This guide shows the minimum level of permissions required by Conduktor Console.
The minimum set of permissions at the Kafka level is:
Permission | Operation | ResourceType | ResourceName | PatternType | Description |
ALLOW | DESCRIBE | TOPIC | * | LITERAL | List topics, fetch metadata |
ALLOW | DESCRIBE_CONFIGS | TOPIC | * | LITERAL | See topic configuration |
ALLOW | READ | TOPIC | * | LITERAL | Read data |
ALLOW | DESCRIBE | CONSUMER GROUP | * | LITERAL | List consumer groups and fetch their metadata |
ALLOW | READ | CONSUMER GROUP | * | LITERAL | Be able to fetch offset definition (used to compute lag) |
ALLOW | DESCRIBE | CLUSTER | kafka-cluster | LITERAL | Describe Kafka ACLs, fetch the amount of data stored on disk |
ALLOW | DESCRIBE_CONFIGS | CLUSTER | kafka-cluster | LITERAL | Describe cluster/broker configuration |
To take advantage of all the capabilities of the product (highly recommended), add the following permissions:
Permission | Operation | ResourceType | ResourceName | PatternType | Description |
ALLOW | WRITE | TOPIC | * | LITERAL | Produce messages via Console / Testing |
ALLOW | IDEMPOTENT_WRITE | CLUSTER | kafka-cluster | LITERAL | Used to produce messages with enable.idempotence=true. Adding this ACL entry is only necessary for AK versions 3.0.x and below. |
ALLOW | CREATE | TOPIC | * | LITERAL | Create topics via Console |
ALLOW | ALTER | TOPIC | * | LITERAL | Increase the number of partitions via Console |
ALLOW | ALTER_CONFIGS | TOPIC | * | LITERAL | Change topic configuration via Console |
ALLOW | DELETE | TOPIC | * | LITERAL | Delete topic via Console |
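As an added example (not Conduktor's own code), the following Python audits a `kafka-acls --list` style dump for the Console principal against the two tables above, reporting missing minimum ACLs, optional ACLs that are granted, and anything beyond both. The principal `User:conduktor`, the constructed sample listing and the function names are assumptions; matching is exact, so a broader grant such as ALL is reported as excess rather than expanded.

```python
import re

# ACLs from the two tables above as (operation, resource type, resource name).
# Kafka reports the page's "CONSUMER GROUP" resource type as GROUP.
MINIMUM = {
    ("DESCRIBE", "TOPIC", "*"), ("DESCRIBE_CONFIGS", "TOPIC", "*"), ("READ", "TOPIC", "*"),
    ("DESCRIBE", "GROUP", "*"), ("READ", "GROUP", "*"),
    ("DESCRIBE", "CLUSTER", "kafka-cluster"), ("DESCRIBE_CONFIGS", "CLUSTER", "kafka-cluster"),
}
OPTIONAL = {
    ("WRITE", "TOPIC", "*"), ("IDEMPOTENT_WRITE", "CLUSTER", "kafka-cluster"),
    ("CREATE", "TOPIC", "*"), ("ALTER", "TOPIC", "*"),
    ("ALTER_CONFIGS", "TOPIC", "*"), ("DELETE", "TOPIC", "*"),
}
RESOURCE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=(\w+)")
ENTRY = re.compile(r"principal=([^,]+), host=[^,]+, operation=(\w+), permissionType=(\w+)")

def parse_acls(listing, principal):
    """Return the ALLOW/LITERAL ACLs that `principal` holds in an ACL listing."""
    granted, resource = set(), None
    for line in listing.splitlines():
        if (m := RESOURCE.search(line)):
            resource = m.groups()              # header line: applies to the entries below it
        elif (m := ENTRY.search(line)) and resource:
            who, op, perm = m.groups()
            rtype, name, pattern = resource
            if who == principal and perm == "ALLOW" and pattern == "LITERAL":
                granted.add((op, rtype, name))
    return granted

def audit(listing, principal):
    granted = parse_acls(listing, principal)
    return {
        "missing_minimum": sorted(MINIMUM - granted),    # Console features will fail
        "optional_granted": sorted(OPTIONAL & granted),  # write/admin features enabled
        "excess": sorted(granted - MINIMUM - OPTIONAL),  # not documented as needed: review
    }

# Constructed sample in the layout printed by `kafka-acls --list` (assumed format).
SAMPLE = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
  (principal=User:conduktor, host=*, operation=DESCRIBE, permissionType=ALLOW)
  (principal=User:conduktor, host=*, operation=READ, permissionType=ALLOW)
  (principal=User:conduktor, host=*, operation=WRITE, permissionType=ALLOW)
  (principal=User:other, host=*, operation=DELETE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
  (principal=User:conduktor, host=*, operation=DESCRIBE, permissionType=ALLOW)
  (principal=User:conduktor, host=*, operation=ALTER, permissionType=ALLOW)
"""
```

Calling `audit(SAMPLE, "User:conduktor")` flags the cluster-level ALTER grant as excess and lists the four minimum ACLs the sample principal lacks.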
Confluent specifics
NOTE: The way Confluent determines the size of the messages is not available through the Kafka API, so this piece of information is not available on the "Topics Monitoring" tab in Conduktor Monitoring.
Self-managed Confluent RBAC
If you are on self-managed Confluent, RBAC can support role bindings and ACLs if configured appropriately; see the Confluent docs. The specific configuration is confluent.authorizer.access.rule.providers, and it needs to have the correct value; for ACLs it would be ZK_ACL.
Confluent Cloud RBAC
If you are using Confluent Cloud, you shouldn't need role assignments; you can use RBAC role bindings together with ACLs. See the docs from Confluent here.