Configure RBAC using the REST API
Use the sample curl statements below to configure RBAC for different components using the REST API.
Note
The guidance here assumes that you are using the default topics and cluster IDs. Replace all variable entries (in <>) with values from your installation.
The authenticate call returns a JSON document; the value of its auth_token field is the bearer token to pass as <your-token> in the calls that follow. Supplying the MDS super-user password as -u <mds-super-user>:<mds-super-user-password> writes it into your shell history and exposes it in the process list while curl runs; on a shared host, pass -u <mds-super-user> alone and let curl prompt for the password.
Schema Registry
To configure RBAC for Schema Registry using the REST API:
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<mds-hostname>:8090/security/1.0/authenticate
Grant the Security Admin role to the Schema Registry principal, scoped to the Kafka cluster and the Schema Registry cluster:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<schema-registry-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<cluster-id>","schema-registry-cluster":"<schema-registry-ID, default is schema-registry>"}}'
Grant the Resource Owner role to the Schema Registry principal on the consumer group that Schema Registry nodes use to coordinate across the cluster (schema-registry is the default schema.registry.group.id; use your own value if you changed it):
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<schema-registry-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster": "<cluster-id>"}}, "resourcePatterns":[{"resourceType":"Group","name": "schema-registry","patternType":"LITERAL"}]}'
Connect
To configure Connect RBAC role bindings using the REST API:
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<mds-hostname>:8090/security/1.0/authenticate
Grant the Security Admin role to the Connect principal, scoped to the Kafka cluster and the Connect cluster:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<your-connect-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<kafka-cluster-id>","connect-cluster":"<connect-cluster-id>"}}'
Grant the Connect principal the Resource Owner role on the consumer group that Connect workers use to coordinate across the cluster (connect-cluster is the default worker group.id; use your own value if you changed it):
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Group","name":"connect-cluster","patternType":"LITERAL"}]}'
Grant the Resource Owner role on the configuration storage topic (connect-configs is the default config.storage.topic):
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-configs","patternType":"LITERAL"}]}'
Grant the Resource Owner role on the offset storage topic (connect-offsets is the default offset.storage.topic):
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-offsets","patternType":"LITERAL"}]}'
Grant the Resource Owner role on the status storage topic (connect-status is the default status.storage.topic):
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-status","patternType":"LITERAL"}]}'
ksqlDB
To configure RBAC for ksqlDB using the REST API:
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<mds-hostname>:8090/security/1.0/authenticate
Grant the Security Admin role to the ksqlDB principal, scoped to the Kafka cluster and the ksqlDB cluster (default_ is the default ksql.service.id; use your own value if you changed it):
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<cluster-id>","ksql-cluster":"default_"}}'
Grant the Resource Owner role to the ksqlDB principal on the ksqlDB cluster itself:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<cluster-id>","ksql-cluster":"default_"}},"resourcePatterns":[{"resourceType":"KsqlCluster","name":"ksql-cluster","patternType":"LITERAL"}]}'
Grant the Resource Owner role to the ksqlDB principal on its internal resources in one call with three resourcePatterns: the command topic, the processing log topic, and the consumer group prefix. The names below are the defaults derived from a ksql.service.id of default_; substitute your own values if you changed the service ID or the processing log topic name:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"_confluent-ksql-default__command_topic","patternType":"LITERAL"},{"resourceType":"Topic","name":"default_ksql_processing_log","patternType":"LITERAL"},{"resourceType":"Group","name":"_confluent-ksql-default_","patternType":"PREFIXED"}]}'
Confluent Control Center
To configure RBAC for Control Center using the REST API:
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<mds-hostname>:8090/security/1.0/authenticate
Grant the System Admin role to the Control Center principal, scoped to the Kafka cluster. SystemAdmin is the broadest role MDS offers, so bind it only for the cluster that Control Center manages:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<control-center-principal>/roles/SystemAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters": {"kafka-cluster": "<your-kafka-cluster-id>"}}'
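The individual curl commands above are easy to mistype and give no feedback when MDS rejects a grant. The script below is an added example, not code from the Confluent documentation or the Confluent project: it wraps the authenticate call and the POST bodies used on this page in small functions, applies the five Connect grants from the Connect section as one unit, and previews every request in dry-run mode (the default) before anything is sent. The same helpers serve the Schema Registry, ksqlDB and Control Center grants, which differ only in the request path and body. The hostname mds.example.internal, the environment-variable names and the function names are assumptions for the example; the MDS paths, roles, JSON shapes and the auth_token response field are the ones this page relies on.

```shell
#!/bin/sh
# Added example, not from the Confluent documentation. Wraps the MDS REST calls
# shown on this page so the Connect role bindings can be applied as one unit and
# previewed (MDS_DRY_RUN=1, the default) before anything is sent.
# Assumed: the hostname, the environment-variable names and the function names
# are illustrative; the MDS endpoints, roles and JSON bodies are those on this page.
set -eu

MDS_URL="${MDS_URL:-https://mds.example.internal:8090}"   # assumed hostname
MDS_DRY_RUN="${MDS_DRY_RUN:-1}"                            # 1 = print requests, 0 = send them
MDS_TOKEN="${MDS_TOKEN:-}"                                 # filled in by mds_authenticate

# Pull the bearer token out of the JSON that /security/1.0/authenticate returns
# ({"auth_token":"...","token_type":"Bearer","expires_in":...}) without needing jq.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"auth_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Authenticate as the MDS super user. The credentials reach curl through a config
# read from stdin (-K -), so the password never appears on curl's command line
# where `ps` or shell history could capture it.
mds_authenticate() {
  if [ -z "${MDS_PASSWORD:-}" ]; then
    printf 'MDS password for %s: ' "$MDS_USER" >&2
    stty -echo; read -r MDS_PASSWORD; stty echo; printf '\n' >&2
  fi
  _resp=$(printf 'user = "%s:%s"\n' "$MDS_USER" "$MDS_PASSWORD" |
          curl -sS --fail --cacert "$MDS_CACERT" --key "$MDS_KEY" --cert "$MDS_CERT" \
               -K - "$MDS_URL/security/1.0/authenticate")
  MDS_TOKEN=$(extract_token "$_resp")
  [ -n "$MDS_TOKEN" ] || { echo "authenticate: no auth_token in response" >&2; return 1; }
}

# JSON body for a cluster-scoped role grant (POST .../roles/<Role>), optionally
# naming a second cluster such as connect-cluster or schema-registry-cluster.
cluster_scope_body() {  # kafka_cluster_id [cluster_type cluster_id]
  if [ "$#" -ge 3 ]; then
    printf '{"clusters":{"kafka-cluster":"%s","%s":"%s"}}' "$1" "$2" "$3"
  else
    printf '{"clusters":{"kafka-cluster":"%s"}}' "$1"
  fi
}

# JSON body for a resource binding (POST .../roles/<Role>/bindings). patternType
# is checked up front so a typo fails here rather than as an opaque MDS error.
binding_body() {  # kafka_cluster_id resource_type resource_name pattern_type
  case "$4" in
    LITERAL|PREFIXED) ;;
    *) echo "binding_body: patternType must be LITERAL or PREFIXED, got '$4'" >&2; return 1 ;;
  esac
  printf '{"scope":{"clusters":{"kafka-cluster":"%s"}},"resourcePatterns":[{"resourceType":"%s","name":"%s","patternType":"%s"}]}' \
    "$1" "$2" "$3" "$4"
}

# POST a body to an MDS path. --fail turns an HTTP 4xx/5xx (for example a 403
# because the token's principal lacks the right) into a non-zero exit, so set -e
# stops the script instead of continuing past a rejected grant.
mds_post() {  # path body
  if [ "$MDS_DRY_RUN" = "1" ]; then
    printf 'POST %s%s\n  %s\n' "$MDS_URL" "$1" "$2"
    return 0
  fi
  curl -sS --fail --cacert "$MDS_CACERT" --key "$MDS_KEY" --cert "$MDS_CERT" \
    -X POST "$MDS_URL$1" \
    -H "accept: application/json" -H "Content-Type: application/json" \
    -H "Authorization: Bearer $MDS_TOKEN" -d "$2"
}

# The five Connect grants from this page: SecurityAdmin on the Kafka and Connect
# clusters, then ResourceOwner on the worker group and the three internal topics.
# Names default to the Connect defaults (group.id, config/offset/status.storage.topic).
grant_connect_roles() {  # principal kafka_cluster_id connect_cluster_id
  _base="/security/1.0/principals/User:$1/roles"
  mds_post "$_base/SecurityAdmin" "$(cluster_scope_body "$2" connect-cluster "$3")"
  mds_post "$_base/ResourceOwner/bindings" \
    "$(binding_body "$2" Group "${CONNECT_GROUP_ID:-connect-cluster}" LITERAL)"
  for _topic in "${CONNECT_CONFIG_TOPIC:-connect-configs}" \
                "${CONNECT_OFFSET_TOPIC:-connect-offsets}" \
                "${CONNECT_STATUS_TOPIC:-connect-status}"; do
    mds_post "$_base/ResourceOwner/bindings" "$(binding_body "$2" Topic "$_topic" LITERAL)"
  done
}

main() {
  if [ "$MDS_DRY_RUN" != "1" ] && [ -z "$MDS_TOKEN" ]; then
    mds_authenticate
  fi
  grant_connect_roles "${CONNECT_PRINCIPAL:-connect}" "$KAFKA_CLUSTER_ID" "$CONNECT_CLUSTER_ID"
}

# Only runs when asked, e.g.:
#   MDS_APPLY=1 KAFKA_CLUSTER_ID=<kafka-cluster-id> CONNECT_CLUSTER_ID=<connect-cluster-id> sh grant-connect-rbac.sh
if [ "${MDS_APPLY:-0}" = "1" ]; then main; fi
```

Run it once with MDS_DRY_RUN=1 and compare the printed paths and bodies against the commands above; then set MDS_DRY_RUN=0 together with MDS_USER, MDS_CACERT, MDS_KEY and MDS_CERT to apply them. Because every request goes through mds_post with --fail, a grant that MDS refuses aborts the run at that step, so you know exactly which binding still needs attention rather than discovering it later from a Connect worker that cannot read its internal topics.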