Getting started with RBAC and Kafka Connect

RBAC uses roles and role mappings to provide different levels of access for a principal (user or service principal) to authenticate with Connect and Kafka.

See also

To get started, try the automated RBAC demo that showcases the RBAC functionality in Confluent Platform.

Connect Role Mappings

The table below shows the permitted Connect operations for each RBAC role.

| Roles [1] | Register Connect Cluster | Create Connector | Read Connector Configuration | Read Status | Pause/Restart Connector | Scale Connector | Configure Connector | Manage Access | Delete |
|---|---|---|---|---|---|---|---|---|---|
| SystemAdmin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| UserAdmin | No | No | No | No | No | No | No | Yes | No |
| ClusterAdmin | Yes | Yes | Yes | Yes | [2] | [2] | No | Yes | Yes |
| Operator | No | No | No | Yes | Yes | Yes | Yes | No | No |
| SecurityAdmin | No | No | No | No | No | No | No | No | No |
| ResourceOwner | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| DeveloperRead | No | No | Yes | Yes | No | No | No | No | No |
| DeveloperWrite | No | No | No | Yes | No | No | Yes | No | No |
| DeveloperManage | No | Yes | No | Yes | Yes | Yes | No | No | No |

Table Notes:

[1] Review the following additional information about roles:

  • Each role has either a Cluster-level scope or a Resource-level scope. Yes means that the operation is permitted, but restricted to the role scope. See predefined roles for more information about role scoping.
    • Cluster-level roles: SystemAdmin, UserAdmin, ClusterAdmin, Operator, SecurityAdmin
    • Resource-level roles: ResourceOwner, DeveloperRead, DeveloperWrite, DeveloperManage
  • Read Connector Configuration: Yes means that read-access to both the connector and task configurations is allowed.
  • Read Status: Yes means that read-access is allowed for the task status.
  • Scale Connector: Yes means that the role can change the number of tasks.
  • Configure Connector: Yes means that the role can change any of the connector configuration parameters, except for tasks.max.
  • Delete: Yes means that the role can stop and delete connectors and the Connect cluster.

[2] Yes, but typically this is delegated to the Operator role.
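As an added example (not part of the Confluent documentation or tooling), the following Python transcribes the table above and finds the role, or pair of roles, that covers a set of needed operations while granting the fewest extra ones. The operation keys, the function names and the ranking rule (fewest extra operations, then fewest roles, then fewest cluster-level roles) are assumptions of this example.

```python
from itertools import combinations

# Operations in the table's column order (keys are this example's own names).
OPS = ["register_cluster", "create", "read_config", "read_status",
       "pause_restart", "scale", "configure", "manage_access", "delete"]

# Role -> (scope, one cell per operation), transcribed from the table above.
# Y = Yes, N = No, D = Yes but typically delegated to Operator (table note [2]).
MATRIX = {
    "SystemAdmin":     ("cluster",  "YYYYYYYYY"),
    "UserAdmin":       ("cluster",  "NNNNNNNYN"),
    "ClusterAdmin":    ("cluster",  "YYYYDDNYY"),
    "Operator":        ("cluster",  "NNNYYYYNN"),
    "SecurityAdmin":   ("cluster",  "NNNNNNNNN"),
    "ResourceOwner":   ("resource", "NYYYYYYYY"),
    "DeveloperRead":   ("resource", "NNYYNNNNN"),
    "DeveloperWrite":  ("resource", "NNNYNNYNN"),
    "DeveloperManage": ("resource", "NYNYYYNNN"),
}

def grants(role):
    """Operations a role permits; delegated [2] cells count as permitted."""
    return {op for op, cell in zip(OPS, MATRIX[role][1]) if cell != "N"}

def least_privilege(needed, max_roles=2):
    """Return (roles, excess_ops): the cover of `needed` with the least excess."""
    needed = set(needed)
    unknown = needed - set(OPS)
    if unknown:
        raise ValueError(f"unknown operations: {sorted(unknown)}")
    best = None
    for n in range(1, max_roles + 1):
        for combo in combinations(MATRIX, n):
            granted = set().union(*(grants(r) for r in combo))
            if not needed <= granted:
                continue
            excess = granted - needed
            # Assumed ranking: fewest extra ops, fewest roles, fewest cluster-level roles.
            cluster_roles = sum(MATRIX[r][0] == "cluster" for r in combo)
            key = (len(excess), n, cluster_roles)
            if best is None or key < best[0]:
                best = (key, combo, excess)
    # SystemAdmin permits every operation, so a cover always exists.
    return list(best[1]), sorted(best[2])
```

The returned excess list is the part to review: it names every operation the principal would gain beyond what was asked for, within the scope of the role bindings.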

Connect RBAC workflow

The following is a high-level workflow for configuring RBAC for a Connect cluster and connectors.

  1. Verify that you have a role that can complete the required operations. See confluent iam for information about using the CLI to list and describe roles and permissions for your environment.
  2. Configure RBAC for a Connect cluster.
  3. Configure RBAC for a Connect worker.
  4. Configure RBAC for a connector.

See the role binding sequence for additional details.