The Ultimate Engineering Toolkit for Apache Kafka®
Search…
kPow User Guide
About
Introduction
Our Team
Releases
Trials and Licenses
Support
Data Collection
Installation
Quick Start
System Requirements
Deployment Notes
Minimum ACL Permissions
Application Logs
OpenShift
AWS Marketplace
Troubleshooting
Configuration
Environment Variables
Kafka Cluster
Schema Registry
Kafka Connect
Multi-Cluster Management
Azure Event Hubs
Confluent Cloud
Redpanda
User Authentication
Overview
LdapLoginModule
PropertyFileLoginModule
JDBCLoginModule
OpenID/OAuth 2.0
SAML
User Authorization
Overview
Simple Access Control
Role Based Access Control
Multi-Tenancy
Administration
Features
Kafka Streams
Data Governance (Audit Log)
Data Policies
HTTPS Connections
Live Mode
Data Inspect
Data Produce
Prometheus Integration
Slack Integration
Kafka Management
Topics
Groups
Brokers
ACLs
Connect
Schema Registry
Powered By GitBook
Role Based Access Control
Secure kPow with RBAC
Role Based Access Control (RBAC) provides fine-grained control of user actions.
RBAC integrates with User Authentication, leveraging roles assigned to users in the credentials system of your choice. User roles are granted ALLOW, DENY, or STAGE to actions on specific resources.
RBAC configuration is defined in a YAML file and configured with an environment variable:
1
RBAC_CONFIGURATION_FILE=/path/to/rbac-config.yaml
Copied!

Authorized Roles

kPow will restrict UI access to users who have at least one role defined in the RBAC configuration.
You may override this behaviour by providing a specific list of authorized_roles in your config.
1
## Allow all users access to the UI ("*" is a role held by everyone)
2
authorized_roles:
3
- "*"
4
5
## Or, allow users with specific roles access to the UI
6
authorized_roles:
7
- "kafka-user"
8
- "kafka-admin"
9
- "ops-support"
Copied!

Admin Roles

You can optionally provide admin_roles, a list of roles considered to be admins in kPow.
You can learn more about administration in kPow here.
1
admin_roles:
2
- "kafka-admin"
Copied!

Policies

An RBAC policy contains:
  • Resource: The resource that this policy controls access to
  • Effect: Whether to deny, allow, or stage access to the Resource
  • Actions: A list of actions that this policy Effects
Then either:
  • Role: The user role that this policy applies to
  • Roles: The list of user roles that this policy applies to

Example Configuration

The following configuration applies controls to three roles and permits all authenticated users access.
Note: Where multiple policies apply to one resource, Deny effects take precedence.
1
authorized_roles:
2
- "*"
3
4
policies:
5
- resource: ["cluster", "N9xnGujkR32eYxHICeaHuQ"]
6
effect: "Allow"
7
actions: ["TOPIC_INSPECT", "TOPIC_PRODUCE", "TOPIC_EDIT"]
8
role: "kafka-admin"
9
- resource: ["cluster", "N9xnGujkR32eYxHICeaHuQ", "topic", "tx_audit"]
10
effect: "Deny"
11
actions: ["TOPIC_PRODUCE", "TOPIC_EDIT"]
12
role: "kafka-admin"
13
- resource: ["cluster", "*"]
14
effect: "Allow"
15
actions: ["GROUP_EDIT"]
16
roles: ["kafka-admin"]
17
- resource: ["cluster", "*"]
18
effect: "Stage"
19
actions: ["GROUP_EDIT"]
20
roles: ["kafka-user"]
Copied!
kafka-admin is allowed to inspect, produce, and edit all topics in a specific cluster, then explicitly denied produce and edit actions to one specific topic in that same cluster.
kafka-admin is then permitted group edit permissions on all clusters, kafka-user are permitted stage access to the group edit action - meaning the request will have to be confirmed by an admin user.
All remaining actions are implicitly denied actions to all users on all resources.

Resources

Resources are defined within a taxonomy that describes the hierarchy of objects in kPow.
1
[DOMAIN_TYPE, DOMAIN_ID, OBJECT_TYPE?, OBJECT_ID?]
Copied!
Where:
  • Domain Type: The top-level resource, either cluster, schema, or connect
  • Domain ID: Unique identifier of the domain or "*" for all/wildcard
  • Object Type: Either topic, group, connector, subject, or broker
  • Object ID: Unique identified of the object. Wildcard not supported
Specifying the object is optional. If not provided the resource includes all objects within a domain.

Example Resources

1
["cluster", "*"] - all clusters and all objects
2
["cluster", "*", "topic"] - all topics on all clusters
3
["cluster", "N9xnGujkR32eYxHICeaHuQ"] - all objects in a cluster
4
["cluster", "*", "topic", "tx-events"] - named topic in all clusters
5
["schema", "*"] - all schema registries and all objects
6
["schema", "*", "subject", "tx-events"] - named subject in all schema registries
7
["connect", "*"] - all connect clusters and all objects
8
["connect", "*", "connector", "csv-in"] - named connector in all connect clusters
Copied!

Resource IDs

kPow logs the IDs of all top-level domains at startup.
1
Connected to [2] Kafka clusters:
2
* g10tMLohRLKthriTt0749g (Local):
3
- kafka connect: http://kafka:8083 (g10tMLohRLKthriTt0749g)
4
- schema registry not configured
5
* lkc-lo019 (Confluent Cloud):
6
- kafka connect not configured
7
- schema registry: https://xxx.us-east-2.aws.confluent.cloud (a2f06a916672d71d675f) (Confluent Cloud)
Copied!
In the example above we have four domain resources:
  • Two Kafka Clusters (g10tMLohRLKthriTt0749g, lkc-lo0o9)
  • One Kafka Connect Cluster (g10tMLohRLKthriTt0749g)
  • One Schema Registry (a2f06a916672d71d675f)

Resource ID Definitions

  • Kafka Cluster: - the ID of the Kafka cluster as returned by a broker
  • Kafka Connect: the ID of the Kafka cluster associated with the Kafka Connect installation
  • Schema Registry: a SHA256 hash of the Schema Registry endpoint

Effects

Specify Allow, Deny or Stage to indicate whether the policy allows or denies access to a resource. View Staged mutations documentation to learn about the Stage effect.
Where no matching policy exists the effect is an implicit deny.

Actions

Roles

Define a user role to which you would like to allow or deny access.
Can be a wildcard (*) to specify the policy is for all roles.

Role Evaluation

User access to an action on a resource is determined by gathering all policies for roles assigned to a user and evaluating them with the following logic.

User Access Governance

All actions are retained in the kPow Audit Log. See: Data Governance.

Role Mapping

To use RBAC you must configure User Authentication and ensure users have assigned roles.

Integration Guides

Below are integration guides for common authentication providers:

SAML Integration (Generic)

Operatr can integrate with your SAML IdP as a service provider.
Roles are defined in a Roles attribute in the SAMLResponse from your IdP.
If you would like to use a field other than the Roles attribute, you can extend the YAML configuration as follows:
1
saml:
2
role_field: "Groups"
Copied!
Now, kPow will look to the Groups attribute for its basis of roles.
User Authorization - Previous
Simple Access Control
Next - User Authorization
Multi-Tenancy
Last modified 3mo ago
Copy link
Contents
Authorized Roles
Admin Roles
Policies
Example Configuration
Resources
Example Resources
Resource IDs
Effects
Actions
Roles
Role Evaluation
User Access Governance
Role Mapping
Integration Guides
SAML Integration (Generic)