ksqlDB Cluster Authentication and Authorization Auditable Event Methods on Confluent Cloud
Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on ksqlDB clusters. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.
Note
When group mapping is enabled, additional properties are included in authenticationInfo (identity) and in authorizationInfo (assignedPrincipals and actingPrincipal; in the example below, actingPrincipal is nested under rbacAuthorization).
Authentication Auditable Event Methods
Included here are the actions or operations for authentication to a ksqlDB cluster resource that generate auditable event messages for the io.confluent.ksql.server/authentication event type.
| Method name | Action triggering an auditable event message |
|---|---|
| ksql.Authenticate | A request for authentication to a ksqlDB cluster. |
Examples
ksql.Authenticate
The ksql.Authenticate event method is triggered by a request for authentication to a ksqlDB cluster.
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "ksql.Authenticate",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-kk1ndv"
},
{
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-9g7o8y"
}
]
},
"resource": {
"type": "KSQL",
"resourceId": "ksqlDB_cluster_0"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "u-8k9y9q"
}
},
"result": "SUCCESS",
"credentials": {
"idTokenCredentials": {
"type": "JWT",
"issuer": "Confluent",
"subject": "2927000"
},
"mechanism": "HTTP_BEARER"
}
},
"requestMetadata": {
"requestId": [
"47f7dcf4-9326-11ed-b79b-8de1d6035cf7"
]
},
"resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
},
"subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
"specversion": "1.0",
"id": "310be38c-17a4-43bb-912c-3b6fd1aa43f2",
"source": "crn://confluent.cloud/",
"time": "2023-01-13T09:40:14.383Z",
"type": "io.confluent.ksql.server/authentication"
}
Authorization Auditable Event Methods
Included here are the actions or operations for authorization on a ksqlDB cluster resource that generate auditable event messages for the io.confluent.ksql.server/authorization event type.
| Method name | Action triggering an auditable event message |
|---|---|
| ksql.Authorize | A request for authorization on a ksqlDB cluster. |
Examples
ksql.Authorize
The ksql.Authorize event method is triggered by a request for authorization on a ksqlDB cluster.
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "ksql.Authorize",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-kk1ndv"
},
{
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-9g7o8y"
}
]
},
"resource": {
"type": "KSQL",
"resourceId": "ksqlDB_cluster_0"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "u-8k9y9q"
}
},
"result": "SUCCESS"
},
"authorizationInfo": {
"result": "ALLOW",
"operation": "Contribute",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"cloudScope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
}
]
},
"resourceType": "KsqlCluster",
"patternType": "LITERAL",
"patternName": "*",
"operation": "All"
},
"resourceName": "ksqlDB_cluster_0",
"resourceType": "KsqlCluster"
},
"requestMetadata": {
"requestId": [
"94554576-9326-11ed-b79b-8de1d6035cf7"
]
},
"request": {
"accessType": "READ_ONLY"
},
"resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
},
"subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
"specversion": "1.0",
"id": "218a08c0-267e-46b4-84ed-344071bcd12e",
"source": "crn://confluent.cloud/",
"time": "2023-01-13T09:42:22.515Z",
"type": "io.confluent.ksql.server/authorization"
}
SUCCESS (group mapping enabled)
{
"datacontenttype":"application/json",
"data":{
"serviceName":"crn://confluent.cloud/",
"methodName":"ksql.Authorize",
"cloudResources":[
{
"scope":{
"resources":[
{
"type":"ORGANIZATION",
"resourceId":"3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
},
{
"type":"ENVIRONMENT",
"resourceId":"env-kk1ndv"
},
{
"type":"CLOUD_CLUSTER",
"resourceId":"lkc-9g7o8y"
}
]
},
"resource":{
"type":"KSQL",
"resourceId":"ksqlDB_cluster_0"
}
}
],
"authenticationInfo":{
"principal":{
"confluentUser":{
"resourceId":"u-8k9y9q"
}
},
"result":"SUCCESS",
"identity":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/sso-connection=aupm-connection/identity=user@confluent.io"
},
"authorizationInfo":{
"result":"ALLOW",
"operation":"Contribute",
"rbacAuthorization":{
"role":"OrganizationAdmin",
"cloudScope":{
"resources":[
{
"type":"ORGANIZATION",
"resourceId":"3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
}
]
},
"resourceType":"KsqlCluster",
"patternType":"LITERAL",
"patternName":"*",
"operation":"All",
"actingPrincipal":"User:u-123"
},
"resourceName":"ksqlDB_cluster_0",
"resourceType":"KsqlCluster",
"assignedPrincipals":[
"u-123",
"group-123"
]
},
"requestMetadata":{
"requestId":[
"94554576-9326-11ed-b79b-8de1d6035cf7"
]
},
"request":{
"accessType":"READ_ONLY"
},
"resourceName":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
},
"subject":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
"specversion":"1.0",
"id":"218a08c0-267e-46b4-84ed-344071bcd12e",
"source":"crn://confluent.cloud/",
"time":"2023-01-13T09:42:22.515Z",
"type":"io.confluent.ksql.server/authorization"
}
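FAILURE - Denied access based on authorization permissions
In this record authenticationInfo.result is still SUCCESS; the denial is reported in authorizationInfo.result (DENY), and no rbacAuthorization block is present. Alerting on denied access should therefore key on authorizationInfo.result rather than on the authentication result.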
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "ksql.Authorize",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-kk1ndv"
},
{
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-9g7o8y"
}
]
},
"resource": {
"type": "KSQL",
"resourceId": "ksqlDB_cluster_1"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "u-znvyny"
}
},
"result": "SUCCESS"
},
"authorizationInfo": {
"result": "DENY",
"operation": "Contribute",
"resourceName": "ksqlDB_cluster_1",
"resourceType": "KsqlCluster"
},
"requestMetadata": {
"requestId": [
"08e66344-9680-11ed-a1d4-e30e47852d27"
]
},
"request": {
"accessType": "READ_ONLY"
},
"resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_1"
},
"subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_1",
"specversion": "1.0",
"id": "7a3a7d7a-7194-4895-b8be-9951380aac47",
"source": "crn://confluent.cloud/",
"time": "2023-01-17T16:00:16.771Z",
"type": "io.confluent.ksql.server/authorization"
}