Flink Authentication and Authorization Auditable Event Methods on Confluent Cloud
Confluent Cloud audit logs contain records of auditable events for authentication and authorization operations. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.
Flink region authentication auditable event methods
Included here are operations authenticating to a Flink region that generate auditable event messages for the io.confluent.flink.server/authentication event type.
Method name | Action triggering an auditable event message |
---|---|
flink.Authenticate | A request for authentication to a Flink region. |
Examples
flink.Authenticate
The flink.Authenticate event method is triggered by a request to authenticate to a Flink region.
SUCCESS
{
  "type": "io.confluent.flink.server/authentication",
  "id": "f388a04b-0bbe-4e10-9b97-b2f565274196",
  "subject": "crn://confluent.cloud/organization=7c210ed4-6e1e-4355-abf9-b25e25a8b25a/environment=env-xmzdkk/flink-region=AWS.eu-central-1",
  "@timestamp": "2024-01-12T13:33:46.296Z",
  "datacontenttype": "application/json",
  "@version": "1",
  "kafka.partition": "106",
  "dataschema": "https://confluent.io/internal/events/AuditLog.v2",
  "specversion": "1.0",
  "source": "crn://confluent.cloud/",
  "kafka.offset": "2495047099",
  "time": "2024-01-12T13:33:46.296209728Z",
  "data": {
    "requestMetadata": {
      "clientAddress": [
        {
          "ip": "134.238.54.136"
        }
      ],
      "requestId": [
        "d31875a39d6e5eae08e0419176808af3"
      ]
    },
    "internalServiceName": "crn://confluent.cloud/organization=7c210ed4-6e1e-4355-abf9-b25e25a8b25a/environment=env-xmzdkk/flink-region=AWS.eu-central-1",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "7c210ed4-6e1e-4355-abf9-b25e25a8b25a"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-xmzdkk"
            }
          ]
        },
        "resource": {
          "type": "FLINK_REGION",
          "resourceId": "AWS.eu-central-1"
        }
      }
    ],
    "result": {
      "status": "SUCCESS"
    },
    "request": {
      "accessType": "READ_ONLY",
      "data": "{\"intendedLogicalClusterCrn\":\"crn://confluent.cloud/organization=7c210ed4-6e1e-4355-abf9-b25e25a8b25a/environment=env-xmzdkk/flink-region=AWS.eu-central-1\"}"
    },
    "serviceName": "crn://confluent.cloud/organization=7c210ed4-6e1e-4355-abf9-b25e25a8b25a/environment=env-xmzdkk/flink-region=AWS.eu-central-1",
    "methodName": "flink.Authenticate",
    "authenticationInfo": {
      "result": "SUCCESS",
      "exposure": "CUSTOMER",
      "credentials": {
        "mechanism": "HTTP_BEARER",
        "idTokenCredentials": {
          "type": "JWT",
          "issuer": "Confluent",
          "subject": "1281943"
        }
      }
    }
  }
}
Flink Authorization auditable event methods
Included here are operations authorizing principals to access, modify, delete, or create a Flink resource that generate auditable event messages for the io.confluent.flink.server/authorization event type.
Method name | Action triggering an auditable event message |
---|---|
flink.Authorize | A request to authorize a principal to access, modify, delete, or create a Flink resource. |
Examples
flink.Authorize
The flink.Authorize event method is triggered by a request to authorize a principal to access, modify, delete, or create a Flink resource (STATEMENT or WORKSPACE).
SUCCESS
{
  "cloudResources": [
    {
      "scope": {
        "resources": [
          {
            "resourceId": "49aea135-19f4-4e75-adb3-8ca5dd04e292",
            "type": "ORGANIZATION"
          },
          {
            "resourceId": "env-3ny01o",
            "type": "ENVIRONMENT"
          },
          {
            "resourceId": "azure.eastus2",
            "type": "FLINK_REGION"
          }
        ]
      },
      "resource": {
        "resourceId": "workspace-2024-03-07-030236-92003e1d-1abf-4401-bbfb-57b6b9ead5de",
        "type": "STATEMENT"
      }
    }
  ],
  "authorizationInfo": {
    "resourceName": "workspace-2024-03-07-030236-92003e1d-1abf-4401-bbfb-57b6b9ead5de",
    "operation": "Describe",
    "resourceType": "STATEMENT",
    "rbacAuthorization": {
      "patternType": "LITERAL",
      "resourceType": "Statement",
      "actingPrincipal": {
        "group": {
          "resourceId": "group-Xmgn"
        }
      },
      "role": "FlinkAdmin",
      "patternName": "*",
      "operation": "Describe",
      "cloudScope": {
        "resources": [
          {
            "resourceId": "49aea135-19f4-4e75-adb3-8ca5dd04e292",
            "type": "ORGANIZATION"
          },
          {
            "resourceId": "env-3px32m",
            "type": "ENVIRONMENT"
          }
        ]
      }
    },
    "result": "ALLOW"
  },
  "request": {
    "accessType": "READ_ONLY"
  },
  "internalServiceName": "crn://confluent.cloud/organization=49afb126-18f4-4e76-adb3-8ca5dd04e393/environment=env-3px32m/flink-region=azure.eastus2",
  "authenticationInfo": {
    "exposure": "CUSTOMER",
    "identity": "crn://confluent.cloud/organization=49afb126-18f4-4e76-adb3-8ca5dd04e393/identity-provider=Confluent/identity=u-nqxk78",
    "principal": {
      "confluentUser": {
        "resourceId": "u-nqxk78"
      }
    },
    "result": "SUCCESS"
  },
  "serviceName": "crn://confluent.cloud/organization=49afb126-18f4-4e76-adb3-8ca5dd04e393/environment=env-3px32m/flink-region=azure.eastus2",
  "methodName": "flink.Authorize",
  "requestMetadata": {
    "requestId": [
      "52107f4df7fce0356e278c20ce143418"
    ],
    "clientAddress": [
      {
        "ip": "1.2.3.4.5"
      }
    ]
  },
  "result": {
    "status": "SUCCESS"
  }
}
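The two record shapes above can be flattened into one row for triage. The following Python is an added example, not Confluent code: it accepts either the full envelope (payload under "data") or the bare payload, and checks that the client address parses as an IP. The sample records and their IDs are constructed, and "DENY" is an assumed non-ALLOW value, since this page shows only SUCCESS and ALLOW.

```python
import ipaddress

AUTHZ = "flink.Authorize"

def valid_ip(raw):
    """True only if raw parses as an IPv4/IPv6 address ("1.2.3.4.5" does not)."""
    try:
        ipaddress.ip_address(str(raw))
        return True
    except ValueError:
        return False

def principal(auth):
    """Caller ID from whichever authenticationInfo field the record carries."""
    user = auth.get("principal", {}).get("confluentUser", {}).get("resourceId")
    token = auth.get("credentials", {}).get("idTokenCredentials", {}).get("subject")
    return user or token

def normalize(record):
    """Flatten one record; accepts the full envelope or the bare "data" payload."""
    p = record.get("data", record)
    auth, authz = p.get("authenticationInfo", {}), p.get("authorizationInfo", {})
    res = (p.get("cloudResources") or [{}])[0].get("resource", {})
    ip = (p.get("requestMetadata", {}).get("clientAddress") or [{}])[0].get("ip")
    # Authorization outcome is read from authorizationInfo.result, authentication
    # outcome from authenticationInfo.result; result.status is not used here.
    outcome = authz.get("result") if p.get("methodName") == AUTHZ else auth.get("result")
    return {
        "method": p.get("methodName"), "principal": principal(auth),
        "ip": ip, "ip_valid": valid_ip(ip),
        "resource": f'{res.get("type")}/{res.get("resourceId")}',
        "operation": authz.get("operation"), "outcome": outcome,
        # Only SUCCESS and ALLOW appear on the page; anything else is surfaced.
        "needs_review": outcome not in ("SUCCESS", "ALLOW"),
    }

# Constructed samples, trimmed to the fields read above. IDs are placeholders
# and "DENY" is an assumed value.
SAMPLES = [
    {"type": "io.confluent.flink.server/authentication", "data": {
        "methodName": "flink.Authenticate",
        "requestMetadata": {"clientAddress": [{"ip": "192.0.2.10"}]},
        "cloudResources": [{"resource": {"type": "FLINK_REGION", "resourceId": "AWS.eu-central-1"}}],
        "authenticationInfo": {"result": "SUCCESS", "credentials": {
            "idTokenCredentials": {"type": "JWT", "subject": "1000001"}}}}},
    {"methodName": AUTHZ,
     "requestMetadata": {"clientAddress": [{"ip": "1.2.3.4.5"}]},
     "cloudResources": [{"resource": {"type": "STATEMENT", "resourceId": "stmt-example"}}],
     "authenticationInfo": {"result": "SUCCESS", "principal": {"confluentUser": {"resourceId": "u-example"}}},
     "authorizationInfo": {"operation": "Describe", "result": "DENY"}},
]
```

Calling normalize on each entry of SAMPLES returns one dict per record; rows with needs_review set, or with ip_valid false, are the ones to look at first.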