Kafka Cluster Authentication and Authorization Auditable Event Methods on Confluent Cloud
Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on Apache Kafka® clusters. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.
Note
When group mapping is enabled, additional properties are included in authenticationInfo (identity) and in authorizationInfo (assignedPrincipals and actingPrincipal).
Role-based access control (RBAC)
The following actions, or operations, on RBAC authorization in Metadata Service (MDS) generate auditable event messages. For more about service accounts, see Service Accounts on Confluent Cloud.
Method name | Action triggering an auditable event message |
|---|---|
An RBAC authorization is being checked. |
mds.Authorize
To view example event messages, expand the following dropdowns:
Success: Authorization to create a Kafka cluster (group mapping enabled)
{
"datacontenttype":"application/json",
"data":{
"serviceName":"crn://confluent.cloud/",
"methodName":"mds.Authorize",
"resourceName":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"authenticationInfo":{
"principal":"User:u-1abc2d",
"identity":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/sso-connection=aupm-connection/identity=user@confluent.io"
},
"authorizationInfo":{
"granted":true,
"operation":"CreateCloudCluster",
"resourceType":"Environment",
"resourceName":"environment",
"patternType":"LITERAL",
"rbacAuthorization":{
"role":"EnvironmentAdmin",
"scope":{
"outerScope":[
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
"environment=env-1ab2c"
]
},
"actingPrincipal":"User:pool-123"
},
"assignedPrincipals":[
"u-1abc2d",
"group-123"
]
},
"request":{
"correlation_id":"-1"
},
"requestMetadata":{
"request_id":"282207f0-8d8e-4e8a-8078-18bb2cc2c1fe"
}
},
"subject":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"specversion":"1.0",
"id":"570ddc5d-0484-4511-b1c0-692e8ecdbd69",
"source":"crn://confluent.cloud/",
"time":"2023-10-03T05:31:38.079450703Z",
"type":"io.confluent.kafka.server/authorization"
}
Success: Authorization to create a Kafka cluster
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-a12b34",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "CreateCloudCluster",
"resourceType": "Environment",
"resourceName": "environment",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "f07bdde7-c633-41c9-abab-5ff3539e9967",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-a12b34",
"time": "2021-06-07T18:49:40.331Z"
}
Success: Authorization to create an API key
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "Create",
"resourceType": "CloudApiKey",
"resourceName": "*",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "87d5f2fe-b642-48e2-95cc-fafe87160288",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
"time": "2021-06-07T18:57:09.348Z"
}
Success: Authorization to delete an API key
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
"authenticationInfo": {
"principal": "User:u-4vmx7p"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "CloudApiKey",
"resourceName": "238661",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "20441c90-7d42-428c-a52e-40f6d1d46c59",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
"time": "2021-06-07T18:54:30.928Z"
}
Success: Authorization to update billing information
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
"authenticationInfo": {
"principal": "User:u-c1mv02"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Billing",
"resourceName": "payment-info",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "08503aa2-e712-436b-ad8e-5fb7f46e99b5",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
"time": "2021-06-15T02:21:41.251Z"
}
Success: Authorization to create an RBAC role binding
{
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-xyz123/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
"authenticationInfo": {
"principal": "User:u-a1bc23"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "SecurityMetadata",
"resourceName": "security-metadata",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "cc4f82c9-4794-4cb6-a2ad-d4d9a38a4ab1",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-xyz123/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
"time": "2021-06-15T02:28:03.769Z"
}
Authorization event methods for Kafka cluster resources
The following authorization actions, or operations, on a Kafka cluster resource generate auditable event messages for the io.confluent.kafka.server/authorization event type. For more about Confluent Cloud Kafka clusters, see Confluent Cloud Clusters.
The following methods, except kafka.Authentication, are Kafka data plane authorization events.
Note
The Kafka cluster authorization auditable event methods have the same method names as the Kafka cluster management event methods.
