Kafka Cluster Authentication and Authorization Auditable Event Methods¶
Expand all examples | Collapse all examples
Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on Kafka clusters. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.
Note
When group mapping is enabled, additional properties
are included in authenticationInfo (identity))
and in authorizationInfo (assignedPrincipals and actingPrincipal).
Role-based access control (RBAC)¶
Included here are the actions, or operations, on a role-based access control (RBAC) authorization (in Metadata Service (MDS)) that generate auditable event messages. For more about service accounts, see Service Accounts for Confluent Cloud.
| Method name | Action triggering an auditable event message |
|---|---|
| mds.Authorize | An RBAC authorization is being checked. |
Examples¶
mds.Authorize¶
Authorization to create a Kafka cluster (group mapping enabled)
{
"datacontenttype":"application/json",
"data":{
"serviceName":"crn://confluent.cloud/",
"methodName":"mds.Authorize",
"resourceName":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"authenticationInfo":{
"principal":"User:u-1abc2d",
"identity":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/sso-connection=aupm-connection/identity=user@confluent.io"
},
"authorizationInfo":{
"granted":true,
"operation":"CreateCloudCluster",
"resourceType":"Environment",
"resourceName":"environment",
"patternType":"LITERAL",
"rbacAuthorization":{
"role":"EnvironmentAdmin",
"scope":{
"outerScope":[
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
"environment=env-1ab2c"
]
},
"actingPrincipal":"User:pool-123"
},
"assignedPrincipals":[
"u-1abc2d",
"group-123"
]
},
"request":{
"correlation_id":"-1"
},
"requestMetadata":{
"request_id":"282207f0-8d8e-4e8a-8078-18bb2cc2c1fe"
}
},
"subject":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"specversion":"1.0",
"id":"570ddc5d-0484-4511-b1c0-692e8ecdbd69",
"source":"crn://confluent.cloud/",
"time":"2023-10-03T05:31:38.079450703Z",
"type":"io.confluent.kafka.server/authorization"
}
Authorization to create a Kafka cluster
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-a12b34",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "CreateCloudCluster",
"resourceType": "Environment",
"resourceName": "environment",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "f07bdde7-c633-41c9-abab-5ff3539e9967",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-a12b34",
"time": "2021-06-07T18:49:40.331Z"
}
Authorization to create an API key
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "Create",
"resourceType": "CloudApiKey",
"resourceName": "*",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "87d5f2fe-b642-48e2-95cc-fafe87160288",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
"time": "2021-06-07T18:57:09.348Z"
}
Authorization to delete an API key
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
"authenticationInfo": {
"principal": "User:u-4vmx7p"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "CloudApiKey",
"resourceName": "238661",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "20441c90-7d42-428c-a52e-40f6d1d46c59",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
"time": "2021-06-07T18:54:30.928Z"
}
Authorization to update billing information
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
"authenticationInfo": {
"principal": "User:u-c1mv02"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Billing",
"resourceName": "payment-info",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "08503aa2-e712-436b-ad8e-5fb7f46e99b5",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
"time": "2021-06-15T02:21:41.251Z"
}
Authorization to create an RBAC role binding
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-xyz123/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
"authenticationInfo": {
"principal": "User:u-a1bc23"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "SecurityMetadata",
"resourceName": "security-metadata",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "cc4f82c9-4794-4cb6-a2ad-d4d9a38a4ab1",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-xyz123/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
"time": "2021-06-15T02:28:03.769Z"
}
Authorization event methods for Kafka cluster resources¶
Included here are the authorization actions, or operations, on a Kafka cluster resource
that generate auditable event messages for the io.confluent.kafka.server/authorization
event type. For more about Confluent Cloud Kafka clusters, see Confluent Cloud Clusters.
The following methods, except kafka.Authentication, are Kafka
data plane authorization events.
Note
The Kafka cluster authorization auditable event methods have the same method names as the Kafka cluster management event methods.
| Method name | Action triggering an auditable event message |
|---|---|
| kafka.AlterConfigs | A request to authorize altering or updating a Kafka configuration. |
| kafka.AlterMirrors | A request to authorize altering the properties of a mirror topic that exists on a Cluster Link to this cluster. |
| kafka.Authentication | A client has connected to the Kafka cluster using an API key or token. |
| kafka.CreateAcls | A request to authorize the creation of a Kafka broker AC. |
| kafka.CreateClusterLinks | A request to authorize creating a cluster link between this cluster and another cluster. |
| kafka.CreatePartitions | A request to authorize adding partitions to a topic. |
| kafka.CreateTopics | A request to authorize creating topics. |
| kafka.DeleteAcls | A request to authorize deleting Kafka broker ACLs. |
| kafka.DeleteClusterLinks | A request to authorize deleting cluster links. |
| kafka.DeleteGroups | A request to authorize deletion of Kafka consumer groups. |
| kafka.DeleteRecords | A request to authorize deletion of Kafka records. Commonly seen on ksqlDB internal topics for repartitioning. |
| kafka.DeleteTopics | A request to authorize deletion of Kafka topics. |
| kafka.IncrementalAlterConfigs | A request to authorize incremental alterations of the dynamic configuration of a Kafka broker. |
| kafka.OffsetDelete | A request to authorize the deletion of a committed offset for a partition in a consumer group. |
Kafka cluster authentication event methods¶
Examples¶
kafka.Authentication¶
The kakfa.Authentication event method is triggered by a request for authentication
using an API key or token.
Authentication to a Kafka cluster using API key – success
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "SUCCESS",
"message": ""
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using API key – failure
Error message: “Bad password for user MAIDSRFG53RXYTKR”
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "UNAUTHENTICATED",
"message": "Bad password for user MAIDSRFG53RXYTKR"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – success
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/OAUTHBEARER",
"identifier": "123456"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "SUCCESS",
"message": ""
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – failure
Error message: “The principal 654321’s logical cluster lkc-a1b2c is not hosted on this broker.”
