Configure RBAC using the REST API in Confluent Platform

The curl commands below configure RBAC role bindings for each Confluent Platform component through the Metadata Service (MDS) REST API. Each section starts by authenticating to MDS as a super user; every later call carries the bearer token that step returns and uses the same client certificate (--cacert, --cert, --key) for mutual TLS.

Note

The guidance here assumes that you are using the default topic names, group names and cluster IDs. Replace every placeholder in angle brackets (<>) with the values from your installation.

Schema Registry

To configure RBAC for Schema Registry using the REST API:

  1. Get the MDS token. The response is a JSON document; its auth_token value is the bearer token used as <your-token> in the following steps:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<mds-hostname>:8090/security/1.0/authenticate
    
  2. Grant the SecurityAdmin role to the Schema Registry principal, scoped to the Kafka cluster and the Schema Registry cluster (the schema-registry-cluster value is the schema.registry.group.id, default schema-registry):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<schema-registry-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<cluster-id>","schema-registry-cluster":"<schema-registry-ID, default is schema-registry>"}}'
    
  3. Grant the Schema Registry principal the ResourceOwner role on the consumer group that Schema Registry nodes use to coordinate across the cluster (default schema-registry):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<schema-registry-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster": "<cluster-id>"}}, "resourcePatterns":[{"resourceType":"Group","name": "schema-registry","patternType":"LITERAL"}]}'
    

Connect

To configure Connect RBAC role bindings using the REST API:

  1. Get the MDS token (the auth_token value in the response is <your-token> below):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<mds-hostname>:8090/security/1.0/authenticate
    
  2. Grant the SecurityAdmin role to the Connect principal, scoped to the Kafka cluster and the Connect cluster (the connect-cluster value is the worker's group.id):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<kafka-cluster-id>","connect-cluster":"<connect-cluster-id>"}}'
    
  3. Grant the Connect principal the ResourceOwner role on the group that Connect workers use to coordinate across the cluster (the worker's group.id, default connect-cluster):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Group","name":"connect-cluster","patternType":"LITERAL"}]}'
    
  4. Grant the Connect principal the ResourceOwner role on the configuration storage topic (config.storage.topic, default connect-configs):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-configs","patternType":"LITERAL"}]}'
    
  5. Grant the Connect principal the ResourceOwner role on the offset storage topic (offset.storage.topic, default connect-offsets):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-offsets","patternType":"LITERAL"}]}'
    
  6. Grant the Connect principal the ResourceOwner role on the status storage topic (status.storage.topic, default connect-status):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-status","patternType":"LITERAL"}]}'
    

ksqlDB

To configure RBAC for ksqlDB using the REST API:

  1. Get the MDS token (the auth_token value in the response is <your-token> below):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<mds-hostname>:8090/security/1.0/authenticate
    
  2. Grant the SecurityAdmin role to the ksqlDB principal, scoped to the Kafka cluster and the ksqlDB cluster (the ksql-cluster value is the ksql.service.id, default default_):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<cluster-id>","ksql-cluster":"default_"}}'
    
  3. Grant the ksqlDB principal the ResourceOwner role on the ksqlDB cluster resource:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<cluster-id>","ksql-cluster":"default_"}},"resourcePatterns":[{"resourceType":"KsqlCluster","name":"ksql-cluster","patternType":"LITERAL"}]}'
    
  4. Grant the ksqlDB principal the ResourceOwner role on the Kafka resources it owns, in a single call with three resourcePatterns: the command topic, the processing log topic and, as a PREFIXED pattern, the consumer groups its queries create. All three names derive from ksql.service.id; with the default value default_ they are _confluent-ksql-default__command_topic, default_ksql_processing_log and the group prefix _confluent-ksql-default_:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"_confluent-ksql-default__command_topic","patternType":"LITERAL"},{"resourceType":"Topic","name":"default_ksql_processing_log","patternType":"LITERAL"},{"resourceType":"Group","name":"_confluent-ksql-default_","patternType":"PREFIXED"}]}'
    

Confluent Control Center

To configure RBAC for Control Center using the REST API:

  1. Get the MDS token (the auth_token value in the response is <your-token> below):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<mds-hostname>:8090/security/1.0/authenticate
    
  2. Grant the SystemAdmin role to the Control Center principal on the Kafka cluster. SystemAdmin is the broadest role MDS offers, so protect this principal's credentials as you would the MDS super user's:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<control-center-principal>/roles/SystemAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters": {"kafka-cluster": "<your-kafka-cluster-id>"}}'
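The four sections above repeat the same three moves: fetch a token, grant a cluster-scoped role, then grant ResourceOwner on resource patterns. The script below, an added example rather than Confluent's own code, packages those moves as shell functions and runs the Connect procedure end to end; the Schema Registry, ksqlDB and Control Center steps are the same helpers with their own cluster keys (schema-registry-cluster, ksql-cluster) and patterns. The MDS hostname, certificate paths, MDS_* environment variables, the jq binary, the dry-run switch and the lookup endpoint used for verification are my assumptions and do not appear on the page.

```shell
#!/bin/sh
# Added example, not Confluent's own code: the Connect procedure above as one
# script, with the token fetched once and every grant issued through two helpers.
# Assumed (not on the page): the MDS_* environment variables, the jq binary for
# reading the token reply, and MDS_DRY_RUN (default 1), which prints each
# request instead of sending it.
set -eu

MDS_URL="${MDS_URL:-https://mds.example.internal:8090}"   # assumed hostname
MDS_CA="${MDS_CA:-/etc/confluent/ca.pem}"                  # assumed cert paths
MDS_CERT="${MDS_CERT:-/etc/confluent/client.pem}"
MDS_KEY="${MDS_KEY:-/etc/confluent/client.key}"
MDS_DRY_RUN="${MDS_DRY_RUN:-1}"

# curl wrapper: mutual TLS to MDS. --fail makes a rejected request (HTTP 4xx/5xx)
# abort under set -e instead of silently moving on to the next grant.
mds_curl() {
  if [ "$MDS_DRY_RUN" = "1" ]; then
    printf 'curl %s\n' "$*"
    return 0
  fi
  curl --silent --show-error --fail \
    --cacert "$MDS_CA" --cert "$MDS_CERT" --key "$MDS_KEY" "$@"
}

# Step 1 of every section: authenticate as the MDS super user; keep only auth_token.
mds_token() {
  if [ "$MDS_DRY_RUN" = "1" ]; then
    echo "dry-run-token"
    return 0
  fi
  mds_curl -u "${MDS_USER}:${MDS_PASS}" "${MDS_URL}/security/1.0/authenticate" \
    | jq -r .auth_token
}

# rp TYPE NAME [LITERAL|PREFIXED]: one resourcePatterns entry, LITERAL by default.
rp() {
  printf '{"resourceType":"%s","name":"%s","patternType":"%s"}' "$1" "$2" "${3:-LITERAL}"
}

# grant_role TOKEN PRINCIPAL ROLE CLUSTERS_JSON
# Cluster-scoped role (SecurityAdmin, SystemAdmin): POST .../roles/<role> with a clusters map.
grant_role() {
  mds_curl -X POST "${MDS_URL}/security/1.0/principals/$2/roles/$3" \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    -d "{\"clusters\":$4}"
}

# grant_binding TOKEN PRINCIPAL ROLE CLUSTERS_JSON PATTERN_JSON...
# Resource-scoped role (ResourceOwner): POST .../roles/<role>/bindings. One request may
# carry several patterns, so the page's four Connect bindings collapse into one call.
grant_binding() {
  gb_token=$1; gb_principal=$2; gb_role=$3; gb_clusters=$4; shift 4
  gb_patterns=$(IFS=,; printf '%s' "$*")
  mds_curl -X POST "${MDS_URL}/security/1.0/principals/${gb_principal}/roles/${gb_role}/bindings" \
    -H "Authorization: Bearer $gb_token" -H "Content-Type: application/json" \
    -d "{\"scope\":{\"clusters\":${gb_clusters}},\"resourcePatterns\":[${gb_patterns}]}"
}

# Steps 2-6 of the Connect section with the page's default group and topic names.
# connect_bindings TOKEN PRINCIPAL KAFKA_CLUSTER_ID CONNECT_CLUSTER_ID
connect_bindings() {
  grant_role "$1" "$2" SecurityAdmin \
    "{\"kafka-cluster\":\"$3\",\"connect-cluster\":\"$4\"}"
  grant_binding "$1" "$2" ResourceOwner "{\"kafka-cluster\":\"$3\"}" \
    "$(rp Group connect-cluster)" \
    "$(rp Topic connect-configs)" \
    "$(rp Topic connect-offsets)" \
    "$(rp Topic connect-status)"
}

# Verification: list the patterns MDS now holds for the principal under one role.
# The lookup path is from my recollection of the MDS API, not from the page.
# list_bindings TOKEN PRINCIPAL ROLE CLUSTERS_JSON
list_bindings() {
  mds_curl -X POST "${MDS_URL}/security/1.0/lookup/principals/$2/roles/$3/resources" \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    -d "{\"clusters\":$4}"
}

main() {
  token=$(mds_token)
  connect_bindings "$token" "User:connect" "<kafka-cluster-id>" "connect-cluster"
  list_bindings "$token" "User:connect" ResourceOwner '{"kafka-cluster":"<kafka-cluster-id>"}'
}
main
```

Run it with MDS_DRY_RUN=0 and the MDS_* variables set to send the requests; --fail stops at the first rejected grant, so a principal is never left half-configured without the script reporting it. Keep the ResourceOwner patterns LITERAL on the internal topic names as the page does: a PREFIXED pattern on connect- would also hand the worker ownership of any user topic whose name starts with that prefix.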