Method name | Action triggering an auditable event message |
|---|---|
A request to authorize altering or updating a Kafka configuration. | |
A request to authorize altering the properties of a mirror topic that exists on a Cluster Link to this cluster. | |
A client has connected to the Kafka cluster using an API key or token. | |
A request to authorize the creation of a Kafka broker ACL. | |
A request to authorize creating a cluster link between this cluster and another cluster. | |
A request to authorize adding partitions to a topic. | |
A request to authorize creating topics. | |
A request to authorize deleting Kafka broker ACLs. | |
A request to authorize deleting cluster links. | |
A request to authorize deletion of Kafka consumer groups. | |
A request to authorize deletion of Kafka records. Commonly seen on ksqlDB internal topics for repartitioning. | |
A request to authorize deletion of Kafka topics. | |
A request to authorize incremental alterations of the dynamic configuration of a Kafka broker. | |
A request to authorize the deletion of a committed offset for a partition in a consumer group. |
kafka.AlterConfigs
The kafka.AlterConfigs event is generated by a request to authorize altering or updating a Kafka cluster configuration.
To view an example event message, expand the following dropdown:
Success: Authorization to alter topic configurations allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.AlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.AlterMirrors
The kafka.AlterMirrors event is generated by a request to authorize altering the properties of a mirror topic that exists on a cluster link to the specified Kafka cluster.
To view an example event message, expand the following dropdown:
Success: Authorization to alter properties of a cluster link topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.AlterMirrors",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateAcls
The kafka.CreateAcls event is generated by a request to authorize creating a Kafka broker ACL.
To view an example event message, expand the following dropdown:
Success: Authorization to create ACL rules on a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateAcls",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateClusterLinks
The kafka.CreateClusterLinks event is generated by a request to authorize creating a cluster link between this cluster and another cluster.
To view an example event message, expand the following dropdown:
Success: Authorization to create cluster link allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateClusterLinks",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreatePartitions
The kafka.CreatePartitions event is generated by a request to authorize adding partitions to a Kafka topic.
To view an example event message, expand the following dropdown:
Failure: Authorization to add partitions to topic not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreatePartitions",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Alter",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.CreateTopics
The kafka.CreateTopics event is generated by a request to authorize creating topics.
To view example event messages, expand the following dropdowns:
Success: Authorization to create any topic on a Kafka cluster allowed (group mapping enabled)
{
"datacontenttype":"application/json",
"data":{
"serviceName":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123",
"methodName":"kafka.CreateTopics",
"resourceName":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123/topic=ddf56c2f-4919-4449-93c6-3adacefccd72",
"authenticationInfo":{
"principal":"User:4533800",
"principalResourceId":"u-123",
"identity":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/sso-connection=aupm-connection/identity=user@confluent.io"
},
"authorizationInfo":{
"granted":true,
"operation":"DescribeConfigs",
"resourceType":"Topic",
"resourceName":"ddf56c2f-4919-4449-93c6-3adacefccd72",
"patternType":"LITERAL",
"rbacAuthorization":{
"role":"EnvironmentAdmin",
"scope":{
"outerScope":[
"organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g",
"environment=env-123"
]
},
"actingPrincipal":"User:u-123"
},
"assignedPrincipals":[
"u-123",
"pool-123"
]
},
"request":{
"correlation_id":"5",
"client_id":"proxy:4533800"
},
"requestMetadata":{
"request_id":"169631636180600006"
}
},
"subject":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123/topic=ddf56c2f-4919-4449-93c6-3adacefccd72",
"specversion":"1.0",
"id":"d40556a2-c728-4e65-8d55-d93c2ef67863",
"source":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123",
"time":"2023-10-03T06:59:21.807825038Z",
"type":"io.confluent.kafka.server/authorization"
}
Success: Authorization to create any topic on a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Create",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Success: Authorization to create a specific topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.CreateTopics",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "DescribeConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Failure: Authorization to create a specific topic not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.CreateTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Create",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteAcls
The kafka.DeleteAcls event is generated by a request to authorize deleting Kafka broker ACLs.
To view an example event message, expand the following dropdown:
Success: Authorization to delete ACL rules from a Kafka cluster allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.DeleteAcls",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteClusterLinks
The kafka.DeleteClusterLinks event is generated by a request to authorize deleting cluster links.
To view an example event message, expand the following dropdown:
Success: Authorization to delete cluster link allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteClusterLinks",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Alter",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteGroups
The kafka.DeleteGroups event is generated by a request to authorize deleting Kafka consumer groups.
