Role-Based Access Control Predefined Roles¶
Confluent Platform provides predefined roles to help implement granular permissions for specific resources and to simplify access control across the Confluent Platform. A predefined role is a Confluent-defined job function that is assigned a set of permissions required to perform specific actions or operations on Confluent resources. Each role is bound to a principal and Confluent resources. Users can have multiple roles assigned to them. You cannot use a predefined role to override denial-of-access (DENY) that is configured in an ACL.
When a role is assigned at the cluster-level (Kafka cluster, Schema Registry cluster, ksqlDB cluster,
or Connect cluster) it means that users who are assigned this role have access to
all resources in a cluster. For example, the ClusterAdmin
of a Kafka cluster
has access to Confluent Control Center alerts. There are corresponding resource types for each
cluster type. For example, you can assign the ResourceOwner
role to the
resource types KsqlCluster:ksql-cluster
or Cluster:kafka-cluster
to provide a user all the ResourceOwner
privileges for a ksqlDB or Kafka
cluster.
When a role is assigned at the resource-level it means that users assigned this role only have access to specific resources as defined in the role binding.
The resource types for which you can assign RBAC roles and role bindings are:
- Kafka cluster
- Topic
- Consumer group
- TransactionalID
- Schema Registry cluster
- Schema Registry subject
- ksqlDB cluster
- Connect cluster
- Connector
Confluent Platform provides the following predefined roles:
Role Name | Role Scope | View Role Bindings of Others | Manage Role Bindings | Monitor | Resource Read | Resource Write | Resource Manage |
---|---|---|---|---|---|---|---|
super.user | Cluster-level | Yes | Yes | Yes | Yes | Yes | Yes |
SystemAdmin | Cluster-level | Yes | Yes | Yes | Yes | Yes | Yes |
ClusterAdmin | Cluster-level | No | No | Yes | Yes | Yes | Yes |
UserAdmin | Cluster-level | Yes | Yes | No | No | No | No |
SecurityAdmin | Cluster-level | Yes | No | No | No | No | No |
AuditAdmin | Cluster-level | No | No | No | No | No | Yes (1) |
Operator | Cluster-level | No | No | Yes | No | No | Yes (2) |
ResourceOwner | Resource-level | Yes | Yes | No | Yes | Yes | Yes |
DeveloperRead | Resource-level | No | No | No | Yes | No | No |
DeveloperWrite | Resource-level | No | No | No | No | Yes | No |
DeveloperManage | Resource-level | No | No | No | No | No | Yes |
- Notes:
- The AuditAdmin role provides sufficient access for creating and managing the audit log configuration.
- For Operator Resource Manage, Operators can only pause, resume, and scale Connectors.
- super.user
The purpose of
super.user
is to have a bootstrap user who can initially grant another user theSystemAdmin
role.Technically speaking,
super.user
is not a predefined role. It is aserver.properties
attribute that defines a user who has full access to all resources within a Metadata Service (MDS) cluster. Asuper.user
has no access to resources in other clusters (unless also configured as asuper.user
on other clusters). The primary use of super.user is to bootstrap Confluent Platform and assign a SystemAdmin. On MDS clusters,super.user
can create role bindings for all other clusters. Permissions granted bysuper.user
apply only to the broker where thesuper.user
attribute is specified, and not to other brokers, clusters, or Confluent Platform components. No authorization is enforced on users defined assuper.user
. It is strongly recommended that this role is assigned only to a limited number of users (for example, 1-2 users who are responsible for bootstrapping).- SystemAdmin
Provides full access to all scoped resources in the cluster (ksqlDB cluster, Kafka cluster, or Schema Registry cluster).
It is strongly recommended that this role is assigned only to a limited number of users (one or two per cluster) who need full permission for initial setup or to address urgent issues when absolutely necessary in production instances. You may wish to assign this role more liberally in small test and development use cases, or when working in ksqlDB clusters that are primarily single tenant. Otherwise, it is recommended that you do not assign this role.
- ClusterAdmin
Sets up clusters (ksqlDB cluster, Kafka cluster, or Schema Registry cluster).
