MAIDSRFG53RXYTKR”
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
}
},
"result": {
"status": "UNAUTHENTICATED",
"message": "Bad password for user MAIDSRFG53RXYTKR"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – success
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/OAUTHBEARER",
"identifier": "123456"
}
},
"result": {
"status": "SUCCESS",
"message": ""
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – failure
Error message: “The principal 654321’s logical cluster lkc-a1b2c is not hosted on this broker.”
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "None:UNKNOWN_USER",
"metadata": {
"mechanism": "SASL_SSL/OAUTHBEARER",
"identifier": "654321"
}
},
"result": {
"status": "UNAUTHENTICATED",
"message": "The principal 654321's logical cluster lkc-a1b2c is not hosted on this broker."
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization events
Examples
kafka.AlterConfigs
Authorization to alter topic configurations allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.AlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.AlterMirrors
Authorization to alter properties of a cluster link topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.AlterMirrors",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateAcls
Authorization to create ACL rules on a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateAcls",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateClusterLinks
Authorization to create cluster link allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateClusterLinks",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreatePartitions
Authorization to add partitions to topic not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreatePartitions",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Alter",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateTopics
Authorization to create any topic on a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Create",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to create a specific topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.CreateTopics",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "DescribeConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to create a specific topic not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Create",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteAcls
Authorization to delete ACL rules from a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.DeleteAcls",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteClusterLinks
Authorization to delete cluster link allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteClusterLinks",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteGroups
Authorization to delete consumer group allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteGroups",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Group",
"resourceName": "delivery-estimator",
"patternType": "LITERAL",
"superUserAuthorization": false,
"aclAuthorization": {
"host": "*",
"permissionType": "ALLOW"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteRecords
Authorization to delete records from topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteRecords",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=foo-KSTREAM-REPARTITION-0000000016-repartition",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Topic",
"resourceName": "foo-KSTREAM-REPARTITION-0000000016-repartition",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteTopics
Authorization to delete topic allowed based on prefix match
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures-2021-01-01",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Topic",
"resourceName": "departures-",
"patternType": "PREFIX",
"superUserAuthorization": false,
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.IncrementalAlterConfigs
Authorization to alter cluster configurations allowed based on super user
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.IncrementalAlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to alter topic configurations allowed based on ACL
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.IncrementalAlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false,
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.OffsetDelete
Authorization to delete consumer group offsets not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.OffsetDelete",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Delete",
"resourceType": "Group",
"resourceName": "delivery-estimator",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
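As an added example (not Confluent's code), the following Python triage pass reads records shaped like the examples on this page and flags failed authentications, denied authorizations, and granted changes to ACLs, topics, cluster links, API keys and role bindings, noting whether each grant came from super-user, ACL or RBAC authorization. The one-record-per-line input, the lists of sensitive operations, the failure threshold and every sample record are assumptions constructed for illustration.

```python
import json
from collections import Counter

AUTHN = "io.confluent.kafka.server/authentication"
AUTHZ = "io.confluent.kafka.server/authorization"
# Assumption: which granted operations deserve review is a local policy choice.
SENSITIVE_METHODS = {"kafka.CreateAcls", "kafka.DeleteAcls", "kafka.DeleteTopics",
                     "kafka.CreateClusterLinks", "kafka.DeleteClusterLinks"}
SENSITIVE_MDS = {("SecurityMetadata", "Alter"), ("CloudApiKey", "Create"), ("CloudApiKey", "Delete")}

def grant_basis(authz):
    """Name the mechanism behind a decision, from the fields shown on this page."""
    if authz.get("superUserAuthorization"):
        return "super-user"
    if "aclAuthorization" in authz:
        return "acl:" + str(authz["aclAuthorization"].get("permissionType"))
    if "rbacAuthorization" in authz:
        return "rbac:" + str(authz["rbacAuthorization"].get("role"))
    return "unknown"

def triage(record):
    """Return (finding, who, detail) for one record, or None when it is routine."""
    data = record.get("data", {})
    auth, method = data.get("authenticationInfo", {}), data.get("methodName", "?")
    if record.get("type") == AUTHN:
        result = data.get("result", {})
        if result.get("status") != "SUCCESS":
            # Key on the credential identifier: the principal may be UNKNOWN_USER.
            ident = auth.get("metadata", {}).get("identifier", "?")
            return ("authn_failed", ident, result.get("message", ""))
    elif record.get("type") == AUTHZ:
        authz = data.get("authorizationInfo", {})
        who, target = auth.get("principal", "?"), data.get("resourceName", "?")
        if not authz.get("granted", False):
            return ("authz_denied", who, f"{method} on {target}")
        pair = (authz.get("resourceType"), authz.get("operation"))
        if method in SENSITIVE_METHODS or (method == "mds.Authorize" and pair in SENSITIVE_MDS):
            return ("sensitive_granted", who, f"{method} on {target} via {grant_basis(authz)}")
    return None

def scan(lines, authn_threshold=3):
    """Triage JSON-lines input; also list identifiers with repeated failures."""
    findings, failures = [], Counter()
    for line in lines:
        try:
            hit = triage(json.loads(line))
        except (ValueError, AttributeError):  # bad JSON, or not shaped like a record
            findings.append(("unparseable", "?", line[:40]))
            continue
        if hit:
            findings.append(hit)
            if hit[0] == "authn_failed":
                failures[hit[1]] += 1
    return findings, sorted(i for i, n in failures.items() if n >= authn_threshold)

# Constructed sample records (not real log data), shaped like the page's examples.
def make(kind, method, **data):
    data.setdefault("authenticationInfo", {"principal": "User:123456"})
    return json.dumps({"type": kind, "data": {"methodName": method, **data}})
KEY, TOPIC = "EXAMPLEKEY000001", "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures"
BAD = make(AUTHN, "kafka.Authentication",
           authenticationInfo={"principal": "User:123456", "metadata": {"identifier": KEY}},
           result={"status": "UNAUTHENTICATED", "message": "Bad password for user " + KEY})
SAMPLE = [BAD] * 3 + [
    make(AUTHZ, "kafka.CreatePartitions", resourceName=TOPIC,
         authorizationInfo={"granted": False, "operation": "Alter", "resourceType": "Topic"}),
    make(AUTHZ, "kafka.DeleteTopics", resourceName=TOPIC, authorizationInfo={
        "granted": True, "aclAuthorization": {"permissionType": "ALLOW", "host": "*"}}),
    make(AUTHZ, "mds.Authorize", resourceName="security-metadata", authorizationInfo={
        "granted": True, "operation": "Alter", "resourceType": "SecurityMetadata",
        "rbacAuthorization": {"role": "OrganizationAdmin"}}),
    make(AUTHZ, "kafka.CreateTopics", resourceName=TOPIC, authorizationInfo={"granted": True}),
    "{truncated",
]
```

`scan(SAMPLE)` returns the findings list plus the identifiers that reached the failure threshold; the routine `kafka.CreateTopics` grant produces no finding, and the truncated line is reported rather than silently dropped.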