Kafka Cluster Authentication and Authorization Auditable Event Methods

Expand all examples | Collapse all examples

Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on Kafka clusters. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.

Note

When group mapping is enabled, additional properties are included in authenticationInfo (identity)) and in authorizationInfo (assignedPrincipals and actingPrincipal).

Role-based access control (RBAC)

Included here are the actions, or operations, on a role-based access control (RBAC) authorization (in Metadata Service (MDS)) that generate auditable event messages. For more about service accounts, see Service Accounts for Confluent Cloud.

Method name Action triggering an auditable event message
mds.Authorize An RBAC authorization is being checked.

Examples

mds.Authorize

Authorization to create a Kafka cluster (group mapping enabled)
{
   "datacontenttype":"application/json",
   "data":{
      "serviceName":"crn://confluent.cloud/",
      "methodName":"mds.Authorize",
      "resourceName":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
      "authenticationInfo":{
         "principal":"User:u-1abc2d",
         "identity":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/sso-connection=aupm-connection/identity=user@confluent.io"
      },
      "authorizationInfo":{
         "granted":true,
         "operation":"CreateCloudCluster",
         "resourceType":"Environment",
         "resourceName":"environment",
         "patternType":"LITERAL",
         "rbacAuthorization":{
            "role":"EnvironmentAdmin",
            "scope":{
               "outerScope":[
                  "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d",
                  "environment=env-1ab2c"
               ]
            },
            "actingPrincipal":"User:pool-123"
         },
         "assignedPrincipals":[
            "u-1abc2d",
            "group-123"
         ]
      },
      "request":{
         "correlation_id":"-1"
      },
      "requestMetadata":{
         "request_id":"282207f0-8d8e-4e8a-8078-18bb2cc2c1fe"
      }
   },
   "subject":"crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
   "specversion":"1.0",
   "id":"570ddc5d-0484-4511-b1c0-692e8ecdbd69",
   "source":"crn://confluent.cloud/",
   "time":"2023-10-03T05:31:38.079450703Z",
   "type":"io.confluent.kafka.server/authorization"
}
Authorization to create a Kafka cluster
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-a12b34",
    "authenticationInfo": {
      "principal": "User:u-1abc2d"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "CreateCloudCluster",
      "resourceType": "Environment",
      "resourceName": "environment",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    },
    "clientAddress": [
      {
        "ip": "1.2.3.4"
      }
    ]
  },
  "id": "f07bdde7-c633-41c9-abab-5ff3539e9967",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-a12b34",
  "time": "2021-06-07T18:49:40.331Z"
}
Authorization to create an API key
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
    "authenticationInfo": {
      "principal": "User:u-1abc2d"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Create",
      "resourceType": "CloudApiKey",
      "resourceName": "*",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    },
    "clientAddress": [
      {
        "ip": "1.2.3.4"
      }
    ]
  },
  "id": "87d5f2fe-b642-48e2-95cc-fafe87160288",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
  "time": "2021-06-07T18:57:09.348Z"
}
Authorization to delete an API key
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
    "authenticationInfo": {
      "principal": "User:u-4vmx7p"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Delete",
      "resourceType": "CloudApiKey",
      "resourceName": "238661",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    },
    "clientAddress": [
      {
        "ip": "1.2.3.4"
      }
    ]
  },
  "id": "20441c90-7d42-428c-a52e-40f6d1d46c59",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
  "time": "2021-06-07T18:54:30.928Z"
}
Authorization to update billing information
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
    "authenticationInfo": {
      "principal": "User:u-c1mv02"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Alter",
      "resourceType": "Billing",
      "resourceName": "payment-info",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    },
    "clientAddress": [
      {
        "ip": "1.2.3.4"
      }
    ]
  },
  "id": "08503aa2-e712-436b-ad8e-5fb7f46e99b5",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
  "time": "2021-06-15T02:21:41.251Z"
}
Authorization to create an RBAC role binding
{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-xyz123/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
    "authenticationInfo": {
      "principal": "User:u-a1bc23"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Alter",
      "resourceType": "SecurityMetadata",
      "resourceName": "security-metadata",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    },
    "clientAddress": [
      {
        "ip": "1.2.3.4"
      }
    ]
  },
  "id": "cc4f82c9-4794-4cb6-a2ad-d4d9a38a4ab1",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-xyz123/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
  "time": "2021-06-15T02:28:03.769Z"
}

Authorization event methods for Kafka cluster resources

Included here are the authorization actions, or operations, on a Kafka cluster resource that generate auditable event messages for the io.confluent.kafka.server/authorization event type. For more about Confluent Cloud Kafka clusters, see Confluent Cloud Clusters.

