Configure Role-based Authorization using Confluent for Kubernetes Blueprints¶
Confluent for Kubernetes (CFK) Blueprints supports Role-Based Access Control (RBAC). RBAC is powered by Confluent’s Metadata Service (MDS), which integrates with an LDAP server and manages authorization and authentication data. RBAC leverages role bindings to determine which users and groups can access specific resources and what actions the users can perform on those resources.
There are a set of principals and role bindings required for the Confluent components to function, and those are automatically generated when CFK Blueprints is deployed.
Note
RBAC with CFK Blueprints can be enabled only for new installations. You cannot upgrade an existing cluster and enable it with RBAC.
Use the following custom resources (CRs) to configure and manage RBAC:
CredentialStoreConfig CR
RBAC credentials are managed through a CredentialStoreConfig CR.
A CredentialStoreConfig CR has to be deployed before the ConfluentPlatformBlueprint CR when enabling RBAC.
ConfluentPlatformBlueprint CR
The confluentPlatformBlueprints CR defines the global RBAC settings for all deployments.
The high-level workflow to enable RBAC is:
Prerequisites¶
For enabling Confluent RBAC, have an LDAP server that Confluent Platform can use for authentication, and create the following user principals in LDAP.
- To allow Metadata Service (MDS) to query LDAP about other users, create the LDAP user/password for a user who has a minimum of LDAP read-only permissions.
- Create a user for the Admin REST service in LDAP and provide the username and password.
Configure an identity provider¶
You must set up an identity provider, for example, Active Directory (AD), before configuring and starting up Confluent Platform clusters with RBAC.
If TLS is required for the identity provider, set up the certificates for the identity provider at the Blueprint or the Deployment level:
Provide the LDAP authentication credentials:
Create a
.txt
file and add the LDAP credentials in the following format:username=<user> password=<password>
Create a Kubernetes secret with the key and the file you created in the previous step if the credential is required.
The default key is
ldap-server-simple.txt
. If using a different key, specify that key in the next step inblueprint.credentialStoreRef.key
.kubectl create secret generic <secret name> \ --from-file=ldap-server-simple.txt=<path to the credential file> \ --namespace <namespace>
Create a CredentialStoreConfig CR with reference to the secret created in the previous step.
Configure the identity provider in the ConfluentPlatformBlueprint CR:
kind: ConfluentPlatformBlueprint spec: identityProvider: type: ldap --- [1] ldap: --- [2] address: --- [3] authentication: type: simple --- [4] simple: --- [5] providerType: blueprint --- [6] blueprint: --- [7] credentialStoreRef: name: --- [8] key: --- [9] tlsClientConfig: --- [10] providerType: blueprint --- [11] blueprint: --- [12] certificateStoreConfig: name: --- [13] configurations: --- [14] groupMemberAttribute: --- [15] groupMemberAttributePattern:- [16] groupNameAttribute: --- [17] groupObjectClass: --- [18] groupSearchBase: --- [19] groupSearchFilter: --- [20] groupSearchScope: --- [21] userMemberOfAttributePattern: [22] userNameAttribute: --- [23] userObjectClass: --- [24] userSearchBase: --- [25] userSearchFilter: --- [26] userSearchScope: --- [27]
[1] Required. The identity provider type. Set to
ldap
.[2] Required.
[3] Required. The address of the LDAP server, for example,
ldaps://ldap.confluent.svc.cluster.local:636
.[4] Required. The authentication method to access the LDAP server. Set to
simple
.[5] Required when the authentication type is set to
simple
in [4].[6] Required. Specify where the credentials are provided. Set to
blueprint
.[7] Required.
[8] The value of the
credentialStoreConfigRefs.name
in this ConfluentPlatformBlueprint CR.[9] The name of the key in the secret the
credentialStoreConfigRefs.name
set in [8] refers to.[10] TLS configuration for LDAP when enabled.
[11] Required. Specify where the TLS certificates are provided. Set it to
blueprint
.See Configure Network Encryption using Confluent for Kubernetes Blueprints for details on TLS and certificate configuration.
[12] Required.
[13] Specify the name of the CertificateStoreConfig CR that you created in the first step.
[14] Required. The LDAP configuration settings.
[15] Specify the LDAP group member attribute.
[16] Specify the regular expression pattern for the LDAP group member attribute.
[17] Specify the LDAP group name attribute.
[18] Specify the LDAP group object class.
[19] Specify the LDAP search base for the group-based search.
[20] Specify the LDAP search filter for the group-based search.
[21] Specify the LDAP search scope for the group-based search.
[22] Specify the regular expression pattern for the LDAP user member attribute.
[23] Specify the LDAP username attribute.
[24] Specify the LDAP user object class.
[25] Specify the LDAP search base for the user-based search.
