ksqlDB Cluster Authentication and Authorization Auditable Event Methods on Confluent Cloud


Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on ksqlDB clusters. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.

Note

When group mapping is enabled, additional properties are included in the audit log record: identity in authenticationInfo, and assignedPrincipals and actingPrincipal in authorizationInfo. The identity property records the SSO identity that was mapped to the Confluent user, and assignedPrincipals lists the user and group principals that carry the role binding that granted (or was evaluated for) the request; see the "SUCCESS (group mapping enabled)" example below.

Authentication Auditable Event Methods

Included here are the actions or operations for authentication to a ksqlDB cluster resource that generate auditable event messages for the io.confluent.ksql.server/authentication event type.

Method name Action triggering an auditable event message
ksql.Authenticate A request for authentication to a ksqlDB cluster.

Examples

ksql.Authenticate

The ksql.Authenticate event method is triggered by a request for authentication to a ksqlDB cluster. In addition to the authenticated principal and the result, the authenticationInfo block records how the caller authenticated: the credentials.mechanism (for example, HTTP_BEARER) and, for token-based authentication, the idTokenCredentials type, issuer, and subject of the presented token.

SUCCESS
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "ksql.Authenticate",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-kk1ndv"
            },
            {
              "type": "CLOUD_CLUSTER",
              "resourceId": "lkc-9g7o8y"
            }
          ]
        },
        "resource": {
          "type": "KSQL",
          "resourceId": "ksqlDB_cluster_0"
        }
      }
    ],
    "authenticationInfo": {
      "principal": {
        "confluentUser": {
          "resourceId": "u-8k9y9q"
        }
      },
      "result": "SUCCESS",
      "credentials": {
        "idTokenCredentials": {
          "type": "JWT",
          "issuer": "Confluent",
          "subject": "2927000"
        },
        "mechanism": "HTTP_BEARER"
      }
    },
    "requestMetadata": {
      "requestId": [
        "47f7dcf4-9326-11ed-b79b-8de1d6035cf7"
      ]
    },
    "resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
  },
  "subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
  "specversion": "1.0",
  "id": "310be38c-17a4-43bb-912c-3b6fd1aa43f2",
  "source": "crn://confluent.cloud/",
  "time": "2023-01-13T09:40:14.383Z",
  "type": "io.confluent.ksql.server/authentication"
}

Authorization Auditable Event Methods

Included here are the actions or operations for authorization requests on a ksqlDB cluster resource that generate auditable event messages for the io.confluent.ksql.server/authorization event type.

Method name Action triggering an auditable event message
ksql.Authorize A request for authorization on a ksqlDB cluster.

Examples

ksql.Authorize

The ksql.Authorize event method is triggered by a request for authorization on a ksqlDB cluster. The access decision is recorded in authorizationInfo.result (ALLOW or DENY), together with the requested operation and the target resourceName and resourceType. Note that an authorization record for a denied request still reports authenticationInfo.result as SUCCESS: the caller was authenticated but lacked a role binding for the operation, so when filtering for denied access you should match on authorizationInfo.result rather than on the authentication result. When the request is allowed, the rbacAuthorization block identifies the role, its scope, and the resource pattern that granted access.