The following methods, except kafka.Authentication, are Kafka data plane authorization events.

Note

The Kafka cluster authorization auditable event methods have the same method names as the Kafka cluster management event methods.

Method name Action triggering an auditable event message
kafka.AlterConfigs A request to authorize altering or updating a Kafka configuration.
kafka.AlterMirrors A request to authorize altering the properties of a mirror topic that exists on a Cluster Link to this cluster.
kafka.Authentication A client has connected to the Kafka cluster using an API key or token.
kafka.CreateAcls A request to authorize the creation of a Kafka broker AC.
kafka.CreateClusterLinks A request to authorize creating a cluster link between this cluster and another cluster.
kafka.CreatePartitions A request to authorize adding partitions to a topic.
kafka.CreateTopics A request to authorize creating topics.
kafka.DeleteAcls A request to authorize deleting Kafka broker ACLs.
kafka.DeleteClusterLinks A request to authorize deleting cluster links.
kafka.DeleteGroups A request to authorize deletion of Kafka consumer groups.
kafka.DeleteRecords A request to authorize deletion of Kafka records. Commonly seen on ksqlDB internal topics for repartitioning.
kafka.DeleteTopics A request to authorize deletion of Kafka topics.
kafka.IncrementalAlterConfigs A request to authorize incremental alterations of the dynamic configuration of a Kafka broker.
kafka.OffsetDelete A request to authorize the deletion of a committed offset for a partition in a consumer group.

Kafka cluster authentication event methods

Examples

kafka.Authentication

The kafka.Authentication event method is triggered by a request for authentication using an API key or token.

Authentication to a Kafka cluster using API key – success
{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/PLAIN",
                "identifier": "MAIDSRFG53RXYTKR"
            },
            "principalResourceId": "u-yw9507",
            "identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
        },
        "result": {
            "status": "SUCCESS",
            "message": ""
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authentication to a Kafka cluster using API key – failure

Error message: “Bad password for user MAIDSRFG53RXYTKR”

{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/PLAIN",
                "identifier": "MAIDSRFG53RXYTKR"
            },
            "principalResourceId": "u-yw9507",
            "identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
        },
        "result": {
            "status": "UNAUTHENTICATED",
            "message": "Bad password for user MAIDSRFG53RXYTKR"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – success
{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/OAUTHBEARER",
                "identifier": "123456"
            },
            "principalResourceId": "u-yw9507",
            "identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
        },
        "result": {
            "status": "SUCCESS",
            "message": ""
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authentication to a Kafka cluster using interactive token – failure

Error message: “The principal 654321’s logical cluster lkc-a1b2c is not hosted on this broker.”

{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "None:UNKNOWN_USER",
            "metadata": {
                "mechanism": "SASL_SSL/OAUTHBEARER",
                "identifier": "654321"
            },
            "principalResourceId": "u-yw9507",
            "identity": "crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507"
        },
        "result": {
            "status": "UNAUTHENTICATED",
            "message": "The principal 654321's logical cluster lkc-a1b2c is not hosted on this broker."
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Cluster linking authentication between two PrivateLink |ak| clusters -- success
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "methodName": "kafka.Authentication",
    "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "authenticationInfo": {
      "principal": "User:123456",
      "metadata": {
        "mechanism": "SASL_SSL/PLAIN",
        "identifier": "MAIDSRFG53RXYTKR"
      },
      "principalResourceId": "u-3r1ywo"
    },
    "requestMetadata": {
      "connection_id": "111222686238900021",
      "network_id": "n-ab1324"
    },
    "result": {
      "status": "SUCCESS"
    },
    "clientAddress": [
      {
        "ip": "1.2.3.4"
      }
    ]
  },
  "subject": "crn://confluent.cloud/kafka=lkc-a1b2c",
  "specversion": "1.0",
  "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
  "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
  "time": "2022-11-15T23:44:22.789Z",
  "type": "io.confluent.kafka.server/authentication"
}

Kafka cluster authorization event methods

Examples

kafka.AlterConfigs

The kafka.AlterConfigs event method is triggered by a request to authorize altering or updating a Kafka cluster configuration.

Authorization to alter topic configurations allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.AlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.AlterMirrors

The kafka.AlterMirrors event method is triggered by a request to authorize altering the properties of a mirror topic that exists on a cluster link to the specified Kafka cluster.

