Manage RBAC roles with Control Center on Confluent Platform

Manage RBAC role assignments (role bindings) for users and groups to a cluster scope and resource scopes in the Control Center UI. You can add and delete role assignments. Role assignments cannot be edited; you must delete an assignment and add it again for any necessary changes. Role assignments in Confluent Platform RBAC operate on an allow model only. Deny role assignments are not supported. Only predefined (built-in) roles are supported; custom roles are not supported.

Prerequisites

  • RBAC is enabled for Control Center and all Confluent Platform components in your environment. Refer to the Prerequisites in the Control Center RBAC configuration documentation.
  • You are assigned an appropriate role to manage RBAC role assignments in Control Center.

Role permissions required for managing roles

If you have the appropriate role permissions, you can administer RBAC role assignments in the Control Center UI rather than using the Confluent CLI. The following predefined RBAC roles can manage roles or view roles for other users in Confluent Platform:

  • SystemAdmin
  • UserAdmin
  • ResourceOwner (for their respective resources only)
  • SecurityAdmin (can view but not manage the Cluster and Resource roles. Add and remove buttons are not visible.)

Important

If a principal is a Kafka super.user but does not have a role assignment, they cannot view or assign roles using the Control Center UI. The super.user can still use the CLI to assign roles. For more information on super.user access and use, see Troubleshoot role assignments.

For complete descriptions of each role, review the Roles page in the UI and the RBAC predefined-roles documentation.

When RBAC is enabled for Control Center, and you have the proper role permissions, the View my role assignments and the Manage role assignments options appear on the Control Center Administration menu:

Control Center Administration menu role assignments

Control Center Administration menu role assignments options

If you do not have a role that allows managing RBAC role assignments, the Manage role assignments option does not appear in the Administration menu.

Roles page

To access the Roles page, click the Manage role assignments option from the Control Center Administration menu.

Use this page to view the available RBAC roles and their descriptions.

Note

There are no actions to take on this page; it is for informational purposes only.

Confluent Platform RBAC roles and descriptions

Confluent Platform RBAC roles and descriptions

Tip

Click the RBAC role descriptions link to access the RBAC predefined-roles documentation.

Manage Role Assignments page

To access the Assignments page:

  1. From the Control Center Administration menu, click the Manage role assignments option.
  2. Click the Assignments tab.

Use this page to:

  • View the clusters for which you can manage permissions.

  • Search for clusters by name and ID.

  • View existing cluster-level assignments.

  • Filter the cluster view by cluster type: Connect, Kafka, ksqlDB, Schema Registry.

    Note

    If there is only one type of cluster for which you are authorized to manage role assignments, the Cluster type (All clusters) list does not appear. Only the cluster types that you have role permissions to manage appear in the list.

  • Drill into a cluster to access the Cluster roles and Resource roles pages where you can add and delete role assignments for Groups and Users.

    Confluent Platform Cluster Role Assignments page

    Confluent Platform Cluster Role Assignments page

Add a role assignment

Add a role assignment (role binding) using the Control Center UI. You must have an appropriate role to add a role assignment.

To use the CLI to add a role assignment, see confluent iam rbac role-binding create.

You can add up to a limit of 1,000 role bindings. For more information, see RBAC limitations.

Add role assignment form

Complete this form to add a role assignment to a cluster or its resources. All fields are required. Some additional fields appear for the resource scope. In addition to assigning roles for a cluster, you can add a role assignment to the following cluster resources, depending on the cluster type:

  • Apache Kafka® cluster resources:

  • Schema Registry cluster resources:

    • Subjects
  • Connect cluster resources:

    • Connectors

The following figure shows the Add role assignment form for a Connect cluster:

Confluent Platform Add role assignment Connect cluster

Confluent Platform Add role assignment to Connect cluster

Fields

Principal type
LDAP/AD Group or User.
Principal name

Principal name or ID. You can select an existing principal or create a new principal.

Important

The list of principals is pre-populated with those available from your LDAP/AD environment. If you create a principal rather than select an existing principal, ensure you create a corresponding principal in your LDAP/AD environment.

Role
List of available roles depending on the scope context (cluster or cluster resource).
Define a scope

Cluster ID or Resource ID. View only.

Pattern type
Literal or Prefixed. For Prefixed, you do not need to enter an asterisk as it is prepended for you.
For a Literal pattern, only a full wildcard is allowed. For example, if you are searching for topics with a certain prefix followed by a wildcard, you must use Prefixed and not Literal.
Select or enter resource ID

Applicable to Resource scopes only (Consumer Group, Topics, Transactional ID, Subject, and Connector).

