Discover Identifiers for Clusters

When you assign user roles using the Confluent CLI, you need the identifiers for the clusters in your Confluent Platform deployment.

For example, the following command assigns the DeveloperRead role on a topic in the Kafka cluster identified by <kafka-id>.

# Grant read-only access for a user to a topic.
confluent iam rbac role-binding create \
  --principal User:<user-name> \
  --role DeveloperRead \
  --resource Topic:<topic-name> \
  --kafka-cluster-id <kafka-id>

When creating role bindings for Schema Registry, ksqlDB, and Connect, you must provide two identifiers: the Kafka cluster identifier and an additional component cluster identifier. For example, the following command assigns the DeveloperWrite role on a topic in a Schema Registry cluster:

# Grant write access for a user to a topic in Schema Registry.
confluent iam rbac role-binding create \
  --principal User:<user-name> \
  --role DeveloperWrite \
  --resource Topic:<topic-name> \
  --kafka-cluster-id <kafka-id> \
  --schema-registry-cluster-id <schema-registry-cluster-id>

Viewing Cluster IDs

Before searching for a component’s cluster ID, you must know the URL (for example, http://127.0.0.1:8080/) for all of your Confluent Platform components. Contact your IT admin to get the HTTP address (which depends on your setup) for each component.

To view the cluster ID for a Confluent Platform component:

confluent cluster describe --url <service url>

Kafka Example

For Kafka, your output should resemble:

confluent cluster describe --url http://localhost:8090
Scope:
       Type       |           ID
+-----------------+------------------------+
  kafka-cluster   | LRx92c9yQ+ws786HYosuBn

In this example, the Kafka cluster ID is LRx92c9yQ+ws786HYosuBn.

Use the Kafka cluster ID with the kafka-cluster-id option when you assign a role or an ACL to a user. The following Confluent CLI command shows how to grant the DeveloperRead role on this cluster.

# Grant read-only access for a user to a topic.
confluent iam rbac role-binding create \
  --principal User:<user-name> \
  --role DeveloperRead \
  --resource Topic:<topic-name> \
  --kafka-cluster-id LRx92c9yQ+ws786HYosuBn

ksqlDB Example

For ksqlDB, your output should resemble:

confluent cluster describe --url http://localhost:8088
Scope:
       Type       |           ID
+-----------------+------------------------+
  ksql-cluster    | ksql-cluster
  kafka-cluster   | JFb61d2pD6fe224FbsjoZl

In this example, the ksqlDB service ID is ksql-cluster.

Use the ksqlDB service ID with the ksql-cluster-id option when you assign a role to a user. The following Confluent CLI command shows how to grant the ResourceOwner role on this cluster.

confluent iam rbac role-binding create \
    --principal User:<user-name> \
    --role ResourceOwner \
    --kafka-cluster-id JFb61d2pD6fe224FbsjoZl \
    --ksql-cluster-id ksql-cluster \
    --resource KsqlCluster:ksql-cluster

Schema Registry Example

For Schema Registry, your output should resemble:

confluent cluster describe --url http://localhost:8081
Scope:
          Type           |           ID
+------------------------+--------------------------+
 schema-registry-cluster |  schema-registry
 kafka-cluster           |  DCs16f7dN-pu781RtumkJd

In this example, the Schema Registry cluster ID is schema-registry.

The following Confluent CLI command shows how to grant the DeveloperRead role on a Schema Registry cluster that has the default cluster ID.

confluent iam rbac role-binding create \
  --principal User:<user-name> \
  --role DeveloperRead \
  --schema-registry-cluster-id schema-registry \
  --kafka-cluster-id DCs16f7dN-pu781RtumkJd

The Schema Registry cluster ID is the schema.registry.group.id configuration setting in the schema-registry.properties file. The default value is schema-registry. Assign the ID by using the schema-registry-cluster-id option in the confluent iam rbac role-binding create command.

Use the cluster ID of the Kafka cluster that stores schemas. This cluster is configured with the kafkastore.bootstrap.servers property.

If the kafkastore.bootstrap.servers property is not set, use the cluster that has ZooKeeper configured with the kafkastore.connection.url property. For more information, see Single Datacenter Setup.

Connect Example

For Connect, your output should resemble:

confluent cluster describe --url http://localhost:8083
Scope:
       Type       |           ID
+-----------------+------------------------+
  connect-cluster | connect-cluster
  kafka-cluster   | DEk20b9rR-at315LMtcuUw

In this example, the Connect cluster ID is connect-cluster.

The following Confluent CLI command shows how to grant the DeveloperRead role on the connect-cluster Connect cluster.

confluent iam rbac role-binding create \
  --principal User:<user-name> \
  --role DeveloperRead \
  --connect-cluster-id connect-cluster \
  --kafka-cluster-id DEk20b9rR-at315LMtcuUw

The Connect cluster ID is the group.id setting from your worker configuration file. Assign the ID by using the connect-cluster-id option in the confluent iam rbac role-binding create command.

Use the cluster ID of the Kafka cluster that stores connector configuration, status, and offset information. This cluster is set by the bootstrap.servers property in the Connect worker configuration file. For more information, see Distributed Worker Configuration.

Note

If running in standalone mode, the connect-cluster-id is STANDALONE, in all capital letters.
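
The following script is an added example, not part of the original documentation or Confluent's own tooling. It reads the Scope table that confluent cluster describe prints and derives the matching scope options for confluent iam rbac role-binding create, so the IDs are not retyped by hand. The function names scope_flags and role_binding_cmd are hypothetical, and the sample input is the ksqlDB output shown above.

```shell
# Added example (not Confluent's code): build role-binding scope flags from
# the Scope table that `confluent cluster describe` prints.

# Constructed sample: the ksqlDB output shown on this page.
SAMPLE_DESCRIBE='Scope:
       Type       |           ID
+-----------------+------------------------+
  ksql-cluster    | ksql-cluster
  kafka-cluster   | JFb61d2pD6fe224FbsjoZl'

# scope_flags: read describe output on stdin; print one "--<type>-id <id>"
# line per Scope row. Exits non-zero when the kafka-cluster row is missing,
# a row has an unknown type, or an ID is empty or contains whitespace
# (these checks are choices made for this example).
scope_flags() {
  awk -F'|' '
    NF == 2 {                          # only table rows contain one "|"
      type = $1; id = $2
      gsub(/^[ \t]+|[ \t]+$/, "", type)
      gsub(/^[ \t]+|[ \t]+$/, "", id)
      if (type == "Type") next         # header row
      if (type !~ /^(kafka|ksql|schema-registry|connect)-cluster$/ ||
          id == "" || id ~ /[ \t]/) {
        print "rejecting row: " $0 > "/dev/stderr"; bad = 1; next
      }
      if (type == "kafka-cluster") have_kafka = 1
      printf "--%s-id %s\n", type, id
    }
    END { if (bad || !have_kafka) exit 1 }
  '
}

# role_binding_cmd PRINCIPAL ROLE [RESOURCE]: print the command for review
# instead of running it; describe output is read from stdin.
role_binding_cmd() {
  rb_flags=$(scope_flags) || return 1
  printf 'confluent iam rbac role-binding create --principal %s --role %s %s%s\n' \
    "$1" "$2" "$(printf '%s' "$rb_flags" | tr '\n' ' ')" "${3:+ --resource $3}"
}

# Prints the ksqlDB ResourceOwner binding from the example above.
printf '%s\n' "$SAMPLE_DESCRIBE" |
  role_binding_cmd 'User:<user-name>' ResourceOwner KsqlCluster:ksql-cluster
```

Against a live component, pipe confluent cluster describe --url <service url> into role_binding_cmd and review the printed command before running it.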