Example role-binding sequence¶
The following is an example sequence for configuring RBAC role bindings when working with Kafka Connect and connectors. This assumes configuration parameters are configured as described in previous sections.
Note
For instructions on getting your actual cluster IDs, refer to Discover Identifiers for Clusters.
To use the Connect REST API to set up role bindings, see Configure RBAC using the REST API.
The following tasks are completed by the RBAC System Administrator. These
are the steps used to grant permissions to the Connect cluster service principal.
$CONNECT_USER
is the example service principal being configured in the following
steps.
Grant principal
User:$CONNECT_USER
theResourceOwner
role forTopic:connect-configs
.confluent iam rolebinding create \ --principal User:$CONNECT_USER \ --role ResourceOwner \ --resource Topic:connect-configs \ --kafka-cluster-id $KAFKA_CLUSTER_ID
Grant principal
User:$CONNECT_USER
theResourceOwner
role forTopic:connect-offsets
.confluent iam rolebinding create \ --principal User:$CONNECT_USER \ --role ResourceOwner \ --resource Topic:connect-offsets \ --kafka-cluster-id $KAFKA_CLUSTER_ID
Grant principal
User:$CONNECT_USER
theResourceOwner
role forTopic:connect-statuses
.confluent iam rolebinding create \ --principal User:$CONNECT_USER \ --role ResourceOwner \ --resource Topic:connect-statuses \ --kafka-cluster-id $KAFKA_CLUSTER_ID
Grant principal
User:$CONNECT_USER
theResourceOwner
role forGroup:connect-cluster
.confluent iam rolebinding create \ --principal User:$CONNECT_USER \ --role ResourceOwner \ --resource Group:connect-cluster \ --kafka-cluster-id $KAFKA_CLUSTER_ID
Grant principal
User:$CONNECT_USER
theSecurityAdmin
role. This allowsUser:$CONNECT_USER
permission to make requests to the Metadata Service (MDS) to find out if a user making calls to the MDS REST API is authorized to perform required operations.confluent iam rolebinding create \ --principal User:$CONNECT_USER \ --role SecurityAdmin \ --kafka-cluster-id $KAFKA_CLUSTER_ID --connect-cluster-id $CONNECT_CLUSTER_ID
List the role bindings for the principal
User:$CONNECT_USER
. Verify that all the role bindings are properly configured.confluent iam rolebinding list \ --principal User:$CONNECT_USER \ --kafka-cluster-id $KAFKA_CLUSTER_ID \ --connect-cluster-id $CONNECT_CLUSTER_ID
The following two steps are required if using a Connect Secret Registry.
Grant principal
User:$CONNECT_USER
theResourceOwner
role toTopic:_confluent-secrets
.confluent iam rolebinding create \ --principal User:$CONNECT_USER \ --role ResourceOwner \ --resource Topic:_secrets \ --kafka-cluster-id $KAFKA_CLUSTER_ID
Grant principal
User:$CONNECT_USER
theResourceOwner
role toGroup:secret-registry
.confluent iam rolebinding create \ --principal User:$CONNECT_USER \ --role ResourceOwner \ --resource Group:secret-registry \ --kafka-cluster-id $KAFKA_CLUSTER_ID
The following steps configure role bindings for a user that is creating a
connector. The example user name in the steps is User:$CLIENT
. The
example uses $CONNECTOR_NAME
for the connector name and $DATA_TOPIC
for
the topic name.
Grant principal
User:$CLIENT
theResourceOwner
role forConnector:$CONNECTOR_NAME
.confluent iam rolebinding create \ --principal User:$CLIENT \ --role ResourceOwner \ --resource Connector:$CONNECTOR_NAME \ --kafka-cluster-id $KAFKA_CLUSTER_ID \ --connect-cluster-id $CONNECT_CLUSTER_ID
Grant principal
User:$CONNECT_USER
theResourceOwner
role toTopic:$DATA_TOPIC
.confluent iam rolebinding create \ --principal User:$CONNECT_USER \ --role ResourceOwner \ --resource Topic:$DATA_TOPIC \ --kafka-cluster-id $KAFKA_CLUSTER_ID
List the role bindings for the principal
User:$CLIENT
to the Connect cluster.confluent iam rolebinding list \ --principal User:$CLIENT \ --kafka-cluster-id $KAFKA_CLUSTER_ID \ --connect-cluster-id $CONNECT_CLUSTER_ID
After completing these steps:
- The service principal for the Connect worker should have sufficient permissions and it should be possible to successfully start the worker.
- The user should have sufficient permissions to create and manage the connector in the example.
- The service principal for the connector in the example should have sufficient permissions to access the
$DATA_TOPIC
.