Authorization to alter properties of a cluster link topic allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.AlterMirrors",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Alter",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.CreateAcls

The kafka.CreateAcls event method is triggered by a request to authorize creating a Kafka broker ACL.

Authorization to create ACL rules on a Kafka cluster allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateAcls",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Alter",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.CreatePartitions

The kafka.CreatePartitions event method is triggered by a request to authorize adding partitions to a Kafka topic.

Authorization to add partitions to topic not allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreatePartitions",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Alter",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.CreateTopics

The kafka.CreateTopics event method is triggered by a request to authorize creating topics.

Authorization to create any topic on a Kafka cluster allowed (group mapping enabled)
{
   "datacontenttype":"application/json",
   "data":{
      "serviceName":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123",
      "methodName":"kafka.CreateTopics",
      "resourceName":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123/topic=ddf56c2f-4919-4449-93c6-3adacefccd72",
      "authenticationInfo":{
         "principal":"User:4533800",
         "principalResourceId":"u-123",
         "identity":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/sso-connection=aupm-connection/identity=user@confluent.io"
      },
      "authorizationInfo":{
         "granted":true,
         "operation":"DescribeConfigs",
         "resourceType":"Topic",
         "resourceName":"ddf56c2f-4919-4449-93c6-3adacefccd72",
         "patternType":"LITERAL",
         "rbacAuthorization":{
            "role":"EnvironmentAdmin",
            "scope":{
               "outerScope":[
                  "organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g",
                  "environment=env-123"
               ]
            },
            "actingPrincipal":"User:u-123"
         },
          "assignedPrincipals":[
             "u-123",
             "pool-123"
          ]
      },
      "request":{
         "correlation_id":"5",
         "client_id":"proxy:4533800"
      },
      "requestMetadata":{
         "request_id":"169631636180600006"
      }
   },
   "subject":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123/topic=ddf56c2f-4919-4449-93c6-3adacefccd72",
   "specversion":"1.0",
   "id":"d40556a2-c728-4e65-8d55-d93c2ef67863",
   "source":"crn://confluent.cloud/organization=3ab32d97-38ac-4ee6-8cef-cf71996d772g/environment=env-123/cloud-cluster=lkc-123/kafka=lkc-123",
   "time":"2023-10-03T06:59:21.807825038Z",
   "type":"io.confluent.kafka.server/authorization"
}
Authorization to create any topic on a Kafka cluster allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Create",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authorization to create a specific topic allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.CreateTopics",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "DescribeConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authorization to create a specific topic not allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Create",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.DeleteAcls

The kafka.DeleteAcls event method is triggered by a request to authorize deleting Kafka broker ACLs.

Authorization tACL rules from a Kafka cluster allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.DeleteAcls",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Alter",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.DeleteGroups

The kafka.DeleteGroups event method is triggered by a request to authorize deleting Kafka consumer groups.

Authorization to delete consumer group allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteGroups",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Group",
            "resourceName": "delivery-estimator",
            "patternType": "LITERAL",
            "aclAuthorization": {
                "host": "*",
                "permissionType": "ALLOW"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.DeleteRecords

The kafka.DeleteRecords event method is triggered by a request to authorize deleting records.

Authorization to delete records from topic allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteRecords",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=foo-KSTREAM-REPARTITION-0000000016-repartition",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Topic",
            "resourceName": "foo-KSTREAM-REPARTITION-0000000016-repartition",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.DeleteTopics

The kafka.DeleteTopics event method is triggered by a request to authorize deleting Kafka topics.

Authorization to delete topic allowed based on prefix match
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures-2021-01-01",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Topic",
            "resourceName": "departures-",
            "patternType": "PREFIX"
            "aclAuthorization": {
                "permissionType": "ALLOW",
                "host": "*"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.IncrementalAlterConfigs

The kafka.IncrementalAlterConfigs event method is triggered by a request to authorize incremental alterations of the dynamic configuration of a Kafka broker.

Authorization to alter cluster configurations allowed based on super user
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.IncrementalAlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}
Authorization to alter topic configurations allowed based on ACL
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.IncrementalAlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "aclAuthorization": {
                "permissionType": "ALLOW",
                "host": "*"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

kafka.OffsetDelete

The kafka.OffsetDelete event method is triggered by a request to authorize deleting a committed offset for a partition in a consumer group.

Authorization to delete consumer group offsets not allowed
{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.OffsetDelete",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Delete",
            "resourceType": "Group",
            "resourceName": "delivery-estimator",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        },
        "clientAddress": [
            {
                "ip": "1.2.3.4"
            }
        ]
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}