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "None:UNKNOWN_USER",
"metadata": {
"mechanism": "SASL_SSL/OAUTHBEARER",
"identifier": "654321"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "UNAUTHENTICATED",
"message": "The principal 654321's logical cluster lkc-a1b2c is not hosted on this broker."
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Cluster linking authentication between two PrivateLink |ak| clusters -- success
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.Authentication",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
},
"principalResourceId": "u-3r1ywo"
},
"requestMetadata": {
"connection_id": "111222686238900021",
"network_id": "n-ab1324"
},
"result": {
"status": "SUCCESS"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"subject": "crn://confluent.cloud/kafka=lkc-a1b2c",
"specversion": "1.0",
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"time": "2022-11-15T23:44:22.789Z",
"type": "io.confluent.kafka.server/authentication"
}
Kafka cluster authorization event methods¶
Examples¶
kafka.AlterConfigs¶
The kakfa.AlterConfigs event method is triggered by a request to authorize
altering or updating a Kafka cluster configuration.
Authorization to alter topic configurations allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.AlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.AlterMirrors¶
The kakfa.AlterMirrors event method is triggered by a request to authorize
altering the properties of a mirror topic that exists on a cluster link to the
specified Kafka cluster.
Authorization to alter properties of a cluster link topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.AlterMirrors",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateAcls¶
The kakfa.CreateAcls event method is triggered by a request to authorize
creating a Kafka broker ACL.
Authorization to create ACL rules on a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateAcls",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateClusterLinks¶
The kakfa.CreateClusterLinks event method is triggered by a request to authorize
creating a cluster link between this cluster and another cluster.
Authorization to create cluster link allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateClusterLinks",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreatePartitions¶
The kakfa.CreatePartitions event method is triggered by a request to authorize
adding partitions to a Kafka topic.
Authorization to add partitions to topic not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreatePartitions",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Alter",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateTopics¶
The kakfa.CreateTopics event method is triggered by a request to authorize
creating topics.
Authorization to create any topic on a Kafka cluster allowed (group mapping enabled)
{
"datacontenttype":"application/json",
"data":{
"serviceName":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123",
"methodName":"kafka.CreateTopics",
"resourceName":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123/topic=ddf56c2f-4919-4449-93c6-3adacefccd72",
"authenticationInfo":{
"principal":"User:4533800",
"principalResourceId":"u-123",
"identity":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/sso-connection=aupm-connection/identity=user@confluent.io"
},
"authorizationInfo":{
"granted":true,
"operation":"DescribeConfigs",
"resourceType":"Topic",
"resourceName":"ddf56c2f-4919-4449-93c6-3adacefccd72",
"patternType":"LITERAL",
"rbacAuthorization":{
"role":"EnvironmentAdmin",
"scope":{
"outerScope":[
"organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g",
"environment=env-123"
]
},
"actingPrincipal":"User:u-123"
},
"assignedPrincipals":[
"u-123",
"pool-123"
]
},
"request":{
"correlation_id":"5",
"client_id":"proxy:4533800"
},
"requestMetadata":{
"request_id":"169631636180600006"
}
},
"subject":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123/topic=ddf56c2f-4919-4449-93c6-3adacefccd72",
"specversion":"1.0",
"id":"d40556a2-c728-4e65-8d55-d93c2ef67863",
"source":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123",
"time":"2023-10-03T06:59:21.807825038Z",
"type":"io.confluent.kafka.server/authorization"
}
Authorization to create any topic on a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Create",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to create a specific topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.CreateTopics",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "DescribeConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to create a specific topic not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Create",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteAcls¶
The kakfa.DeleteAcls event method is triggered by a request to authorize
deleting Kafka broker ACLs.
Authorization tACL rules from a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.DeleteAcls",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteClusterLinks¶
The kakfa.DeleteClusterLinks event method is triggered by a request to authorize
deleting cluster links.
Authorization to delete cluster link allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteClusterLinks",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteGroups¶
The kakfa.DeleteGroups event method is triggered by a request to authorize
deleting Kafka consumer groups.
Authorization to delete consumer group allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteGroups",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Group",
"resourceName": "delivery-estimator",
"patternType": "LITERAL",
"superUserAuthorization": false,
"aclAuthorization": {
"host": "*",
"permissionType": "ALLOW"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteRecords¶
The kakfa.DeleteRecords event method is triggered by a request to authorize
deleting records.
Authorization to delete records from topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteRecords",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=foo-KSTREAM-REPARTITION-0000000016-repartition",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Topic",
"resourceName": "foo-KSTREAM-REPARTITION-0000000016-repartition",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteTopics¶
The kakfa.DeleteTopics event method is triggered by a request to authorize
deleting Kafka topics.
Authorization to delete topic allowed based on prefix match
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures-2021-01-01",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Topic",
"resourceName": "departures-",
"patternType": "PREFIX",
"superUserAuthorization": false,
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.IncrementalAlterConfigs¶
The kakfa.IncrementalAlterConfigs event method is triggered by a request to authorize
incremental alterations of the dynamic configuration of a Kafka broker.
Authorization to alter cluster configurations allowed based on super user
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.IncrementalAlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Authorization to alter topic configurations allowed based on ACL
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.IncrementalAlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false,
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.OffsetDelete¶
The kakfa.OffsetDelete event method is triggered by a request to authorize
deleting a committed offset for a partition in a consumer group.
Authorization to delete consumer group offsets not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.OffsetDelete",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Delete",
"resourceType": "Group",
"resourceName": "delivery-estimator",
"patternType": "LITERAL",
"superUserAuthorization": false
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}