Role-Based Access Control Auditable Event Methods for Confluent Cloud
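The following actions on role-based access control (RBAC) resources generate
auditable event messages of the io.confluent.cloud/request event type. When one
of these actions occurs, the corresponding auditable event method is triggered
and a message is sent to the audit log, where it is stored as an audit log
record. In the examples below, the outcome of the request is reported in
data.result.status; data.authenticationInfo.result is SUCCESS in every example,
including the FAILURE ones, so a filter for failed RBAC changes should match on
data.result.status rather than on the authentication result.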
Method name | Action triggering an auditable event message |
---|---|
BindRoleForPrincipal | A request to bind a role for a principal. |
UnbindRoleForPrincipal | A request to unbind or remove a role binding for a principal. |
UnbindAllRolesForPrincipal | A request to unbind all role bindings for a principal. |
GrantRoleResourcesForPrincipal | A request to incrementally grant access to resources for a principal using the specified role. |
RevokeRoleResourcesForPrincipal | A request to incrementally revoke or remove access to resources for a principal using the specified role. |
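BindRoleForPrincipal
The BindRoleForPrincipal event is generated by a request to bind a role for a
principal. In the examples, the role and the principal named in the request
appear under data.request.data as role_name and target_principal.
Examples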
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "BindRoleForPrincipal",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-0jwmy2"
}
]
},
"resource": {
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-pj58rm"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"79530e62473965a37904ac08d9512944"
],
"clientAddress": [
{
"ip": "134.238.9.157"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "CloudClusterAdmin",
"target_principal": "User:sa-nrww0v"
}
},
"result": {
"status": "SUCCESS"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm",
"specversion": "1.0",
"id": "d5f26499-7777-4688-b0be-ae76a4809667",
"source": "crn://confluent.cloud/",
"time": "2022-09-15T12:39:59.505Z",
"type": "io.confluent.cloud/request"
}
FAILURE
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "BindRoleForPrincipal",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-0jwmy2"
}
]
},
"resource": {
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-pj58rm"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"79530e62473965a37904ac08d9512944"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "CloudClusterAdmin",
"target_principal": "User:sa-nrww0v"
}
},
"result": {
"status": "FAILURE"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm",
"specversion": "1.0",
"id": "d5f26499-7777-4688-b0be-ae76a4809667",
"source": "crn://confluent.cloud/",
"time": "2022-09-15T12:39:59.505Z",
"type": "io.confluent.cloud/request"
}
—
UnbindRoleForPrincipal
The UnbindRoleForPrincipal event is generated by a request to unbind, or
remove, a role from a principal. If the principal has no role binding for that
role, the request is a no-op.
Examples
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "UnbindRoleForPrincipal",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-0jwmy2"
}
]
},
"resource": {
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-pj58rm"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"b33d77236b7a99a7cd5e88e55e807390"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "CloudClusterAdmin",
"target_principal": "User:sa-nrww0v"
}
},
"result": {
"status": "SUCCESS"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm",
"specversion": "1.0",
"id": "83b0ca11-9976-4ee9-8e54-ed513a29f444",
"source": "crn://confluent.cloud/",
"time": "2022-09-15T12:52:13.032Z",
"type": "io.confluent.cloud/request"
}
FAILURE
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "UnbindRoleForPrincipal",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-0jwmy2"
}
]
},
"resource": {
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-pj58rm"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"b33d77236b7a99a7cd5e88e55e807390"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "CloudClusterAdmin",
"target_principal": "User:sa-nrww0v"
}
},
"result": {
"status": "FAILURE"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm",
"specversion": "1.0",
"id": "83b0ca11-9976-4ee9-8e54-ed513a29f444",
"source": "crn://confluent.cloud/",
"time": "2022-09-15T12:52:13.032Z",
"type": "io.confluent.cloud/request"
}
UnbindAllRolesForPrincipal
The UnbindAllRolesForPrincipal event is generated by a request to unbind, or
remove, all role bindings for a principal.
Examples
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "UnbindAllRolesForPrincipal",
"cloudResources": [
{
"resource": {
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"98817a254a07520f866c281c0b54ea10"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "all",
"target_principal": "User:sa-nrww0v"
}
},
"result": {
"status": "SUCCESS"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa",
"specversion": "1.0",
"id": "6368ed47-462b-4af4-be99-a57d94d03113",
"source": "crn://confluent.cloud/",
"time": "2022-09-14T07:53:05.332Z",
"type": "io.confluent.cloud/request"
}
FAILURE
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "UnbindAllRolesForPrincipal",
"cloudResources": [
{
"resource": {
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"98817a254a07520f866c281c0b54ea10"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "all",
"target_principal": "User:sa-nrww0v"
}
},
"result": {
"status": "FAILURE"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa",
"specversion": "1.0",
"id": "6368ed47-462b-4af4-be99-a57d94d03113",
"source": "crn://confluent.cloud/",
"time": "2022-09-14T07:53:05.332Z",
"type": "io.confluent.cloud/request"
}
GrantRoleResourcesForPrincipal
The GrantRoleResourcesForPrincipal event is generated by a request to
incrementally grant access to resources for a principal using the specified role.
Examples
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "GrantRoleResourcesForPrincipal",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-0jwmy2"
},
{
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-pj58rm"
}
]
},
"resource": {
"type": "KAFKA_CLUSTER",
"resourceId": "lkc-pj58rm"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"d8e79cba798d5bfc24019c9401047a31"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "ResourceOwner",
"target_principal": "User:u-nxd3q3",
"resource_patterns": [
{
"resource_type": "Topic",
"name": "*",
"pattern_type": "LITERAL"
}
]
}
},
"result": {
"status": "SUCCESS"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm/kafka-cluster=lkc-pj58rm"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm/kafka-cluster=lkc-pj58rm",
"specversion": "1.0",
"id": "f7c652ef-6fd3-435e-8882-18cfd7be9983",
"source": "crn://confluent.cloud/",
"time": "2022-09-15T13:58:19.648Z",
"type": "io.confluent.cloud/request"
}
FAILURE
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "GrantRoleResourcesForPrincipal",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-0jwmy2"
}
]
},
"resource": {
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-pj58rm"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"9697546d7e7e51b882cfc162c0a4bbff"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "ResourceOwner",
"target_principal": "User:sa-nrww0v",
"resource_patterns": [
{
"resource_type": "Topic",
"name": "myTopic1",
"pattern_type": "LITERAL"
}
]
}
},
"result": {
"status": "FAILURE"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm",
"specversion": "1.0",
"id": "ea9be2fc-46e7-4865-b389-b6841a04b5ad",
"source": "crn://confluent.cloud/",
"time": "2022-09-15T13:59:12.787Z",
"type": "io.confluent.cloud/request"
}
RevokeRoleResourcesForPrincipal
The RevokeRoleResourcesForPrincipal event is generated by a request to
incrementally revoke, or remove, access to resources for a principal using
the specified role.
Examples
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "RevokeRoleResourcesForPrincipal",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-0jwmy2"
},
{
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-pj58rm"
}
]
},
"resource": {
"type": "KAFKA_CLUSTER",
"resourceId": "lkc-pj58rm"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"8632a6b0c78d5181fdff932861cd7bf9"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "ResourceOwner",
"target_principal": "User:u-nxd3q3",
"resource_patterns": [
{
"resource_type": "Topic",
"name": "*",
"pattern_type": "LITERAL"
}
]
}
},
"result": {
"status": "SUCCESS"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm/kafka-cluster=lkc-pj58rm"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm/kafka-cluster=lkc-pj58rm",
"specversion": "1.0",
"id": "5d41ac2c-208c-43b2-a8af-ec397b95ed12",
"source": "crn://confluent.cloud/",
"time": "2022-09-15T13:53:04.941Z",
"type": "io.confluent.cloud/request"
}
FAILURE
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "RevokeRoleResourcesForPrincipal",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "7d1d8d97-7a7c-47d0-b62f-352feb13e7aa"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-0jwmy2"
}
]
},
"resource": {
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-pj58rm"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "User:u-nxd3q3"
}
},
"result": "SUCCESS"
},
"requestMetadata": {
"requestId": [
"7f0baf2fdc63055143b320aa543ca987"
],
"clientAddress": [
{
"ip": "1.2.3.4"
}
]
},
"request": {
"accessType": "MODIFICATION",
"data": {
"api_version": "1.9",
"display_name": "principals",
"role_name": "ResourceOwner",
"target_principal": "User:sa-nrww0v",
"resource_patterns": [
{
"resource_type": "Topic",
"name": "myTopic1",
"pattern_type": "LITERAL"
}
]
}
},
"result": {
"status": "FAILURE"
},
"resourceName": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm"
},
"subject": "crn://confluent.cloud/organization=7d1d8d97-7a7c-47d0-b62f-352feb13e7aa/environment=env-0jwmy2/cloud-cluster=lkc-pj58rm",
"specversion": "1.0",
"id": "521030da-9430-4196-9592-6100cff35119",
"source": "crn://confluent.cloud/",
"time": "2022-09-15T13:55:58.627Z",
"type": "io.confluent.cloud/request"
}