To view an example event message, expand the following dropdown:
Success: Authorization to delete consumer group allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteGroups",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Group",
"resourceName": "delivery-estimator",
"patternType": "LITERAL",
"aclAuthorization": {
"host": "*",
"permissionType": "ALLOW"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteRecords
The kafka.DeleteRecords event is generated by a request to authorize deleting records.
To view an example event message, expand the following dropdown:
Success: Authorization to delete records from topic allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteRecords",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=foo-KSTREAM-REPARTITION-0000000016-repartition",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Topic",
"resourceName": "foo-KSTREAM-REPARTITION-0000000016-repartition",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.DeleteTopics
The kafka.DeleteTopics event is generated by a request to authorize deleting Kafka topics.
To view an example event message, expand the following dropdown:
Success: Authorization to delete topic allowed based on prefix match
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.DeleteTopics",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures-2021-01-01",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "Delete",
"resourceType": "Topic",
"resourceName": "departures-",
"patternType": "PREFIX",
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.IncrementalAlterConfigs
The kafka.IncrementalAlterConfigs event is generated by a request to authorize incremental alterations of the dynamic configuration of a Kafka broker.
To view example event messages, expand the following dropdowns:
Success: Authorization to alter cluster configurations allowed based on super user
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.IncrementalAlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Cluster",
"resourceName": "kafka-cluster",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Success: Authorization to alter topic configurations allowed based on ACL
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.IncrementalAlterConfigs",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
kafka.OffsetDelete
The kafka.OffsetDelete event is generated by a request to authorize deleting a committed offset for a partition in a consumer group.
To view an example event message, expand the following dropdown:
Failure: Authorization to delete consumer group offsets not allowed
{
"type": "io.confluent.kafka.server/authorization",
"data": {
"methodName": "kafka.OffsetDelete",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": false,
"operation": "Delete",
"resourceType": "Group",
"resourceName": "delivery-estimator",
"patternType": "LITERAL"
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Kafka cluster authentication event methods
kafka.Authentication
The kafka.Authentication event is generated by a request for authentication using an API key or token.
Note
The authenticationInfo.metadata section includes a tlsVersion field that indicates the TLS version used by the client. This field is optional and defaults to 1.2 if not present. This can be helpful for identifying which clients are using specific TLS versions, such as when migrating from TLS 1.2 to 1.3.
To view example event messages, expand the following dropdowns:
Success: Authentication to a Kafka cluster using API key
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR",
"tlsVersion": "1.3"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "SUCCESS",
"message": ""
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Failure: Authentication to a Kafka cluster using API key
Error message: “Bad password for user MAIDSRFG53RXYTKR”
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR",
"tlsVersion": "1.3"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "UNAUTHENTICATED",
"message": "Bad password for user MAIDSRFG53RXYTKR"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Success: Authentication to a Kafka cluster using interactive token
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/OAUTHBEARER",
"identifier": "123456",
"tlsVersion": "1.3"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "SUCCESS",
"message": ""
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Failure: Authentication to a Kafka cluster using interactive token
{
"type": "io.confluent.kafka.server/authentication",
"data": {
"methodName": "kafka.Authentication",
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "None:UNKNOWN_USER",
"metadata": {
"mechanism": "SASL_SSL/OAUTHBEARER",
"identifier": "654321",
"tlsVersion": "1.3"
},
"principalResourceId": "u-yw9507",
"identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
},
"result": {
"status": "UNAUTHENTICATED",
"message": "The principal 654321's logical cluster lkc-a1b2c is not hosted on this broker."
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"time": "2021-01-01T12:34:56.789Z",
"datacontenttype": "application/json",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"specversion": "1.0"
}
Success: Cluster linking authentication between two PrivateLink Kafka clusters
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.Authentication",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"authenticationInfo": {
"principal": "User:123456",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR",
"tlsVersion": "1.3"
},
"principalResourceId": "u-3r1ywo"
},
"requestMetadata": {
"connection_id": "111222686238900021",
"network_id": "n-ab1324"
},
"result": {
"status": "SUCCESS"
},
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"subject": "crn://confluent.cloud/kafka=lkc-a1b2c",
"specversion": "1.0",
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"time": "2022-11-15T23:44:22.789Z",
"type": "io.confluent.kafka.server/authentication"
}
