ksqlDB Cluster Authentication and Authorization Auditable Event Methods on Confluent Cloud

Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on ksqlDB clusters. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.

Note

When group mapping is enabled, additional properties are included in authenticationInfo (identity) and in authorizationInfo (assignedPrincipals and actingPrincipal).

Authentication

The following actions or operations for authentication to a ksqlDB cluster resource generate auditable event messages for the io.confluent.ksql.server/authentication event type.

Method name

Action triggering an auditable event message

ksql.Authenticate

A request for authentication to a ksqlDB cluster.

ksql.Authenticate

The ksql.Authenticate event is generated by a request for authentication to a ksqlDB cluster.

To view an example event message, expand the following dropdown:

Success
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "ksql.Authenticate",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-kk1ndv"
            },
            {
              "type": "CLOUD_CLUSTER",
              "resourceId": "lkc-9g7o8y"
            }
          ]
        },
        "resource": {
          "type": "KSQL",
          "resourceId": "ksqlDB_cluster_0"
        }
      }
    ],
    "authenticationInfo": {
      "principal": {
        "confluentUser": {
          "resourceId": "u-8k9y9q"
        }
      },
      "result": "SUCCESS",
      "credentials": {
        "idTokenCredentials": {
          "type": "JWT",
          "issuer": "Confluent",
          "subject": "2927000"
        },
        "mechanism": "HTTP_BEARER"
      }
    },
    "requestMetadata": {
      "requestId": [
        "47f7dcf4-9326-11ed-b79b-8de1d6035cf7"
      ]
    },
    "resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
  },
  "subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
  "specversion": "1.0",
  "id": "310be38c-17a4-43bb-912c-3b6fd1aa43f2",
  "source": "crn://confluent.cloud/",
  "time": "2023-01-13T09:40:14.383Z",
  "type": "io.confluent.ksql.server/authentication"
}

Authorization

The following actions or operations on authorization of a ksqlDB cluster resource generate auditable event messages for the io.confluent.ksql.server/authorization event type.

Method name

Action triggering an auditable event message

ksql.Authorize

A request for authorization on a ksqlDB cluster.

ksql.Authorize

The ksql.Authorize event is generated by a request for authorization on a ksqlDB cluster.

To view example event messages, expand the following dropdowns:

Success: Group mapping disabled
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "ksql.Authorize",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-kk1ndv"
            },
            {
              "type": "CLOUD_CLUSTER",
              "resourceId": "lkc-9g7o8y"
            }
          ]
        },
        "resource": {
          "type": "KSQL",
          "resourceId": "ksqlDB_cluster_0"
        }
      }
    ],
    "authenticationInfo": {
      "principal": {
        "confluentUser": {
          "resourceId": "u-8k9y9q"
        }
      },
      "result": "SUCCESS"
    },
    "authorizationInfo": {
      "result": "ALLOW",
      "operation": "Contribute",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "cloudScope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
            }
          ]
        },
        "resourceType": "KsqlCluster",
        "patternType": "LITERAL",
        "patternName": "*",
        "operation": "All"
      },
      "resourceName": "ksqlDB_cluster_0",
      "resourceType": "KsqlCluster"
    },
    "requestMetadata": {
      "requestId": [
        "94554576-9326-11ed-b79b-8de1d6035cf7"
      ]
    },
    "request": {
      "accessType": "READ_ONLY"
    },
    "resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
  },
  "subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
  "specversion": "1.0",
  "id": "218a08c0-267e-46b4-84ed-344071bcd12e",
  "source": "crn://confluent.cloud/",
  "time": "2023-01-13T09:42:22.515Z",
  "type": "io.confluent.ksql.server/authorization"
}
Success: Group mapping enabled
{
   "datacontenttype":"application/json",
   "data":{
      "serviceName":"crn://confluent.cloud/",
      "methodName":"ksql.Authorize",
      "cloudResources":[
         {
            "scope":{
               "resources":[
                  {
                     "type":"ORGANIZATION",
                     "resourceId":"3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
                  },
                  {
                     "type":"ENVIRONMENT",
                     "resourceId":"env-kk1ndv"
                  },
                  {
                     "type":"CLOUD_CLUSTER",
                     "resourceId":"lkc-9g7o8y"
                  }
               ]
            },
            "resource":{
               "type":"KSQL",
               "resourceId":"ksqlDB_cluster_0"
            }
         }
      ],
      "authenticationInfo":{
         "principal":{
            "confluentUser":{
               "resourceId":"u-8k9y9q"
            }
         },
         "result":"SUCCESS",
         "identity":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/sso-connection=aupm-connection/identity=user@confluent.io"
      },
      "authorizationInfo":{
         "result":"ALLOW",
         "operation":"Contribute",
         "rbacAuthorization":{
            "role":"OrganizationAdmin",
            "cloudScope":{
               "resources":[
                  {
                     "type":"ORGANIZATION",
                     "resourceId":"3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
                  }
               ]
            },
            "resourceType":"KsqlCluster",
            "patternType":"LITERAL",
            "patternName":"*",
            "operation":"All",
            "actingPrincipal":"User:u-123"
         },
         "resourceName":"ksqlDB_cluster_0",
         "resourceType":"KsqlCluster",
         "assignedPrincipals":[
            "u-123",
            "group-123"
         ]
      },
      "requestMetadata":{
         "requestId":[
            "94554576-9326-11ed-b79b-8de1d6035cf7"
         ]
      },
      "request":{
         "accessType":"READ_ONLY"
      },
      "resourceName":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
   },
   "subject":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
   "specversion":"1.0",
   "id":"218a08c0-267e-46b4-84ed-344071bcd12e",
   "source":"crn://confluent.cloud/",
   "time":"2023-01-13T09:42:22.515Z",
   "type":"io.confluent.ksql.server/authorization"
}
Failure: Denied access based on authorization permissions
{
  "datacontenttype": "application/json",
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "ksql.Authorize",
    "cloudResources": [
      {
        "scope": {
          "resources": [
            {
              "type": "ORGANIZATION",
              "resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
            },
            {
              "type": "ENVIRONMENT",
              "resourceId": "env-kk1ndv"
            },
            {
              "type": "CLOUD_CLUSTER",
              "resourceId": "lkc-9g7o8y"
            }
          ]
        },
        "resource": {
          "type": "KSQL",
          "resourceId": "ksqlDB_cluster_1"
        }
      }
    ],
    "authenticationInfo": {
      "principal": {
        "confluentUser": {
          "resourceId": "u-znvyny"
        }
      },
      "result": "SUCCESS"
    },
    "authorizationInfo": {
      "result": "DENY",
      "operation": "Contribute",
      "resourceName": "ksqlDB_cluster_1",
      "resourceType": "KsqlCluster"
    },
    "requestMetadata": {
      "requestId": [
        "08e66344-9680-11ed-a1d4-e30e47852d27"
      ]
    },
    "request": {
      "accessType": "READ_ONLY"
    },
    "resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_1"
  },
  "subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_1",
  "specversion": "1.0",
  "id": "7a3a7d7a-7194-4895-b8be-9951380aac47",
  "source": "crn://confluent.cloud/",
  "time": "2023-01-17T16:00:16.771Z",
  "type": "io.confluent.ksql.server/authorization"
}