Configure Role-Based Authorization for Confluent Platform Using Confluent for Kubernetes Blueprints

Confluent for Kubernetes (CFK) Blueprints supports Role-Based Access Control (RBAC). RBAC is powered by Confluent’s Metadata Service (MDS), which integrates with an LDAP server and manages authorization and authentication data. RBAC leverages role bindings to determine which users and groups can access specific resources and what actions the users can perform on those resources.

There are a set of principals and role bindings required for the Confluent components to function, and those are automatically generated when CFK Blueprints is deployed.

Note

RBAC with CFK Blueprints can be enabled only for new installations. You cannot upgrade an existing cluster and enable it with RBAC.

Use the following custom resources (CRs) to configure and manage RBAC:

  • CredentialStoreConfig CR

    RBAC credentials are managed through a CredentialStoreConfig CR.

    A CredentialStoreConfig CR has to be deployed before the ConfluentPlatformBlueprint CR when enabling RBAC.

  • ConfluentPlatformBlueprint CR

    The confluentPlatformBlueprints CR defines the global RBAC settings for all deployments.

The high-level workflow to enable RBAC is:

  1. Configure an identity provider.
  2. Configure a metadata service (MDS).
  3. Enable RBAC.

Prerequisites

For enabling Confluent RBAC, have an LDAP server that Confluent Platform can use for authentication, and create the following user principals in LDAP.

  • To allow Metadata Service (MDS) to query LDAP about other users, create the LDAP user/password for a user who has a minimum of LDAP read-only permissions.
  • Create a user for the Admin REST service in LDAP and provide the username and password.

Configure an identity provider

You must set up an identity provider, for example, Active Directory (AD), before configuring and starting up Confluent Platform clusters with RBAC.

  1. If TLS is required for the identity provider, set up the certificates for the identity provider at the Blueprint or the Deployment level:

  2. Provide the LDAP authentication credentials:

    1. Create a .txt file and add the LDAP credentials in the following format:

      username=<user>
      password=<password>
      
    2. Create a Kubernetes secret with the key and the file you created in the previous step if the credential is required.

      The default key is ldap-server-simple.txt. If using a different key, specify that key in the next step in blueprint.credentialStoreRef.key.

      kubectl create secret generic <secret name> \
        --from-file=ldap-server-simple.txt=<path to the credential file> \
        --namespace <namespace>
      
  3. Create a CredentialStoreConfig CR with reference to the secret created in the previous step.

  4. Configure the identity provider in the ConfluentPlatformBlueprint CR:

    kind: ConfluentPlatformBlueprint
    spec:
      identityProvider:
        type: ldap                    --- [1]
        ldap:                         --- [2]
          address:                    --- [3]
          authentication:
            type: simple              --- [4]
            simple:                   --- [5]
              providerType: blueprint --- [6]
              blueprint:              --- [7]
                credentialStoreRef:
                   name:              --- [8]
                   key:               --- [9]
          tlsClientConfig:            --- [10]
            providerType: blueprint   --- [11]
            blueprint:                --- [12]
              certificateStoreConfig:
                name:                 --- [13]
          configurations:             --- [14]
            groupMemberAttribute:     --- [15]
            groupMemberAttributePattern:- [16]
            groupNameAttribute:       --- [17]
            groupObjectClass:         --- [18]
            groupSearchBase:          --- [19]
            groupSearchFilter:        --- [20]
            groupSearchScope:         --- [21]
            userMemberOfAttributePattern: [22]
            userNameAttribute:        --- [23]
            userObjectClass:          --- [24]
            userSearchBase:           --- [25]
            userSearchFilter:         --- [26]
            userSearchScope:          --- [27]
    
    • [1] Required. The identity provider type. Set to ldap.

    • [2] Required.

    • [3] Required. The address of the LDAP server, for example, ldaps://ldap.confluent.svc.cluster.local:636.

    • [4] Required. The authentication method to access the LDAP server. Set to simple.

    • [5] Required when the authentication type is set to simple in [4].

    • [6] Required. Specify where the credentials are provided. Set to blueprint.

    • [7] Required.

    • [8] The value of the credentialStoreConfigRefs.name in this ConfluentPlatformBlueprint CR.

    • [9] The name of the key in the secret the credentialStoreConfigRefs.name set in [8] refers to.

    • [10] TLS configuration for LDAP when enabled.

    • [11] Required. Specify where the TLS certificates are provided. Set it to blueprint.

      See Configure Network Encryption for Confluent Platform Using Confluent for Kubernetes Blueprints for details on TLS and certificate configuration.

    • [12] Required.

    • [13] Specify the name of the CertificateStoreConfig CR that you created in the first step.

    • [14] Required. The LDAP configuration settings.

    • [15] Specify the LDAP group member attribute.

    • [16] Specify the regular expression pattern for the LDAP group member attribute.

    • [17] Specify the LDAP group name attribute.

    • [18] Specify the LDAP group object class.

    • [19] Specify the LDAP search base for the group-based search.

    • [20] Specify the LDAP search filter for the group-based search.

    • [21] Specify the LDAP search scope for the group-based search.

    • [22] Specify the regular expression pattern for the LDAP user member attribute.

    • [23] Specify the LDAP username attribute.

    • [24] Specify the LDAP user object class.

    • [25] Specify the LDAP search base for the user-based search.

