Getting started with RBAC and Kafka Connect
RBAC uses roles and role mappings to provide different levels of access for a principal (user or service principal) to authenticate with Connect and Kafka.
See also: To get started, try the automated RBAC example that showcases the RBAC functionality in Confluent Platform.
Connect Role Mappings
The table below shows the permitted Connect operations for each RBAC role.
Roles [1] | Register Connect Cluster | Create Connector | Read Connector Configuration | Read Status | Pause/Restart Connector | Scale Connector | Configure Connector | Manage Access | Delete |
---|---|---|---|---|---|---|---|---|---|
SystemAdmin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
UserAdmin | No | No | No | No | No | No | No | Yes | No |
ClusterAdmin | Yes | Yes | Yes | Yes | [2] | [2] | No | Yes | Yes |
Operator | No | No | No | Yes | Yes | Yes | Yes | No | No |
SecurityAdmin | No | No | No | No | No | No | No | No | No |
ResourceOwner | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
DeveloperRead | No | No | Yes | Yes | No | No | No | No | No |
DeveloperWrite | No | No | No | Yes | No | No | Yes | No | No |
DeveloperManage | No | Yes | No | Yes | Yes | Yes | No | No | No |
Table Notes:
[1] Review the following additional information about roles:
- Each role has either a Cluster-level scope or a Resource-level scope. Yes means that the operation is permitted, but restricted to the role scope. See predefined roles for more information about role scoping.
- Cluster-level roles: SystemAdmin, UserAdmin, ClusterAdmin, Operator, SecurityAdmin
- Resource-level roles: ResourceOwner, DeveloperRead, DeveloperWrite, DeveloperManage
- Read Connector Configuration: Yes means that read-access to both the connector and task configurations is allowed.
- Read Status: Yes means that read-access is allowed for the task status.
- Scale Connector: Yes means that the role can change the number of tasks.
- Configure Connector: Yes means that the role can change any of the connector configuration parameters, except for `tasks.max`.
- Delete: Yes means that the role can stop and delete connectors and the Connect cluster.
[2] Yes; but typically this is delegated to the Operator role.
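The following is an added example, not Confluent's code: a small policy evaluator that transcribes the table above and applies the scoping rules from the table notes, so you can check what a given set of role bindings actually permits on a named connector before handing them out. Role and operation names, the `Binding` class, and the connector names are assumptions made for the example; the `tasks.max` handling follows the Configure Connector and Scale Connector notes.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Permitted operations per role, transcribed from the table above (ClusterAdmin's
# Pause/Restart and Scale are "Yes" per note [2]). Operation names are assumptions.
CLUSTER_ROLES = {
    "SystemAdmin": {"register", "create", "read_config", "read_status", "pause_restart", "scale", "configure", "manage_access", "delete"},
    "UserAdmin": {"manage_access"},
    "ClusterAdmin": {"register", "create", "read_config", "read_status", "pause_restart", "scale", "manage_access", "delete"},
    "Operator": {"read_status", "pause_restart", "scale", "configure"},
    "SecurityAdmin": set(),
}
RESOURCE_ROLES = {
    "ResourceOwner": {"create", "read_config", "read_status", "pause_restart", "scale", "configure", "manage_access", "delete"},
    "DeveloperRead": {"read_config", "read_status"},
    "DeveloperWrite": {"read_status", "configure"},
    "DeveloperManage": {"create", "read_status", "pause_restart", "scale"},
}

@dataclass(frozen=True)
class Binding:  # hypothetical model of one role binding
    role: str
    connector: Optional[str] = None  # None for cluster-level roles; Connector resource name otherwise

def required_operations(operation: str, changed_keys: Iterable[str] = ()) -> set:
    """Table columns an action needs. Configure Connector excludes tasks.max (table
    notes), so changing it requires the Scale Connector permission instead."""
    if operation != "configure":
        return {operation}
    keys = set(changed_keys)
    needed = {"scale"} if "tasks.max" in keys else set()
    if keys - {"tasks.max"}:
        needed.add("configure")
    return needed or {"configure"}

def is_allowed(bindings, operation, connector=None, changed_keys=()):
    """Note [1] scoping: cluster-level roles cover every connector; resource-level roles only the bound one."""
    granted = set()
    for b in bindings:
        if b.role in CLUSTER_ROLES:
            granted |= CLUSTER_ROLES[b.role]
        elif b.role in RESOURCE_ROLES:
            if connector is not None and b.connector == connector:
                granted |= RESOURCE_ROLES[b.role]
        else:
            raise ValueError(f"unknown role: {b.role}")
    return required_operations(operation, changed_keys) <= granted

if __name__ == "__main__":  # constructed: bob is DeveloperWrite on a single connector
    bob = [Binding("DeveloperWrite", "orders-sink")]
    print(is_allowed(bob, "configure", "orders-sink", ["tasks.max"]))  # False: tasks.max needs Scale Connector
```

Because permissions are unioned across bindings, the evaluator also shows that pairing DeveloperWrite with DeveloperManage on the same connector is what it takes to change both `tasks.max` and other settings in one update.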
Connect RBAC workflow
The following is a high-level workflow for configuring RBAC for a Connect cluster and connectors.
- Verify that you have a role that can complete the required operations. See `confluent iam` for information about using the CLI to list and describe roles and permissions for your environment.
- Configure RBAC for a Connect cluster.
- Configure RBAC for a Connect worker.
- Configure RBAC for a connector.
- See the role binding sequence for additional details.
- To use the Connect REST API to set up role bindings, see Configure RBAC using the REST API.