Important

If a user already has permissions granted to certain prefixes or literal patterns, the list is pre-populated with options for you to select. If you create a resource ID rather than select an existing one from the list, ensure you create a corresponding resource in Confluent Platform.

Add a role assignment (cluster scope)

Follow these steps to add a role assignment (role binding) at the cluster scope level.

  1. Log in to Control Center.

  2. From the Control Center Administration menu, click Manage role assignments.

  3. Click the Assignments tab. The Assignments page appears.

  4. In the Cluster ID column, click the underlined link for the cluster name that you want to add role assignments to. Any tabs appropriate for the cluster type appear, open to the Cluster tab by default.

  5. Click + Add role assignment. The Add role assignment form appears.

  6. Specify a Principal type of either Group or User.

  7. Specify a Principal name or ID.

    Tip

    Type some characters to search for a principal.

  8. Select a role from the Role list.

  9. Click Save. The top banner displays the Successfully created role assignment message.

Add a role assignment (resource scope)

Follow these steps to add a role assignment (role binding) at the resource scope level.

  1. Log in to Control Center.

  2. From the Control Center Administration menu, click Manage role assignments.

  3. Click the Assignments tab.

  4. In the Cluster ID column, click the underlined link for the cluster name that you want to add role assignments to. Any tabs appropriate for the cluster type appear, open to the Cluster tab by default.

  5. Navigate to the appropriate cluster resource tab:

    • Consumer Group, Topic, or Transactional ID (Kafka clusters)
    • Subject (Schema Registry clusters)
    • Connector (Connect clusters)
  6. Click + Add role assignment. The Add role assignment form appears.

  7. Specify a Principal type of either Group or User.

  8. Specify a Principal name or ID.

    Tip

    Type some characters to search for a principal.

  9. Select a role from the Role list.

  10. Complete the fields in the Define a scope pane:

    • Select the Pattern type of either Prefixed or Literal. For Prefixed, you do not need to enter an asterisk as it is prepended for you. For a Literal pattern, only a full wildcard is allowed. For example, if you are searching for topics with a certain prefix followed by a wildcard, you must use Prefixed and not Literal.

    • Type the Resource ID of the resource you are assigning a role to.

      Tip

      If you are assigning a role to a topic that does not exist yet, you can create a topic on the fly by clicking the Create new topic link.

  11. Click Save. The top banner displays the Successfully created role assignment message.

Delete a role assignment

Delete a role assignment (role binding) using the Control Center UI. You can delete only one role assignment at a time. You must have an appropriate role to delete a role assignment. Deleting a role assignment removes access to a cluster or its resources for a user or group.

To use the CLI to delete a role assignment, see confluent iam rbac role-binding list.

Delete a role assignment (cluster or resource)

Follow these steps to delete a role assignment (role binding) at the cluster or resource scope level.

  1. Log in to Control Center.

  2. From the Control Center Administration menu, click Manage role assignments.

  3. Click the Assignments tab. The Assignments page appears.

  4. In the Cluster ID column, click the underlined cluster link for the cluster name that you want to remove access from.

  5. If applicable, navigate to the appropriate resource scope page for a cluster, such as:

    • Consumer Group, Topic, or Transactional ID for a Kafka cluster.
    • Subject for a Schema Registry cluster.
    • Connector for a Connect cluster.
  6. Depending on which scope:

    • (Cluster) Select the role assignment to delete in the Principal name column.

      Cluster scope delete role assignment

      Cluster scope delete role assignment

    • (Resource) Select the role assignment to delete in the Resource ID column.

      Resource scope delete role assignment

      Resource scope delete role assignment

  7. Click the trash icon. You are prompted to confirm deleting the role assignment.

  8. Type or copy and paste the Cluster or Resource ID into the text box and click Delete. The top banner displays Successfully deleted role assignment.

    ../../_images/c3-rbac-delete-role-assign-success.png

Troubleshoot role assignments

Issue: User can add a role assignment successfully in Control Center but cannot view the newly added role assignment.

Reason and remedy: The user most likely is a broker super.user who also has a ResourceOwner role. So that user has permissions to create a role assignment but does not have permissions to view or manage the roles. The broker super.user should be used to bootstrap the initial UserAdmin and SystemAdmin roles and users, and not used thereafter.