SUCCESS
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "ksql.Authorize",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-kk1ndv"
            },
            {
              "type": "CLOUD_CLUSTER",
              "resourceId": "lkc-9g7o8y"
            }
          ]
        },
        "resource": {
          "type": "KSQL",
          "resourceId": "ksqlDB_cluster_0"
        }
      }
    ],
    "authenticationInfo": {
      "principal": {
        "confluentUser": {
          "resourceId": "u-8k9y9q"
        }
      },
      "result": "SUCCESS"
    },
    "authorizationInfo": {
      "result": "ALLOW",
      "operation": "Contribute",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "cloudScope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
            }
          ]
        },
        "resourceType": "KsqlCluster",
        "patternType": "LITERAL",
        "patternName": "*",
        "operation": "All"
      },
      "resourceName": "ksqlDB_cluster_0",
      "resourceType": "KsqlCluster"
    },
    "requestMetadata": {
      "requestId": [
        "94554576-9326-11ed-b79b-8de1d6035cf7"
      ]
    },
    "request": {
      "accessType": "READ_ONLY"
    },
    "resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
  },
  "subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
  "specversion": "1.0",
  "id": "218a08c0-267e-46b4-84ed-344071bcd12e",
  "source": "crn://confluent.cloud/",
  "time": "2023-01-13T09:42:22.515Z",
  "type": "io.confluent.ksql.server/authorization"
}
SUCCESS (group mapping enabled)
{
   "datacontenttype":"application/json",
   "data":{
      "serviceName":"crn://confluent.cloud/",
      "methodName":"ksql.Authorize",
      "cloudResources":[
         {
            "scope":{
               "resources":[
                  {
                     "type":"ORGANIZATION",
                     "resourceId":"3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
                  },
                  {
                     "type":"ENVIRONMENT",
                     "resourceId":"env-kk1ndv"
                  },
                  {
                     "type":"CLOUD_CLUSTER",
                     "resourceId":"lkc-9g7o8y"
                  }
               ]
            },
            "resource":{
               "type":"KSQL",
               "resourceId":"ksqlDB_cluster_0"
            }
         }
      ],
      "authenticationInfo":{
         "principal":{
            "confluentUser":{
               "resourceId":"u-8k9y9q"
            }
         },
         "result":"SUCCESS",
         "identity":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/sso-connection=aupm-connection/identity=user@confluent.io"
      },
      "authorizationInfo":{
         "result":"ALLOW",
         "operation":"Contribute",
         "rbacAuthorization":{
            "role":"OrganizationAdmin",
            "cloudScope":{
               "resources":[
                  {
                     "type":"ORGANIZATION",
                     "resourceId":"3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
                  }
               ]
            },
            "resourceType":"KsqlCluster",
            "patternType":"LITERAL",
            "patternName":"*",
            "operation":"All",
            "actingPrincipal":"User:u-123"
         },
         "resourceName":"ksqlDB_cluster_0",
         "resourceType":"KsqlCluster",
         "assignedPrincipals":[
            "u-123",
            "group-123"
         ]
      },
      "requestMetadata":{
         "requestId":[
            "94554576-9326-11ed-b79b-8de1d6035cf7"
         ]
      },
      "request":{
         "accessType":"READ_ONLY"
      },
      "resourceName":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
   },
   "subject":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
   "specversion":"1.0",
   "id":"218a08c0-267e-46b4-84ed-344071bcd12e",
   "source":"crn://confluent.cloud/",
   "time":"2023-01-13T09:42:22.515Z",
   "type":"io.confluent.ksql.server/authorization"
}
FAILURE - Denied access based on authorization permissions
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "ksql.Authorize",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-kk1ndv"
            },
            {
              "type": "CLOUD_CLUSTER",
              "resourceId": "lkc-9g7o8y"
            }
          ]
        },
        "resource": {
          "type": "KSQL",
          "resourceId": "ksqlDB_cluster_1"
        }
      }
    ],
    "authenticationInfo": {
      "principal": {
        "confluentUser": {
          "resourceId": "u-znvyny"
        }
      },
      "result": "SUCCESS"
    },
    "authorizationInfo": {
      "result": "DENY",
      "operation": "Contribute",
      "resourceName": "ksqlDB_cluster_1",
      "resourceType": "KsqlCluster"
    },
    "requestMetadata": {
      "requestId": [
        "08e66344-9680-11ed-a1d4-e30e47852d27"
      ]
    },
    "request": {
      "accessType": "READ_ONLY"
    },
    "resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_1"
  },
  "subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_1",
  "specversion": "1.0",
  "id": "7a3a7d7a-7194-4895-b8be-9951380aac47",
  "source": "crn://confluent.cloud/",
  "time": "2023-01-17T16:00:16.771Z",
  "type": "io.confluent.ksql.server/authorization"
}