Responsible for setting up and managing Kafka clusters, brokers, networking, ksqlDB clusters, Connect clusters, and adding or removing nodes and performing upgrades. The
ClusterAdmin
typically creates topics and sets the properties of those topics, for example performance and capacity, but cannot read or write to topics, and has no access to data. For monitoring applications, it is recommended that this role is delegated to the operator who monitors your applications. Typically, theClusterAdmin
user does not possess knowledge about the content of the cluster data and he/she delegates the ownership responsibility of those resources to users assigned theResourceOwner
role. For example, after creating topics theClusterAdmin
can set ownership to a specific user familiar with the topic data.- UserAdmin
Manages role bindings for users and groups in all clusters managed by MDS.
Manages users and groups in a cluster, including the mapping of users and groups to roles. Has no access to any other resources. Typically, users with the
UserAdmin
role are tasked with setting up access to resources. Users granted this role should be extremely trustworthy because they can grant roles to themselves and others. You can monitor the actions of theUserAdmin
using audit logs.- SecurityAdmin
Enables management of platform-wide security initiatives.
Sets up security-related features (for example, encryption, tracking of audit logs, and watching for abnormal behavior). Provides a dedicated set of users for the initial setup and ongoing management of security functions.
- AuditAdmin
- Users or groups assigned this role on the MDS cluster and every registered Kafka cluster can manage the audit log configuration using the Confluent Metadata API.
- Operator
Provides operational management of clusters and scale applications as needed.
Monitors the health of applications and clusters, including monitoring uptime. This role cannot create applications, nor does it allow you to view or edit the content of the topics. However, you can view what topics and partitions exist.
- ResourceOwner
Transfers the ownership of critical resources and to scale the ability to manage authorizations for those resources.
Owns the resource and has full access to it, including read, write, and list. ResourceOwner can grant permission to others who need access to resources. Owner cannot change some of the configurations, for example the number of partitions. Must own the resource to grant others access to it. Enables scaling of authorization for critical resources.
- DeveloperRead, DeveloperWrite, DeveloperManage
- Allows developers to drive the implementation of applications they are working on and manage the content.
RBAC role use cases¶
These use cases are based on a new project where security is managed using RBAC predefined roles as follows:
Predefined Role | Plan |
---|---|
super.user | Sam is granted full access to all project resources and operations. He will create the initial set of roles for the project. |
ResourceOwner | Ryan will own all topics with the prefix
finance_ . He can grant others permission to
access and use this resource. In this use case,
he is the ResourceOwner for the finance topics. |
UserAdmin | Uri will manage the users and groups for the project. |
Operator | Olivia will be responsible for the operational and health management of the platform and applications. |
ClusterAdmin | Cindy is a member of the Kafka cluster central team. |
DeveloperRead, DeveloperWrite, DeveloperManage | David will be responsible for developing and managing the application. |
The use cases below guide you through the application of predefined roles to illustrate one possible way you can leverage and use RBAC predefined roles.
Use Case | Description | Roles |
---|---|---|
Project started by super.user | During the initial configuration, Sam is granted super.user access through the configuration file. Now Sam has access to all the resources within the Kafka cluster that is hosting MDS, and also can create role bindings to any resource managed by MDS. | super.user |
Invite (using corporate tools like JIRA) users to build Confluent Platform platform | Sam sets up role bindings for users and groups:
|
UserAdmin, SystemAdmin |
UserAdmin defines and assigns roles | Uri takes the following actions:
|
UserAdmin, ResourceOwner, ClusterAdmin, Operator |
ClusterAdmin creates topics and other resources | Cindy joins the project to manage a Kafka cluster. She:
|
ClusterAdmin |
Data governance is implemented |
|
ResourceOwner |
Developer creates applications | David needs to create a new application that produces
to a topic (
|
DeveloperWrite, DeveloperRead, DeveloperManage |
Monitor health of the cluster and take proper actions | Olivia is responsible for managing the health of the resources in the cluster and takes actions when necessary. For example, if a connector has performance issues then she can increase the number of instances or scale them up. | Operator |