Access Control for Confluent Manager for Apache Flink
Confluent Manager for Apache Flink® (CMF) models its access control around two central resources, and different types of users are granted different levels of access to each.
- FlinkApplication: Defines a Flink application, which starts a Flink cluster in Application mode. Depending on their assigned role, developers can create, update, and view Flink applications within the Flink environment they have been granted access to.
- FlinkEnvironment: Defines where and how applications are deployed, such as the Kubernetes namespace and central configuration that applications cannot override. Use separate Flink environments to isolate the privileges of different teams or organizations. System administrators are responsible for creating Flink environments and provisioning them correctly.
Understand user roles for Flink resources
You grant a user access to CMF resources by binding one of the following roles to the user's principal. Cluster-level roles apply to the whole CMF cluster; resource-level roles apply only to the FlinkApplication they are bound to.
The following table shows each role and the operations it allows on CMF resources.
Role Name: Role Scope | Create new FlinkEnvironment | Update FlinkEnvironment | Create/Update FlinkApplication in FlinkEnvironment | View FlinkApplication and access the Flink Web UI in FlinkEnvironment | Add new role-bindings |
---|---|---|---|---|---|
super.user: Cluster-level | Yes | Yes | Yes | Yes | Yes |
SystemAdmin: Cluster-level | Yes | Yes | Yes | Yes | Yes |
ClusterAdmin: Cluster-level | Yes | Yes | Yes | Yes | No |
UserAdmin: Cluster-level | No | No | No | No | Yes |
ResourceOwner: Resource-level | No | No | Yes | Yes | Yes |
DeveloperRead: Resource-level | No | No | No | Yes | No |
DeveloperManage: Resource-level | No | No | Yes | Yes | No |
The following roles do not grant any access to CMF resources, even when bound to a principal:
- SecurityAdmin
- AuditAdmin
- Operator
- DeveloperWrite
Cluster identifiers
To create role bindings, you need the cluster identifiers for the components in your CMF deployment. For CMF, you use the following cluster identifiers:
cmf
: Always set to the CMF-id, which is the identifier for the CMF cluster. Currently, changing this ID is not supported.
flinkEnvironment
: Your environment name.
Important
Currently, only a single instance of CMF is supported per MDS installation.
The following example command shows how to create a role binding with the identifiers for your cluster. It grants DeveloperRead, a resource-level role, on a single FlinkApplication within a Flink environment, so the principal can view that application and its Flink Web UI but cannot create or update applications. Each line ends with a backslash so the command can be entered across multiple lines.
Example:
confluent iam rbac role-binding create \
  --principal User:<user> \
  --role DeveloperRead \
  --cmf CMF-id \
  --flinkEnvironment <flink-environment-name> \
  --resource FlinkApplication:<flink-application-name>
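The following script is an added example and is not part of the Confluent documentation or of CMF itself. It composes role-binding commands for a least-privilege layout (a platform administrator at cluster level, a deploy principal with DeveloperManage on one application, and an on-call principal with DeveloperRead on the same application) and checks each binding against the scope column of the role table before emitting it: a cluster-level role is refused if an environment or application is supplied, and a resource-level role is refused if either is missing. The principal, environment and application names are constructed placeholders, and the flag names follow the example command above. The script only prints the commands; review them and pipe the output to `sh` to apply.

```shell
#!/usr/bin/env bash
# Added example, not Confluent's code: build CMF role bindings and validate
# each role's scope against the role table before emitting the command.
set -u

CMF_ID="CMF-id"   # the fixed CMF cluster identifier described above

# Scope at which a role may be bound, taken from the role table.
role_scope() {
  case "$1" in
    super.user|SystemAdmin|ClusterAdmin|UserAdmin) echo cluster ;;
    ResourceOwner|DeveloperRead|DeveloperManage)  echo resource ;;
    *) return 1 ;;
  esac
}

# cmf_binding ROLE PRINCIPAL [FLINK_ENV] [FLINK_APP]
# Prints the `confluent iam rbac role-binding create` command for the
# binding, or returns non-zero if the scope does not fit the role.
cmf_binding() {
  local role=$1 principal=$2 env=${3:-} app=${4:-} scope cmd
  scope=$(role_scope "$role") || { echo "unknown role: $role" >&2; return 1; }
  cmd="confluent iam rbac role-binding create --principal $principal --role $role --cmf $CMF_ID"
  case "$scope" in
    cluster)
      # Cluster-level roles are bound on the CMF cluster only. Passing an
      # environment or application here is a mistake, so refuse rather than
      # silently producing a broader binding than intended.
      if [ -n "$env" ] || [ -n "$app" ]; then
        echo "$role is cluster-level; do not pass an environment or application" >&2
        return 1
      fi ;;
    resource)
      # Resource-level roles are bound to one FlinkApplication inside one
      # Flink environment; both identifiers are required.
      if [ -z "$env" ] || [ -z "$app" ]; then
        echo "$role is resource-level; environment and application are required" >&2
        return 1
      fi
      cmd="$cmd --flinkEnvironment $env --resource FlinkApplication:$app" ;;
  esac
  echo "$cmd"
}

# Constructed team layout (placeholder names, not from the page):
#  - platform-admin manages environments but cannot add role bindings
#  - payments-ci deploys and updates one application in its environment
#  - payments-oncall can only view that application and its Flink Web UI
main() {
  cmf_binding ClusterAdmin    User:platform-admin
  cmf_binding DeveloperManage User:payments-ci     payments-env fraud-detection
  cmf_binding DeveloperRead   User:payments-oncall payments-env fraud-detection
}

main
```

Because the script refuses mismatched scopes instead of dropping the offending flags, a typo in the role name or a copy-pasted application resource on a cluster-level role fails loudly rather than granting more than intended.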