Flink Authentication and Authorization Auditable Event Methods on Confluent Cloud
Confluent Cloud audit logs contain records of auditable events for authentication and authorization operations. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record. For management and operations events for Flink, see Flink Management and Operations Auditable Event Methods on Confluent Cloud.
Flink region authentication
The following operations authenticate to an Apache Flink® region and generate auditable event messages for the io.confluent.flink.server/authentication event type.
Method name | Action triggering an auditable event message |
|---|---|
A request for authentication to a Flink region. |
flink.Authenticate
The flink.Authenticate event is generated by a request to authenticate to a Flink region.
To view an example event message, expand the following dropdown:
Success
{
"type": "io.confluent.flink.server/authentication",
"id": "f388a04b-0bbe-4e10-9b97-b2f565274196",
"subject": "crn://confluent.cloud/organization=7c210ed4-6e1e-4355-abf9-b25e25a8b25a/environment=env-xmzdkk/flink-region=AWS.eu-central-1",
"@timestamp": "2024-01-12T13:33:46.296Z",
"datacontenttype": "application/json",
"@version": "1",
"kafka.partition": "106",
"dataschema": "https://confluent.io/internal/events/AuditLog.v2",
"specversion": "1.0",
"source": "crn://confluent.cloud/",
"kafka.offset": "2495047099",
"time": "2024-01-12T13:33:46.296209728Z",
"data": {
"requestMetadata": {
"clientAddress": [
{
"ip": "134.238.54.136"
}
],
"requestId": [
"d31875a39d6e5eae08e0419176808af3"
]
},
"internalServiceName": "crn://confluent.cloud/organization=7c210ed4-6e1e-4355-abf9-b25e25a8b25a/environment=env-xmzdkk/flink-region=AWS.eu-central-1",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7c210ed4-6e1e-4355-abf9-b25e25a8b25a"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-xmzdkk"
}
]
},
"resource": {
"type": "FLINK_REGION",
"resourceId": "AWS.eu-central-1"
}
}
],
"result": {
"status": "SUCCESS"
},
"request": {
"accessType": "READ_ONLY",
"data": "{\"intendedLogicalClusterCrn\":\"crn://confluent.cloud/organization=7c210ed4-6e1e-4355-abf9-b25e25a8b25a/environment=env-xmzdkk/flink-region=AWS.eu-central-1\"}"
},
"serviceName": "crn://confluent.cloud/organization=7c210ed4-6e1e-4355-abf9-b25e25a8b25a/environment=env-xmzdkk/flink-region=AWS.eu-central-1",
"methodName": "flink.Authenticate",
"authenticationInfo": {
"result": "SUCCESS",
"exposure": "CUSTOMER",
"credentials": {
"mechanism": "HTTP_BEARER",
"idTokenCredentials": {
"type": "JWT",
"issuer": "Confluent",
"subject": "1281943"
}
}
}
}
}
Flink authorization
The following operations authorize principals, such as user and service accounts, to access, modify, delete, or create a Flink resource and generate auditable event messages for the io.confluent.flink.server/authorization event type.
Method name | Action triggering an auditable event message |
|---|---|
A request to authorize a principal to access, modify, delete, or create a Flink resource. |
flink.Authorize
The flink.Authorize event is generated by a request to authorize a principal to access, modify, delete, or create a Flink resource (STATEMENT or WORKSPACE).
To view an example event message, expand the following dropdown:
Success
{
"cloudResources": [
{
"scope": {
"resources": [
{
"resourceId": "49aea135-19f4-4e75-adb3-8ca5dd04e292",
"type": "ORGANIZATION"
},
{
"resourceId": "env-3ny01o",
"type": "ENVIRONMENT"
},
{
"resourceId": "azure.eastus2",
"type": "FLINK_REGION"
}
]
},
"resource": {
"resourceId": "workspace-2024-03-07-030236-92003e1d-1abf-4401-bbfb-57b6b9ead5de",
"type": "STATEMENT"
}
}
],
"authorizationInfo": {
"resourceName": "workspace-2024-03-07-030236-92003e1d-1abf-4401-bbfb-57b6b9ead5de",
"operation": "Describe",
"resourceType": "STATEMENT",
"rbacAuthorization": {
"patternType": "LITERAL",
"resourceType": "Statement",
"actingPrincipal": {
"group": {
"resourceId": "group-Xmgn"
}
},
"role": "FlinkAdmin",
"patternName": "*",
"operation": "Describe",
"cloudScope": {
"resources": [
{
"resourceId": "49aea135-19f4-4e75-adb3-8ca5dd04e292",
"type": "ORGANIZATION"
},
{
"resourceId": "env-3px32m",
"type": "ENVIRONMENT"
}
]
}
},
"result": "ALLOW"
},
"request": {
"accessType": "READ_ONLY"
},
"internalServiceName": "crn://confluent.cloud/organization=49afb126-18f4-4e76-adb3-8ca5dd04e393/environment=env-3px32m/flink-region=azure.eastus2",
"authenticationInfo": {
"exposure": "CUSTOMER",
"identity": "crn://confluent.cloud/organization=49afb126-18f4-4e76-adb3-8ca5dd04e393/identity-provider=Confluent/identity=u-nqxk78",
"principal": {
"confluentUser": {
"resourceId": "u-nqxk78"
}
},
"result": "SUCCESS"
},
"serviceName": "crn://confluent.cloud/organization=49afb126-18f4-4e76-adb3-8ca5dd04e393/environment=env-3px32m/flink-region=azure.eastus2",
"methodName": "flink.Authorize",
"requestMetadata": {
"requestId": [
"52107f4df7fce0356e278c20ce143418"
],
"clientAddress": [
{
"ip": "1.2.3.4.5"
}
]
},
"result": {
"status": "SUCCESS"
}
}
