Kafka Cluster Authentication and Authorization Auditable Event Methods¶
Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on Kafka clusters. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.
Role-based access control (RBAC)¶
Included here are the actions, or operations, on a role-based access control (RBAC) authorization (in Metadata Service (MDS)) that generate auditable event messages. For more about service accounts, see Service Accounts for Confluent Cloud.
Method name | Action triggering an auditable event message |
---|---|
mds.Authorize | An RBAC authorization is being checked. |
Examples¶
mds.Authorize¶
Authorization to create a Kafka cluster
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "CreateCloudCluster",
"resourceType": "Environment",
"resourceName": "environment",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "f07bdde7-c633-41c9-abab-5ff3539e9967",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"time": "2021-06-07T18:49:40.331Z"
}
Authorization to create an API key
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "Create",
"resourceType": "CloudApiKey",
"resourceName": "*",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "87d5f2fe-b642-48e2-95cc-fafe87160288",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
"time": "2021-06-07T18:57:09.348Z"
}
Authorization to delete an API key
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
"authenticationInfo": {
"principal": "User:u-4vmx7p"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "CloudApiKey",
"resourceName": "238661",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "20441c90-7d42-428c-a52e-40f6d1d46c59",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
"time": "2021-06-07T18:54:30.928Z"
}
Authorization to update billing information
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
"authenticationInfo": {
"principal": "User:u-c1mv02"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Billing",
"resourceName": "payment-info",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "08503aa2-e712-436b-ad8e-5fb7f46e99b5",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
"time": "2021-06-15T02:21:41.251Z"
}
Authorization to create an RBAC role binding
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-j123c/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
"authenticationInfo": {
"principal": "User:u-a1bc23"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "SecurityMetadata",
"resourceName": "security-metadata",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
},
"id": "cc4f82c9-4794-4cb6-a2ad-d4d9a38a4ab1",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-j123c/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
"time": "2021-06-15T02:28:03.769Z"
}
Authorization event methods for Kafka cluster resources¶
Included here are the authorization actions, or operations, on a Kafka cluster resource
that generate auditable event messages for the io.confluent.kafka.server/authorization
event type. For more about Confluent Cloud Kafka clusters, see Confluent Cloud Clusters.
The following methods, except kafka.Authentication, are Kafka data plane authorization events.
Note
The Kafka cluster authorization auditable event methods have the same method names as the Kafka cluster management event methods.
Method name | Action triggering an auditable event message |
---|---|
kafka.AlterConfigs | A request to authorize altering or updating a Kafka configuration. |
kafka.AlterMirrors | A request to authorize altering the properties of a mirror topic that exists on a Cluster Link to this cluster. |
kafka.Authentication | A client has connected to the Kafka cluster using an API key or token. |
kafka.CreateAcls | A request to authorize the creation of a Kafka broker ACL. |
kafka.CreateClusterLinks | A request to authorize creating a cluster link between this cluster and another cluster. |
kafka.CreatePartitions | A request to authorize adding partitions to a topic. |
kafka.CreateTopics | A request to authorize creating topics. |
kafka.DeleteAcls | A request to authorize deleting Kafka broker ACLs. |
kafka.DeleteClusterLinks | A request to authorize deleting cluster links. |
kafka.DeleteGroups | A request to authorize deletion of Kafka consumer groups. |
kafka.DeleteRecords | A request to authorize deletion of Kafka records. Commonly seen on ksqlDB internal topics for repartitioning. |
kafka.DeleteTopics | A request to authorize deletion of Kafka topics. |
kafka.IncrementalAlterConfigs | A request to authorize incremental alterations of the dynamic configuration of a Kafka broker. |
kafka.OffsetDelete | A request to authorize the deletion of a committed offset for a partition in a consumer group. |
Kafka cluster authentication event methods¶
Examples¶
kafka.Authentication¶
The kafka.Authentication event method is triggered by a request for authentication using an API key or token.
Authentication to a Kafka cluster using API key – success
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "SUCCESS",
"message": ""
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using API key – failure
Error message: “Bad password for user MAIDSRFG53RXYTKR”
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "UNAUTHENTICATED",
"message": "Bad password for user MAIDSRFG53RXYTKR"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – success
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/OAUTHBEARER",
"identifier": "123456"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "SUCCESS",
"message": ""
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – failure
Error message: “The principal 654321’s logical cluster lkc-a1b2c is not hosted on this broker.”
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "None:UNKNOWN_USER",
"metadata": {
"mechanism": "SASL_SSL/OAUTHBEARER",
"identifier": "654321"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "UNAUTHENTICATED",
"message": "The principal 654321's logical cluster lkc-a1b2c is not hosted on this broker."
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Cluster linking authentication between two PrivateLink Kafka clusters – success
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.Authentication",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
},
"principalResourceId": "u-3r1ywo"
},
"requestMetadata": {
"connection_id": "111222686238900021",
"network_id": "n-ab1324"
},
"result": {
"status": "SUCCESS"
}
},
"subject": "crn://confluent.cloud/kafka=lkc-a1b2c",
"specversion": "1.0",
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"time": "2022-11-15T23:44:22.789Z",
"type": "io.confluent.kafka.server/authentication"
}
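The following added example (not part of the Confluent documentation) shows one way to count kafka.Authentication outcomes per credential and surface repeated failures. The sample records are constructed in the shape of the examples above; the function names and the threshold of 3 are assumptions.

```python
import json
from collections import defaultdict

AUTHN_TYPE = "io.confluent.kafka.server/authentication"
CLUSTER = "crn://confluent.cloud/kafka=lkc-a1b2c"


def sample_record(identifier, mechanism, status, principal="User:123456", message=None):
    """Constructed record carrying the fields of the kafka.Authentication examples."""
    result = {"status": status}
    if message is not None:  # the cluster linking example has no message field
        result["message"] = message
    return json.dumps({"type": AUTHN_TYPE, "source": CLUSTER, "data": {
        "methodName": "kafka.Authentication", "resourceName": CLUSTER,
        "authenticationInfo": {
            "principal": principal,
            "metadata": {"mechanism": mechanism, "identifier": identifier}},
        "result": result}})


# Constructed input: three bad-password attempts, then a success, plus two token logins.
SAMPLE_LINES = (
    [sample_record("MAIDSRFG53RXYTKR", "SASL_SSL/PLAIN", "UNAUTHENTICATED",
                   message="Bad password for user MAIDSRFG53RXYTKR")] * 3
    + [sample_record("MAIDSRFG53RXYTKR", "SASL_SSL/PLAIN", "SUCCESS", message="")]
    + [sample_record("654321", "SASL_SSL/OAUTHBEARER", "UNAUTHENTICATED",
                     principal="None:UNKNOWN_USER",
                     message="The principal 654321's logical cluster lkc-a1b2c "
                             "is not hosted on this broker.")]
    + [sample_record("123456", "SASL_SSL/OAUTHBEARER", "SUCCESS")]
)


def credential_stats(lines):
    """Count outcomes per (cluster CRN, credential identifier)."""
    stats = defaultdict(lambda: {"SUCCESS": 0, "UNAUTHENTICATED": 0, "messages": set()})
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON
        if not isinstance(record, dict) or record.get("type") != AUTHN_TYPE:
            continue  # authorization events and other types are ignored here
        data = record.get("data", {})
        info = data.get("authenticationInfo", {})
        # A failed event can report principal "None:UNKNOWN_USER", so group by the
        # presented credential (metadata.identifier) and fall back to the principal.
        ident = info.get("metadata", {}).get("identifier") or info.get("principal")
        result = data.get("result", {})
        status = result.get("status", "UNKNOWN")
        entry = stats[(data.get("resourceName"), ident)]
        entry[status] = entry.get(status, 0) + 1
        if status != "SUCCESS" and result.get("message"):
            entry["messages"].add(result["message"])
    return dict(stats)


def suspicious(lines, threshold=3):
    """Credentials with at least `threshold` failures; note whether one also succeeded."""
    flagged = []
    for (cluster, ident), s in credential_stats(lines).items():
        if s["UNAUTHENTICATED"] >= threshold:
            flagged.append({"cluster": cluster, "identifier": ident,
                            "failures": s["UNAUTHENTICATED"],
                            "succeeded_too": s["SUCCESS"] > 0})
    return flagged


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LINES):
        print(hit)
```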
Kafka cluster authorization event methods¶
Examples¶
kafka.AlterConfigs¶
The kafka.AlterConfigs event method is triggered by a request to authorize altering or updating a Kafka cluster configuration.
Authorization to alter topic configurations allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.AlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.AlterMirrors¶
The kafka.AlterMirrors event method is triggered by a request to authorize altering the properties of a mirror topic that exists on a cluster link to the specified Kafka cluster.
Authorization to alter properties of a cluster link topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.AlterMirrors",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateAcls¶
The kafka.CreateAcls event method is triggered by a request to authorize creating a Kafka broker ACL.
Authorization to create ACL rules on a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateAcls",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateClusterLinks¶
The kafka.CreateClusterLinks event method is triggered by a request to authorize creating a cluster link between this cluster and another cluster.
Authorization to create cluster link allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateClusterLinks",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreatePartitions¶
The kafka.CreatePartitions event method is triggered by a request to authorize adding partitions to a Kafka topic.
Authorization to add partitions to topic not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreatePartitions",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Alter",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateTopics¶
The kafka.CreateTopics event method is triggered by a request to authorize creating topics.
Authorization to create any topic on a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Create",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to create a specific topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.CreateTopics",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "DescribeConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to create a specific topic not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Create",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteAcls¶
The kafka.DeleteAcls event method is triggered by a request to authorize deleting Kafka broker ACLs.
Authorization to delete ACL rules from a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.DeleteAcls",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteClusterLinks¶
The kafka.DeleteClusterLinks event method is triggered by a request to authorize deleting cluster links.
Authorization to delete cluster link allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteClusterLinks",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteGroups¶
The kafka.DeleteGroups event method is triggered by a request to authorize deleting Kafka consumer groups.
Authorization to delete consumer group allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteGroups",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Group",
"resourceName": "delivery-estimator",
"patternType": "LITERAL",
"superUserAuthorization": false,
"aclAuthorization": {
"host": "*",
"permissionType": "ALLOW"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteRecords¶
The kafka.DeleteRecords event method is triggered by a request to authorize deleting records.
Authorization to delete records from topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteRecords",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=foo-KSTREAM-REPARTITION-0000000016-repartition",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Topic",
"resourceName": "foo-KSTREAM-REPARTITION-0000000016-repartition",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteTopics¶
The kafka.DeleteTopics event method is triggered by a request to authorize deleting Kafka topics.
Authorization to delete topic allowed based on prefix match
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures-2021-01-01",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Topic",
"resourceName": "departures-",
"patternType": "PREFIX",
"superUserAuthorization": false,
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.IncrementalAlterConfigs¶
The kafka.IncrementalAlterConfigs event method is triggered by a request to authorize incremental alterations of the dynamic configuration of a Kafka broker.
Authorization to alter cluster configurations allowed based on super user
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.IncrementalAlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to alter topic configurations allowed based on ACL
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.IncrementalAlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false,
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.OffsetDelete¶
The kafka.OffsetDelete event method is triggered by a request to authorize deleting a committed offset for a partition in a consumer group.
Authorization to delete consumer group offsets not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.OffsetDelete",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Delete",
"resourceType": "Group",
"resourceName": "delivery-estimator",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
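The following added example (not part of the Confluent documentation) flattens authorization records into the fields a reviewer needs: the requested resource from the CRN, the matched rule from authorizationInfo, and whether the decision came from super user status, an ACL, or an RBAC role. The sample records are constructed after the examples above (the organization ID is a placeholder); the function names and the review criteria are assumptions.

```python
import json
from urllib.parse import unquote

AUTHZ_TYPE = "io.confluent.kafka.server/authorization"
KAFKA = "crn://confluent.cloud/kafka=lkc-a1b2c"


def crn_leaf(crn):
    """Return (kind, name) from the last CRN segment, percent-decoded (%2A -> *)."""
    kind, _, name = crn.rstrip("/").rsplit("/", 1)[-1].partition("=")
    return kind, unquote(name)


def grant_basis(authz):
    """Name what decided the request, using the authorizationInfo fields."""
    if not authz.get("granted"):
        return "denied"
    if authz.get("superUserAuthorization"):
        return "superuser"
    if "aclAuthorization" in authz:
        return "acl"
    if "rbacAuthorization" in authz:
        return "rbac:" + authz["rbacAuthorization"].get("role", "?")
    return "unknown"


def normalize(line):
    """Flatten one audit record; None for anything that is not an authorization event."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict) or record.get("type") != AUTHZ_TYPE:
        return None
    data = record.get("data", {})
    authz = data.get("authorizationInfo", {})
    return {
        "principal": data.get("authenticationInfo", {}).get("principal"),
        "method": data.get("methodName"),
        "operation": authz.get("operation"),
        # data.resourceName is the resource requested; authorizationInfo.resourceName
        # is the rule that matched (compare the kafka.DeleteTopics PREFIX example).
        "target": crn_leaf(data.get("resourceName", "")),
        "rule": (authz.get("patternType"), authz.get("resourceName")),
        "basis": grant_basis(authz),
    }


def needs_review(event):
    """Assumed criteria: denied requests, and ACL grants decided by a non-LITERAL rule."""
    return event["basis"] == "denied" or (
        event["basis"] == "acl" and event["rule"][0] != "LITERAL")


def review_queue(lines):
    events = [e for e in map(normalize, lines) if e is not None]
    return [e for e in events if needs_review(e)]


def sample_record(method, crn, authz):
    """Constructed record carrying only the fields used above."""
    return json.dumps({"type": AUTHZ_TYPE, "data": {
        "methodName": method, "resourceName": crn,
        "authenticationInfo": {"principal": "User:123456"},
        "authorizationInfo": authz}})


SAMPLE_LINES = [  # constructed input
    sample_record("kafka.DeleteTopics", KAFKA + "/topic=departures-2021-01-01", {
        "granted": True, "operation": "Delete", "resourceType": "Topic",
        "resourceName": "departures-", "patternType": "PREFIX",
        "superUserAuthorization": False,
        "aclAuthorization": {"permissionType": "ALLOW", "host": "*"}}),
    sample_record("kafka.CreatePartitions", KAFKA + "/topic=departures", {
        "granted": False, "operation": "Alter", "resourceType": "Topic",
        "resourceName": "departures", "patternType": "LITERAL",
        "superUserAuthorization": False}),
    sample_record("kafka.CreateAcls", KAFKA, {
        "granted": True, "operation": "Alter", "resourceType": "Cluster",
        "resourceName": "kafka-cluster", "patternType": "LITERAL",
        "superUserAuthorization": True}),
    sample_record("mds.Authorize",
                  "crn://confluent.cloud/organization=org-placeholder/cloud-api-key=%2A", {
        "granted": True, "operation": "Create", "resourceType": "CloudApiKey",
        "resourceName": "*", "patternType": "LITERAL",
        "rbacAuthorization": {"role": "OrganizationAdmin"}}),
    "not json",
]

if __name__ == "__main__":
    for event in review_queue(SAMPLE_LINES):
        print(event)
```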