Configure RBAC using the REST API in Confluent Platform
Use the sample curl statements below to configure RBAC for different components using the REST API.
Note
The guidance here is based on the assumption that you are using default topics and cluster IDs. Replace all variable entries (in <>) with values from your installation.
Schema Registry
To configure RBAC for Schema Registry using the REST API:
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<localhost>:8090/security/1.0/authenticate
Grant the Security Admin role to the Schema Registry user, scoped to the Kafka cluster and the Schema Registry cluster:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<schema-registry-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<cluster-id>","schema-registry-cluster":"<schema-registry-ID, default is schema-registry>"}}'
Grant the Schema Registry user the Resource Owner role on the group that Schema Registry nodes use to coordinate across the cluster:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<schema-registry-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster": "<cluster-id>"}}, "resourcePatterns":[{"resourceType":"Group","name": "schema-registry","patternType":"LITERAL"}]}'
Connect
To configure Connect RBAC role bindings using the REST API:
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<localhost>:8090/security/1.0/authenticate
Grant the Security Admin role to the Connect user, scoped to the Kafka cluster and the Connect cluster:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<your-connect-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<kafka-cluster-id>","connect-cluster":"<connect-cluster-id>"}}'
Grant the Connect user the ResourceOwner role on the group that Connect nodes use to coordinate across the cluster:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Group","name":"connect-cluster","patternType":"LITERAL"}]}'
Grant the Connect user the Resource Owner role on the configuration storage topic:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-configs","patternType":"LITERAL"}]}'
Grant the Connect user the Resource Owner role on the offset storage topic:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-offsets","patternType":"LITERAL"}]}'
Grant the Connect user the Resource Owner role on the status storage topic:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-status","patternType":"LITERAL"}]}'
ksqlDB
To configure RBAC for ksqlDB using the REST API:
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<localhost>:8090/security/1.0/authenticate
Grant the Security Admin role to the ksqlDB user, scoped to the Kafka cluster and the ksqlDB cluster:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<cluster-id>","ksql-cluster":"default_"}}'
Grant the Resource Owner role to the ksqlDB user on the ksqlDB cluster:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/ResourceOwner/bindings -d '{ "scope": {"clusters": {"kafka-cluster":"<cluster-id>","ksql-cluster":"default_"}},"resourcePatterns":[{"resourceType": "KsqlCluster","name": "ksql-cluster"}]}' -H "Content-Type: application/json" -H "Authorization: Bearer <your-token>"
Grant the Resource Owner role to the ksqlDB user on three resources in one request: the command topic, the processing log topic, and the consumer group prefix that ksqlDB uses:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/ResourceOwner/bindings -d '{ "scope": {"clusters": {"kafka-cluster":"<cluster-id>"}}, "resourcePatterns": [{"resourceType": "Topic", "name": "confluent-ksql-defaultcommand_topic","patternType":"LITERAL"},{"resourceType":"Topic","name":"default-ksql_processing_log","patternType":"LITERAL"},{"resourceType":"Group","name":"confluent-ksql-default","patternType":"PREFIXED"}]}' -H "Content-Type: application/json" -H "Authorization: Bearer <your-token>"
Confluent Control Center
To configure RBAC for Control Center using the REST API:
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<localhost>:8090/security/1.0/authenticate
Grant the System Admin role to the Control Center user:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<control-center-principal>/roles/SystemAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters": {"kafka-cluster": "<your-kafka-cluster-id>"}}'
Confluent Platform for Apache Flink
RBAC for Flink can be configured using the Confluent CLI, which is the most common and recommended approach. However, you can use the MDS REST API if you need automation or integration with custom tooling.
With Flink, Confluent Manager for Apache Flink® (CMF) enforces authorization by calling MDS. RBAC role bindings are stored centrally in MDS.
Get the MDS token:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s https://<localhost>:8090/security/1.0/authenticate
Grant roles. For example, to grant the SecurityAdmin role to a Flink user, you would run:
curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST https://<mds-hostname>:8090/security/1.0/principals/User:<flink-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{ "clusters": { "kafka-cluster": "<cluster-id>", "flink-cluster": "default_" }}'
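Every section above repeats one sequence: authenticate to MDS once, then POST either a cluster-scoped role (.../roles/<Role>) or a resource-scoped binding (.../roles/<Role>/bindings) per grant. The script below is an added example, not part of the Confluent documentation or product. It wraps that sequence in POSIX sh helpers and runs the Connect grants as the worked instance; the same helpers serve the Schema Registry, ksqlDB, Control Center and Flink sections by changing the principal, the cluster key (schema-registry-cluster, ksql-cluster, flink-cluster) and the resources. It assumes the endpoints shown on this page, that the authenticate response is a JSON object with an "auth_token" string field, and that connection parameters arrive as environment variables (MDS_URL, MDS_USER, MDS_PASSWORD, MDS_CACERT, MDS_KEY, MDS_CERT, KAFKA_CLUSTER_ID, CONNECT_CLUSTER_ID, CONNECT_PRINCIPAL; names chosen here). Unlike the one-liners above, it keeps the super-user password and the bearer token off the curl command line.

```shell
#!/bin/sh
# Added example (not Confluent's code): authenticate to MDS once, then apply role
# bindings. Assumptions: MDS endpoints as shown on the page; authenticate returns
# a JSON object with an "auth_token" string field; parameters come from env vars.
set -eu

# Identifiers are interpolated into JSON verbatim; refuse anything that would need escaping.
check_id() {
  case $1 in
    *\"*|*\\*) echo "unsupported character in identifier: $1" >&2; return 1 ;;
  esac
}

# Body for a cluster-scoped role grant (POST .../roles/<Role>): the Kafka cluster plus one
# component cluster. Args: kafka-cluster-id cluster-key cluster-id
cluster_payload() {
  check_id "$1" && check_id "$2" && check_id "$3" || return 1
  printf '{"clusters":{"kafka-cluster":"%s","%s":"%s"}}' "$1" "$2" "$3"
}

# Body for a resource-scoped binding (POST .../roles/<Role>/bindings) on one resource in the
# Kafka cluster. Args: kafka-cluster-id resourceType name patternType
binding_payload() {
  check_id "$1" && check_id "$2" && check_id "$3" && check_id "$4" || return 1
  printf '{"scope":{"clusters":{"kafka-cluster":"%s"}},"resourcePatterns":[{"resourceType":"%s","name":"%s","patternType":"%s"}]}' \
    "$1" "$2" "$3" "$4"
}

# Pull auth_token out of the authenticate response without jq (assumption: flat JSON object
# with a string "auth_token" field). Prints nothing if the field is absent.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"auth_token" *: *"\([^"]*\)".*/\1/p'
}

# curl wrapper. The secret-bearing option (basic-auth user or bearer header) is passed as a
# curl config file on stdin (-K -), so neither the password nor the token shows up in the
# process list or shell history. Non-secret options stay on the command line.
# Args: url secret-config-line [extra curl args...]
mds_curl() {
  _url=$1; _secret=$2; shift 2
  printf '%s\n' "$_secret" | curl -sS --fail -K - \
    --cacert "$MDS_CACERT" --key "$MDS_KEY" --cert "$MDS_CERT" "$@" "$_url"
}

# GET /security/1.0/authenticate as the MDS super user; prints the bearer token.
mds_authenticate() {
  _resp=$(mds_curl "$MDS_URL/security/1.0/authenticate" "user = \"$MDS_USER:$MDS_PASSWORD\"")
  _tok=$(extract_token "$_resp")
  [ -n "$_tok" ] || { echo "no auth_token in MDS response" >&2; return 1; }
  printf '%s' "$_tok"
}

# POST one grant. Args: token url json-body
grant() {
  mds_curl "$2" "header = \"Authorization: Bearer $1\"" -X POST \
    -H "accept: application/json" -H "Content-Type: application/json" -d "$3"
}

# The Connect section end to end: one token, then the five grants.
apply_connect_bindings() {
  _token=$(mds_authenticate)
  _roles="$MDS_URL/security/1.0/principals/User:$CONNECT_PRINCIPAL/roles"
  grant "$_token" "$_roles/SecurityAdmin" \
    "$(cluster_payload "$KAFKA_CLUSTER_ID" connect-cluster "$CONNECT_CLUSTER_ID")"
  grant "$_token" "$_roles/ResourceOwner/bindings" \
    "$(binding_payload "$KAFKA_CLUSTER_ID" Group connect-cluster LITERAL)"
  for _topic in connect-configs connect-offsets connect-status; do
    grant "$_token" "$_roles/ResourceOwner/bindings" \
      "$(binding_payload "$KAFKA_CLUSTER_ID" Topic "$_topic" LITERAL)"
  done
}

# Runs only when the environment is configured; otherwise the file can be sourced for the helpers.
if [ -n "${MDS_URL:-}" ]; then
  apply_connect_bindings
fi
```

Because curl is invoked with --fail, a grant that MDS rejects (expired token, unknown cluster ID, a principal without permission) stops the script at that step instead of silently continuing, and the payload builders refuse identifiers containing quotes or backslashes rather than producing malformed JSON.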