[26] Specify the LDAP search filter for the user-based search.
[27] Specify the LDAP search scope for the user-based search.
An example
configurations
object:configurations: groupNameAttribute: cn groupObjectClass: group groupMemberAttribute: member groupMemberAttributePattern: CN=(.*),DC=test,DC=com groupSearchBase: dc=test,dc=com userNameAttribute: cn userMemberOfAttributePattern: CN=(.*),DC=test,DC=com userObjectClass: organizationalRole userSearchBase: dc=test,dc=com
Configure a metadata service¶
Configure the metadata service (MDS) settings for RBAC.
Create and store the MDS token key pair that is required to authenticate to MDS.
Create two
.txt
files for the MDS token key and public key in the following format:-----BEGIN RSA PRIVATE KEY----- Add the private key here -----BEGIN RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY----- Add the public key here -----END PUBLIC KEY-----
Create a Kubernetes secret using the files created in the previous step.
The expected keys are:
mds-token-key.txt
for the MDS token keymds-public-key.txt
for the MDS public key
kubectl create secret <secret name> --from-file=mds-token-key.txt=<path to the MDS token key file> --from-file=mds-public-key.txt=<path to the MDS public key file> --namespace <namespace>
Create a CredentialStoreConfig CR with reference to the secret created in the previous step.
Configure the metadata service (MDS) settings in the ConfluentPlatformBlueprint CR:
kind: ConfluentPlatformBlueprint spec: metaDataService: identityProviderType: --- [1] tokenKeyPair: --- [2] publicKey: --- [3] providerType: blueprint --- [4] blueprint: credentialStoreRef: name: --- [5] key: --- [6] tokenKey: --- [7] providerType: blueprint --- [8] blueprint: credentialStoreRef: name: --- [9] key: --- [10] tlsConfig: --- [11]
- [1] Required. Set to
ldap
. - [2] Required. The token key pair to configure the MDS.
- [3] Required. The public key of the MDS token key pair.
- [4] [8] Required. Specify where the credentials are provided. Set to
blueprint
. - [5] [9] The value of the
credentialStoreConfigRefs.name
in the ConfluentPlatformBlueprint CR. - [6] [10] The name of the key in the secret the
credentialStoreConfigRefs.name
refers to. - [7] Required. The private key of the MDS token key pair.
- [11] TLS configuration for MDS. See Configure Network Encryption using Confluent for Kubernetes Blueprints for details.
- [1] Required. Set to
Enable RBAC for Confluent Platform¶
To configure and deploy Confluent Platform with RBAC, specify the RBAC settings in the ConfluentPlatformBlueprint CR:
kind: ConfluentPlatformBlueprint
spec:
authorization:
type: --- [1]
superUsers: --- [2]
mdsClient: --- [3]
[1] Required. Set to
rbac
.[2] Required. The super users with the admin privilege on the Kafka cluster.
Specify the list in the
User:<user-name>
format. For example:superUsers: - User:kafka - User:testadmin
These users have no access to resources in other Confluent Platform clusters unless they are also configured with specific role bindings on the clusters.
[3] Required. For the steps to set up the required credentials and this object, see Configure the MDS clients.
Configure the MDS clients¶
Set up the client-side configuration to access MDS when RBAC is enabled.
Create a
.txt
file and add the client-side bearer credentials in the following format:username=<username> password=<password>
You must use one of the superusers (
spec.authorization.superuser
in the ConfluentPlatformnBlueprint CR) you provided in Enable RBAC for Confluent Platform.Create a Kubernetes secret using the expected key and the value file you created in the previous step.
The expected key is
mds-client-bearer.txt
.kubectl create secret generic <secret name> \ --from-file=<key>=<path to the credential .txt file> \ --namespace <namespace>
The following example command creates a Kubernetes secret, using the
./mds-client-bearer.txt
file that contains the credentials:kubectl create secret generic credential \ --from-file=mds-client-bearer.txt=./mds-client-bearer.txt \ --namespace confluent
Create a CredentialStoreConfig CR with reference to the secret created in the previous step.
Configure the MDS client in the ConfluentPlatformBlueprint CR:
kind: ConfluentPlatformBlueprint spec: confluentPlatform: authorization: mdsClient: authentication: type: bearer --- [1] bearer: --- [2] providerType: blueprint --- [3] blueprint: credentialStoreRef: name: --- [4] key: --- [5]
- [1] Required. Set to
bearer
. - [2] Required.
- [3] Required. Specify where the credentials are provided. Set to
blueprint
. - [4] The value of the
spec.credentialStoreConfigRefs.name
in the ConfluentPlatformBlueprint CR. The value must contains one of the super user. - [5] The name of the key in the secret the
credentialStoreConfigRefs.name
refers to.
- [1] Required. Set to