Configure RBAC using the REST API in Confluent Platform

Use the sample curl statements below to configure RBAC for different components using the REST API.

Note

The guidance here is based on the assumption that you are using default topics and cluster IDs. Replace all variable entries (in <>) with values from your installation.

Schema Registry

To configure RBAC for Schema Registry using the REST API:

  1. Get the MDS token:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s http://<localhost>:8090/security/1.0/authenticate
    
  2. Grant the Security Admin role to a Schema Registry user:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<schema-registry-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<cluster-id>","schema-registry-cluster":"<schema-registry-ID, default is schema-registry>"}}'
    
  3. Grant the Schema Registry user the Resource Owner role on the group that Schema Registry nodes use to coordinate access across the cluster:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<schema-registry-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster": "<cluster-id>"}}, "resourcePatterns":[{"resourceType":"Group","name": "schema-registry","patternType":"LITERAL"}]}'
    

Connect

To configure Connect RBAC role bindings using the REST API:

  1. Get the MDS token:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s http://<localhost>:8090/security/1.0/authenticate
    
  2. Grant the Security Admin role to the Connect principal, scoped to the Kafka cluster and the Connect cluster:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<your-connect-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<kafka-cluster-id>","connect-cluster":"<connect-cluster-id>"}}'
    
  3. Grant the Connect user the ResourceOwner role on the group that Connect nodes use to coordinate across the cluster:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Group","name":"connect-cluster","patternType":"LITERAL"}]}'
    
  4. Grant the Resource Owner role on the configuration storage topic:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-configs","patternType":"LITERAL"}]}'
    
  5. Grant the Resource Owner role on the offset storage topic:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-offsets","patternType":"LITERAL"}]}'
    
  6. Grant the Resource Owner role on the status storage topic:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<connect-principal>/roles/ResourceOwner/bindings -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"scope":{"clusters":{"kafka-cluster":"<kafka-cluster-id>"}},"resourcePatterns":[{"resourceType":"Topic","name":"connect-status","patternType":"LITERAL"}]}'
    

ksqlDB

To configure RBAC for ksqlDB using the REST API:

  1. Get the MDS token:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s http://<localhost>:8090/security/1.0/authenticate
    
  2. Grant the Security Admin role to a ksqlDB user:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/SecurityAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters":{"kafka-cluster":"<cluster-id>","ksql-cluster":"default_"}}'
    
  3. Grant the Resource Owner role to the ksqlDB user on the ksqlDB cluster:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/ResourceOwner/bindings -d '{ "scope": {"clusters": {"kafka-cluster":"<cluster-id>","ksql-cluster":"default_"}},"resourcePatterns":[{"resourceType": "KsqlCluster","name": "ksql-cluster"}]}' -H "Content-Type: application/json" -H "Authorization: Bearer <your-token>"
    
  4. Grant the Resource Owner role to the ksqlDB user with three resourcePatterns (the command topic, the processing log topic, and the prefixed consumer group):

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<ksql-principal>/roles/ResourceOwner/bindings -d '{ "scope": {"clusters": {"kafka-cluster":"<cluster-id>"}}, "resourcePatterns": [{"resourceType": "Topic", "name": "_confluent-ksql-default__command_topic","patternType":"LITERAL"},{"resourceType":"Topic","name":"default_ksql_processing_log","patternType":"LITERAL"},{"resourceType":"Group","name":"_confluent-ksql-default","patternType":"PREFIXED"}]}' -H "Content-Type: application/json" -H "Authorization: Bearer <your-token>"
    

Confluent Control Center (Legacy)

To configure RBAC for Control Center (Legacy) using the REST API:

  1. Get the MDS token:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -u <mds-super-user>:<mds-super-user-password> -s http://<localhost>:8090/security/1.0/authenticate
    
  2. Grant the System Admin role to the Control Center (Legacy) user:

    curl --cacert <path-to-your-cacert> --key <path-to-your-private-key> --cert <path-to-your-cert> -X POST http://<mds-hostname>:8090/security/1.0/principals/User:<control-center-principal>/roles/SystemAdmin -H "accept: application/json" -H "Authorization: Bearer <your-token>" -H "Content-Type: application/json" -d '{"clusters": {"kafka-cluster": "<your-kafka-cluster-id>"}}'
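As an added example (not from the Confluent documentation), the Connect procedure above as one script; the same helpers cover the Schema Registry, ksqlDB and Control Center (Legacy) sections by changing the principal, role and resource patterns. Assumed: the environment variables MDS_URL, MDS_USER, MDS_PASSWORD, MDS_CACERT, MDS_KEY, MDS_CERT, KAFKA_CLUSTER_ID, CONNECT_CLUSTER_ID and CONNECT_PRINCIPAL are set, and the authenticate endpoint returns its token in an auth_token JSON field.

```shell
#!/bin/sh
# Added example, not from the Confluent docs: the Connect steps above as
# one script. Assumed environment: MDS_URL, MDS_USER, MDS_PASSWORD,
# MDS_CACERT, MDS_KEY, MDS_CERT, KAFKA_CLUSTER_ID, CONNECT_CLUSTER_ID,
# CONNECT_PRINCIPAL.
set -eu
# Shared TLS options; --fail turns a 4xx/5xx into a non-zero exit so a
# rejected binding stops the script instead of scrolling past unnoticed.
mds_curl() {
  curl -sS --fail --cacert "$MDS_CACERT" --key "$MDS_KEY" --cert "$MDS_CERT" "$@"
}

# Pull auth_token out of the /security/1.0/authenticate response body (assumed field name).
mds_token_from_response() {
  t=$(printf '%s' "$1" | sed -n 's/.*"auth_token" *: *"\([^"]*\)".*/\1/p')
  [ -n "$t" ] || return 1   # no token: credentials rejected or not an MDS reply
  printf '%s' "$t"
}

# JSON body for a ResourceOwner binding on one Kafka resource (steps 3-6).
binding_body() {   # $1 kafka cluster id, $2 resourceType, $3 name, $4 patternType
  printf '{"scope":{"clusters":{"kafka-cluster":"%s"}},"resourcePatterns":[{"resourceType":"%s","name":"%s","patternType":"%s"}]}' \
    "$1" "$2" "$3" "$4"
}

# JSON body for the cluster-scoped SecurityAdmin grant (step 2).
cluster_body() {   # $1 kafka cluster id, $2 connect cluster id
  printf '{"clusters":{"kafka-cluster":"%s","connect-cluster":"%s"}}' "$1" "$2"
}

main() {
  # Credentials reach curl as a config file on stdin (-K -), so the password
  # is never on the command line where `ps` or shell history would record it.
  resp=$(printf 'user = "%s:%s"\n' "$MDS_USER" "$MDS_PASSWORD" \
         | mds_curl -K - "$MDS_URL/security/1.0/authenticate")
  token=$(mds_token_from_response "$resp")
  base="$MDS_URL/security/1.0/principals/User:$CONNECT_PRINCIPAL/roles"
  json="Content-Type: application/json"; auth="Authorization: Bearer $token"
  mds_curl -X POST "$base/SecurityAdmin" -H "$json" -H "$auth" \
    -d "$(cluster_body "$KAFKA_CLUSTER_ID" "$CONNECT_CLUSTER_ID")"
  for spec in "Group connect-cluster" "Topic connect-configs" \
              "Topic connect-offsets" "Topic connect-status"; do
    set -- $spec   # split into resourceType and name
    mds_curl -X POST "$base/ResourceOwner/bindings" -H "$json" -H "$auth" \
      -d "$(binding_body "$KAFKA_CLUSTER_ID" "$1" "$2" LITERAL)"
  done
}
# Sourcing the file just defines the functions; set MDS_USER to actually run.
[ -z "${MDS_USER:-}" ] || main
```

Because every call goes through `mds_curl --fail`, a binding the MDS rejects (wrong cluster id, expired token) aborts the run at that step rather than leaving a partially configured principal behind unnoticed.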