Provide Stream Shares from Confluent Cloud
As a data provider, you can send invites and revoke access to shared data using the Confluent Cloud Console, the Confluent CLI or REST APIs.
Additionally, you can describe the data you share with format and organization information, so that its origin is clear to consumers.
To share data, you must be an administrator in your Confluent Cloud organization or environment.
If you are using role-based access control (RBAC), you must have one of the following roles to initiate data sharing:
Enable Stream Sharing
There are some prerequisites before an organization can share data.
- An administrator must select a Stream Governance package for the Confluent Cloud account, if they haven’t already. For more about Stream Governance, see Manage Stream Governance Packages in Confluent Cloud.
- An administrator must enable the Stream Sharing feature.
- To share schema-enabled topics, your organization must use Confluent Cloud Schema Registry. If you are using the self-managed Schema Registry, you cannot share schema-enabled topics with Stream Sharing.
- To share data without a schema, you do not need Confluent Cloud Schema Registry.
To enable Stream Sharing:
Sign into the Confluent Cloud console.
From the administration menu in the upper right, select an organization to display the Organizations page.
On the Organizations page, choose the organization you want to enable. On the organization page, toggle Stream Sharing on.
Stream shares
Once Stream Sharing has been enabled for your Confluent Cloud organization, you can easily share data by inviting users through email. To enable Stream Sharing, you must be an administrator for the organization, environment, or cluster. You can send one invitation to an email address. If a consumer cannot access their email invitation, resend the invitation. You can send invitations as often as you like until the invitation has been accepted. Once an invitation has been accepted, generating additional invitations results in an error.
Invitations contain a token for authentication. The token is automatically generated and added to the invitation. A token is redeemable only once.
The consumer uses the token to obtain an API key and secret. The API key and secret provide the user with read-only access to your shared topics and schemas. We restrict access to your resources with an internal service account and role-based access control (RBAC). To restrict access to your data, we bind the internal service account to these internal RBAC roles:
- StreamShareRead - provides read access to shared topics.
- Allows consumers to read topics and groups
- StreamShareSchemaRegistryRead - provides read access to the Schema Registry subject.
- Allows consumers to read Schema Registry subjects
Note
You can’t directly use the internal Stream Sharing RBAC service account or the associated RBAC roles.
The following examples show you how to share a stream with an email invitation.
In Cloud Console, you can share data from either Topics or the Confluent Cloud main page.
Sign in to Confluent Cloud with an administrator account.
Select the environment and cluster that contains the topic you want to share.
Click Topics in the navigation menu.
On the Topics page, take one of the following actions:
- Hover over the topic you want to share and select the Share icon to the right of the topic information.
- Select a topic and then select the Share button in the upper right.
- Select a topic, select Explore Stream Lineage, select the topic node, and select the Share button in the upper right.
If you are not an administrator for the cluster, environment, or organization that contains the topic you want to share, you will not see the Share icon or button.
- Select Stream shares.
- Select Share a topic.
- Specify Environment, Cluster, Topic, and select Next.
Enter the email address of the person to whom you want to give read access to the topic. (Optional) You can also specify one or more Schema subjects to share with this account. Enter one email address at a time. If the email address is incorrectly formatted, you get an error.
Note
To view the status of all invitations to this topic, click Shared with. To resend or revoke invitations, click Manage invites.
Click Invite to send the invitation. A consumer will have seven days to access the data via the link provided, before the link expires. Once redeemed, the data share becomes active and remains so indefinitely until you revoke access or it is deleted (deactivated) by the consumer.
Note
To use the CLI for Stream Sharing, you must have CLI v3. For more information, see: Migrate to Confluent CLI v3
To share topics with the Confluent CLI:
Sign in to Confluent Cloud with an administrator account.
confluent login
Use the invite command to create an invite, specifying the environment and cluster that contains the topic to share, and the topic name. You will also specify the email address for the user you want to share the data with.
confluent stream-share provider invite create --email some-person@confluent.io --environment env-xyz123 --kafka-cluster lkc-10000 --topic users --schema-registry-subjects strings
Your response should resemble:
+----------------------------+----------------------------+
| ID                         | ss-3vpvd                   |
| Consumer Name              | some-person@confluent.io   |
| Consumer Organization Name |                            |
| Cloud                      | Another Person             |
| Status                     | INVITED                    |
| Delivery method            | Email                      |
| ServiceAccountId           |                            |
| SharedResourceId           |                            |
| Invited At                 | 2022-09-01 15:35:17.508228 |
|                            |                            |
| Redeemed At                |                            |
| Invite Expiration          | 2022-09-08 15:35:17.508228 |
+----------------------------+----------------------------+
To share data with the REST API for a schema-enabled cluster that includes a schema subject, send an HTTP POST call to the https://api.confluent.cloud/cdx/v1/provider-shares endpoint, specifying the environment, cluster, any schema subjects, and delivery method in a JSON payload.
POST /cdx/v1/provider-shares
{
  "delivery_method": "Email",
  "consumer_restriction": {
    "kind": "Email",
    "email": "user@example.com"
  },
  "resources": [
    "crn://confluent.cloud/environment=env-abc123/cloud-cluster=lkc-q55555/kafka=lkc-q55555/topic=users",
    "crn://confluent.cloud/environment=env-abc123/schema-registry=lsrc-12345/subject=users-value"
  ]
}
Schema subjects are optional but require a schema-enabled cluster.
Your response should resemble:
{
"api_version": "v1",
"cloud_cluster": {
"environment": "env-abc123",
"id": "lkc-q55555",
"related": "",
"resource_name": ""
},
"consumer_restriction": {
"email": "user@example.com",
"kind": "Email"
},
"consumer_user_name": "user@example.com",
"delivery_method": "Email",
"id": "ss-ex123",
"invite_expires_at": "2023-01-31T00:39:07.626255Z",
"invited_at": "2023-01-24T00:39:07.624591Z",
"kind": "ProviderShare",
"metadata": {
"created_at": "2023-01-24T00:39:07.624591Z",
"resource_name": "crn://confluent.cloud/organization=example-7abc-4abc-a123-123456789b19/environment=env-abc123/cloud-cluster=lkc-q55555/provider-share=ss-ex123",
"self": "https://api.confluent.cloud/cdx/v1/provider-shares/ss-ex123",
"updated_at": "2023-01-24T00:39:07.624591Z"
},
"provider_user": {
"id": "u-q50gkd",
"related": "",
"resource_name": ""
},
"provider_user_name": "rogert",
"service_account": {
"id": "",
"related": "",
"resource_name": ""
},
"status": {
"phase": "INVITED"
}
}
Note
If you share a topic from a cluster on a Confluent Cloud network, you are providing the email recipient with details on how to connect to your private Confluent Cloud network.
List stream shares
List the streams you have shared with other users.
Sign in to Confluent Cloud with an administrator account.
From the navigation menu, select Stream shares.
The Stream shares page opens.
View the list of shared streams in Data shared by you.
To view a list of data streams you have shared:
Sign in to Confluent Cloud with an administrator account.
confluent login
List the shares with the list command.
confluent stream-share provider share list
Your response should resemble:
To list shared data with an API, perform an HTTP GET against the https://api.confluent.cloud/cdx/v1/provider-shares URI.
The request must also include an authorization header that contains the API key and secret, base-64 encoded. For more, see Authentication.
An example request to list the shared data:
GET /cdx/v1/provider-shares
Your response should resemble:
{
"api_version": "v1",
"data": [
{
"api_version": "v1",
"cloud_cluster": {
"environment": "env-abc123",
"id": "lkc-q55555",
"related": "",
"resource_name": ""
},
"consumer_restriction": {
"email": "user@example.com",
"kind": "Email"
},
"consumer_user_name": "user@example.com",
"delivery_method": "Email",
"id": "ss-ex123",
"invite_expires_at": "2023-01-31T00:39:07.626255Z",
"invited_at": "2023-01-24T00:39:07.624591Z",
"kind": "ProviderShare",
"metadata": {
"created_at": "2023-01-24T00:39:07.624591Z",
"resource_name": "crn://confluent.cloud/organization=example-7abc-4abc-a123-123456789b19/environment=env-abc123/cloud-cluster=lkc-q55555/provider-share=ss-ex123",
"self": "https://api.confluent.cloud/cdx/v1/provider-shares/ss-ex123",
"updated_at": "2023-01-24T00:39:07.624591Z"
},
"provider_user": {
"id": "u-q50gkd",
"related": "",
"resource_name": ""
},
"provider_user_name": "rogert",
"service_account": {
"id": "",
"related": "",
"resource_name": ""
},
"status": {
"phase": "INVITED"
}
},
{
"api_version": "v1",
"cloud_cluster": {
"environment": "env-abc123",
"id": "lkc-q55555",
"related": "",
"resource_name": ""
},
"consumer_restriction": {
"email": "user@example.com",
"kind": "Email"
},
"consumer_user_name": "user@example.com",
"delivery_method": "Email",
"id": "ss-exabc",
"invite_expires_at": "2023-01-31T00:31:13.108718Z",
"invited_at": "2023-01-24T00:31:13.106964Z",
"kind": "ProviderShare",
"metadata": {
"created_at": "2023-01-24T00:31:13.106964Z",
"resource_name": "crn://confluent.cloud/organization=example-7abc-4abc-a123-123456789b19/environment=env-abc123/cloud-cluster=lkc-q55555/provider-share=ss-exabc",
"self": "https://api.confluent.cloud/cdx/v1/provider-shares/ss-exabc",
"updated_at": "2023-01-24T00:31:13.106964Z"
},
"provider_user": {
"id": "u-q50gkd",
"related": "",
"resource_name": ""
},
"provider_user_name": "rogert",
"service_account": {
"id": "",
"related": "",
"resource_name": ""
},
"status": {
"phase": "INVITED"
}
}
],
"kind": "ProviderShareList",
"metadata": {}
}
Revoke stream share access
You can revoke access to shared data with the Confluent Cloud Console by revoking access, or by deleting a share with the Confluent CLI or REST APIs.
Sign in to Confluent Cloud with an administrator account.
From the navigation menu, select Stream shares.
The Stream shares page opens.
In Data shared by you, select the data that you want to revoke access to.
Select the Shared with tab.
Select the account you want to revoke and click Revoke access.
To revoke access to shared data with the Confluent CLI:
Sign in to Confluent Cloud with an administrator account.
confluent login
If you don’t know the identifier for the share to delete, list the shares with the list command.
confluent stream-share provider share list
Choose the share to delete and use the delete command, specifying the share identifier.
confluent stream-share provider share delete ss-exabc
Your response should resemble:
Deleted provider share "ss-exabc".
Optionally list the shares as described in List stream shares to obtain the identifier for the share you want to delete.
Send an HTTP DELETE message to the https://api.confluent.cloud/cdx/v1/provider-shares URI, specifying the ID for the share to be deleted. This example deletes share ss-exabc.
The request must also include an authorization header that contains the API key and secret, base-64 encoded. For more, see Authentication.
DELETE /cdx/v1/provider-shares/ss-exabc
If the call succeeds, you will receive a 204 No Content in response.
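The list and revoke calls described above can be combined into a periodic access review. The following is an added example, not Confluent's code: it reads a list response in the format shown under List stream shares, flags shares whose consumer email domain is not approved or whose invitation expired unredeemed, and produces the DELETE targets for them. The allow-list, the helper names, the second consumer address, and the trimmed sample data are assumptions constructed for illustration; the header helper assumes the Base64-encoded key and secret are sent as HTTP Basic authentication.

```python
import base64
import json
from datetime import datetime, timezone

API = "https://api.confluent.cloud/cdx/v1/provider-shares"

# Constructed sample, trimmed to the fields this audit reads from the list response.
SAMPLE = json.loads("""
{"api_version": "v1", "kind": "ProviderShareList", "data": [
 {"id": "ss-ex123", "consumer_restriction": {"kind": "Email", "email": "user@example.com"},
  "invite_expires_at": "2023-01-31T00:39:07.626255Z", "status": {"phase": "INVITED"}},
 {"id": "ss-exabc", "consumer_restriction": {"kind": "Email", "email": "analyst@partner.example"},
  "invite_expires_at": "2023-01-31T00:31:13.108718Z", "status": {"phase": "INVITED"}}
]}
""")

def basic_auth_header(api_key, api_secret):
    """Authorization header carrying 'key:secret', Base64-encoded (HTTP Basic, assumed)."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def parse_ts(value):
    # Timestamps end in 'Z'; older Python versions need an explicit UTC offset instead.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_shares(listing, allowed_domains, now):
    """Return (share_id, reason) for every share that should be reviewed or revoked."""
    findings = []
    for share in listing.get("data", []):
        email = share.get("consumer_restriction", {}).get("email", "")
        domain = email.rpartition("@")[2].lower()
        phase = share.get("status", {}).get("phase", "")
        if domain not in allowed_domains:
            findings.append((share["id"], f"consumer domain not approved: {domain or 'missing'}"))
        elif phase == "INVITED" and parse_ts(share["invite_expires_at"]) < now:
            findings.append((share["id"], "invitation expired without being redeemed"))
    return findings

def revoke_requests(findings):
    """DELETE request targets for the flagged shares (nothing is sent here)."""
    return [f"DELETE {API}/{share_id}" for share_id, _ in findings]

if __name__ == "__main__":
    now = datetime(2023, 2, 1, tzinfo=timezone.utc)
    for share_id, reason in audit_shares(SAMPLE, {"example.com"}, now):
        print(share_id, reason)
```

Because redeemed shares stay active until they are revoked or deleted, running a review like this on a schedule keeps the list of external readers aligned with the approved consumers.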
Describe stream shares
You can annotate your shared data with a description, organization name and logo, schema for the data, and more using the Cloud Console or the REST API.
To annotate or modify shared data:
Sign in to Confluent Cloud with an administrator account.
From the navigation menu, select Stream shares.
The Stream shares page opens.
In Data shared by you, select the data that you want to annotate or modify.
The shared topic details page appears.
From the shared topic details page, take one of the following actions:
- To edit share content, click Edit share content
- To add share content, click Add share content
Modify or add the following optional descriptive details:
- Display name
- Schema subjects
- Organization description
- Contact email
- Logo
Note
Shared data includes a topic description and any tags added to the topic. You can add or edit tags and the topic description from the topic details page.
Click Save to save your changes.
You can update or add information to a shared resource by making a PATCH call to the https://api.confluent.cloud/cdx/v1/provider-shared-resources/ URL, specifying the share you want to modify.
PATCH /cdx/v1/provider-shared-resources/sr-12abc
{
  "resources": [
    "crn://confluent.cloud/environment=env-abc123/cloud-cluster=lkc-q55555/kafka=lkc-q55555/topic=user"
  ],
  "display_name": "Stock Trades",
  "organization_description": "ABC Corp is the biggest online retailer",
  "organization_contact": "jane.doe@example.com"
}
The response will resemble:
{
"api_version": "v1",
"cloud_cluster": {
"environment": "env-abc123",
"id": "lkc-q55555",
"related": "",
"resource_name": ""
},
"cluster_name": "cluster_1",
"crn": "crn://confluent.cloud/organization=example-7abc-4abc-a123-123456789b19/environment=env-abc123/cloud-cluster=lkc-q55555/kafka=lkc-q55555/topic=user",
"display_name": "Stock Trades",
"environment_name": "test",
"id": "sr-12abc",
"kind": "ProviderSharedResource",
"logo_url": "",
"metadata": {
"created_at": "2023-01-24T00:31:12.930903Z",
"resource_name": "crn://confluent.cloud/organization=example-7abc-4abc-a123-123456789b19/environment=env-abc123/cloud-cluster=lkc-q55555/provider-shared-resource=sr-12abc",
"self": "https://api.confluent.cloud/cdx/v1/provider-shared-resources/sr-12abc",
"updated_at": "2023-01-24T00:31:13.103715Z"
},
"organization_contact": "jane.doe@example.com",
"organization_description": "ABC Corp is the biggest online retailer",
"organization_name": "Confluent",
"resources": [
"crn://confluent.cloud/organization=example-7abc-4abc-a123-123456789b19/environment=env-abc123/cloud-cluster=lkc-q55555/kafka=lkc-q55555/topic=user"
],
"schemas": [],
"tags": null
}