    • [26] Specify the LDAP search filter for the user-based search.

    • [27] Specify the LDAP search scope for the user-based search.

    An example configurations object:

    configurations:
      groupNameAttribute: cn
      groupObjectClass: group
      groupMemberAttribute: member
      groupMemberAttributePattern: CN=(.*),DC=test,DC=com
      groupSearchBase: dc=test,dc=com
      userNameAttribute: cn
      userMemberOfAttributePattern: CN=(.*),DC=test,DC=com
      userObjectClass: organizationalRole
      userSearchBase: dc=test,dc=com
    

Configure a metadata service

Configure the metadata service (MDS) settings for RBAC.

  1. Create and store the MDS token key pair that is required to authenticate to MDS.

    1. Create two .txt files for the MDS token key and public key in the following format:

      -----BEGIN RSA PRIVATE KEY-----
      Add the private key here
      -----BEGIN RSA PRIVATE KEY-----
      
      -----BEGIN PUBLIC KEY-----
      Add the public key here
      -----END PUBLIC KEY-----
      
    2. Create a Kubernetes secret using the files created in the previous step.

      The expected keys are:

      • mds-token-key.txt for the MDS token key
      • mds-public-key.txt for the MDS public key
      kubectl create secret <secret name>
        --from-file=mds-token-key.txt=<path to the MDS token key file>
        --from-file=mds-public-key.txt=<path to the MDS public key file>
        --namespace <namespace>
      
    3. Create a CredentialStoreConfig CR with reference to the secret created in the previous step.

  2. Configure the metadata service (MDS) settings in the ConfluentPlatformBlueprint CR:

    kind: ConfluentPlatformBlueprint
    spec:
      metaDataService:
        identityProviderType:       --- [1]
        tokenKeyPair:               --- [2]
          publicKey:                --- [3]
            providerType: blueprint --- [4]
            blueprint:
              credentialStoreRef:
                name:               --- [5]
                key:                --- [6]
          tokenKey:                 --- [7]
            providerType: blueprint --- [8]
            blueprint:
              credentialStoreRef:
                name:               --- [9]
                key:                --- [10]
           tlsConfig:               --- [11]
    
    • [1] Required. Set to ldap.
    • [2] Required. The token key pair to configure the MDS.
    • [3] Required. The public key of the MDS token key pair.
    • [4] [8] Required. Specify where the credentials are provided. Set to blueprint.
    • [5] [9] The value of the credentialStoreConfigRefs.name in the ConfluentPlatformBlueprint CR.
    • [6] [10] The name of the key in the secret the credentialStoreConfigRefs.name refers to.
    • [7] Required. The private key of the MDS token key pair.
    • [11] TLS configuration for MDS. See Configure Network Encryption for Confluent Platform Using Confluent for Kubernetes Blueprints for details.

Enable RBAC for Confluent Platform

To configure and deploy Confluent Platform with RBAC, specify the RBAC settings in the ConfluentPlatformBlueprint CR:

kind: ConfluentPlatformBlueprint
spec:
  authorization:
    type:                        --- [1]
    superUsers:                  --- [2]
    mdsClient:                   --- [3]
  • [1] Required. Set to rbac.

  • [2] Required. The super users with the admin privilege on the Kafka cluster.

    Specify the list in the User:<user-name> format. For example:

    superUsers:
      - User:kafka
      - User:testadmin
    

    These users have no access to resources in other Confluent Platform clusters unless they are also configured with specific role bindings on the clusters.

  • [3] Required. For the steps to set up the required credentials and this object, see Configure the MDS clients.

Configure the MDS clients

Set up the client-side configuration to access MDS when RBAC is enabled.

  1. Create a .txt file and add the client-side bearer credentials in the following format:

    username=<username>
    password=<password>
    

    You must use one of the superusers (spec.authorization.superuser in the ConfluentPlatformnBlueprint CR) you provided in Enable RBAC for Confluent Platform.

  2. Create a Kubernetes secret using the expected key and the value file you created in the previous step.

    The expected key is mds-client-bearer.txt.

    kubectl create secret generic <secret name> \
      --from-file=<key>=<path to the credential .txt file> \
      --namespace <namespace>
    

    The following example command creates a Kubernetes secret, using the ./mds-client-bearer.txt file that contains the credentials:

    kubectl create secret generic credential \
      --from-file=mds-client-bearer.txt=./mds-client-bearer.txt \
      --namespace confluent
    
  3. Create a CredentialStoreConfig CR with reference to the secret created in the previous step.

  4. Configure the MDS client in the ConfluentPlatformBlueprint CR:

    kind: ConfluentPlatformBlueprint
    spec:
      confluentPlatform:
        authorization:
          mdsClient:
            authentication:
              type: bearer              --- [1]
              bearer:                   --- [2]
                providerType: blueprint --- [3]
                blueprint:
                  credentialStoreRef:
                    name:               --- [4]
                    key:                --- [5]
    
    • [1] Required. Set to bearer.
    • [2] Required.
    • [3] Required. Specify where the credentials are provided. Set to blueprint.
    • [4] The value of the spec.credentialStoreConfigRefs.name in the ConfluentPlatformBlueprint CR. The value must contains one of the super user.
    • [5] The name of the key in the secret the credentialStoreConfigRefs.name refers to.