As an owner of a Kafka instance in OpenShift Streams for Apache Kafka, you can manage the level of access that other user accounts and service accounts have to your instance. You can allow or deny access to your instance for specific accounts or for all accounts in your organization. You can also allow other users or service accounts to manage the level of access to your instance for you.
You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.
As an instance owner, you automatically have a set of permissions for all resources within a Kafka instance including topics, groups, transactional IDs, and Access Control Lists (ACLs). This set of permissions cannot be changed and cannot be seen by you or any other user in the Permission list in the OpenShift Streams for Apache Kafka web console or from Kafka APIs.
OpenShift Streams for Apache Kafka uses Access Control Lists (ACLs) provided by Apache Kafka that enable you to manage how other user accounts and service accounts are permitted to access the Kafka resources that you create.
An account in Streams for Apache Kafka is either a user account or a service account. A user account enables users in your organization to access your resources. A service account enables your application or tool to connect securely to your instance and access your resources.
A resource in an ACL can be a Kafka instance, topic, consumer group, or producer transaction. You use the ACL to define how specific accounts or all accounts in an organization are permitted to access these resources.
An ACL permission setting typically consists of the following components:

- A single named account or all accounts within the organization that you want to manage access for
- A single named resource, all resources of a particular type (such as a topic, consumer group, or transactional ID), or all resources of a particular type with a specified prefix
- A single operation (such as Write) or all operations for the specified resource or resources

You can also allow other users or service accounts to manage access to the resources in your instance for you.

If two or more permission settings in an ACL match a request being made to the Kafka broker and at least one of the matching permissions specifies that the action is denied, then the request is denied.

- Authorization and ACLs in Kafka documentation
An ACL acts as a mapping of permitted operations on specified resources for a selected account or for all accounts in an organization. An account can be either a user account or a service account. Operations correspond to Kafka APIs or request types that relate to the specified resource.

For example, a Read operation for a Topic resource corresponds to the Fetch, OffsetCommit, and TxnOffsetCommit Kafka requests. A Write operation for a Topic resource corresponds to the Produce and AddPartitionsToTxn Kafka requests.
The following table lists the supported ACL permissions in Streams for Apache Kafka.

Note: The resource identifier Is supports the wildcard character * to denote any occurrence of the specified resource. For example, Topic is * means any topic in a Kafka instance.

| Resource type | Resource identifier | Access type | Operations |
|---|---|---|---|
| Consumer group (For consumer group access to a resource) | | | |
| Topic (For access to a topic) | | | |
| Transactional ID (For producer access to a resource) | | | |
| Kafka instance (For access to Kafka instance permissions in ACLs) | None | | |
By default, new Kafka instances have the permissions shown in the following table. These permissions allow all accounts in the organization to view the instance permissions and to view topics in the instance, but not to produce or consume messages.

| Account | Resource | Access type | Operation |
|---|---|---|---|
| All accounts | Topic (Any topic) | Allow | |
| All accounts | Consumer group (Any consumer group) | Allow | |
| All accounts | Kafka instance (Kafka instance permissions in ACLs) | Allow | |

- Authorization Primitives in Kafka documentation
In OpenShift Streams for Apache Kafka, you can create Access Control Lists (ACLs) in your Kafka instances and set permissions for how other user accounts or service accounts can interact with an instance and its resources. You can manage access for only the Kafka instances that you create or for the instances that the owner has enabled you to access and alter.

- You have a running Kafka instance in Streams for Apache Kafka (see Getting started with OpenShift Streams for Apache Kafka).
- The user account or service account that you’re setting permissions for has been created in the organization.

- On the Kafka Instances page of the Streams for Apache Kafka web console, click the name of the Kafka instance that you want to set permissions for.
- Click the Access tab to view the current ACL permissions for this instance.
- Use this Access page to set permissions for a new account, add permissions to an existing account, or delete account permissions in this instance.
  - To set permissions for a new account in this instance, follow these steps:
    - Click Manage access.
    - In the Account list, select the new user account or service account that you want to set permissions for. You can also select All accounts to set permissions for all user accounts and service accounts in the organization.

      If you don’t see users in the Account list, ask your organization administrator to grant access to view other user accounts. For more information, see Allowing users to view other user accounts.
    - Click Next.

      The Review existing permissions section lists any permission settings in this instance that are already defined for all accounts in the organization and for the same account that you previously selected, if applicable. You can delete existing permissions now if needed, or you can wait to delete existing permissions later from the main Access page.

      If you previously selected a specific account, you can delete only permission entries that apply to individual accounts. If you previously selected All accounts, you can delete only permission entries that apply to all accounts.
    - Under Assign Permissions, use the list to select and define the permissions for the specified account or all accounts for a resource type, such as a topic.

      The following permission options are available:

      - Add permission: Empty permission entry that you must define manually
      - Consume from a topic: Predefined permission entry for consuming from one or more specified topics
      - Produce to a topic: Predefined permission entry for producing to one or more specified topics
      - Manage access: Predefined permission entry for allowing other user accounts or service accounts to access and alter the permissions in the Kafka instance

      For example, when you create a new service account, select the Consume from a topic and Produce to a topic predefined options and set all resource identifiers and values to Is *. These permission settings are shown in the following table:

      Table 3. Example ACL permissions for a new service account

      | Resource type | Resource identifier and value | Access type | Operation |
      |---|---|---|---|
      | Topic (For consuming) | Is = * | Allow | Read, Describe |
      | Consumer group (For consuming) | Is = * | Allow | Read |
      | Topic (For producing) | Is = * | Allow | Write, Create, Describe |

      The permissions shown in the table enable applications associated with the service account to create topics in the Kafka instance, to produce and consume messages in any topic in the instance, and to use any consumer group.

      Note: Alternatively, you can click Add permission to individually create one Topic entry and one Consumer group entry, both with Allow access to All operations. This enables both consuming and producing for the topic in a single entry, and enables all permissions for the consumer group in a single entry. But you must configure these entries individually without using the predefined permission options.
    - Click Save to finish.
  - To add permissions to an existing account in this instance, follow these steps:
    - For the account that you want to add permissions to, select the options icon (three vertical dots) for that entry and click Manage.

      The Review existing permissions section lists any permission settings in this instance that are already defined for all accounts in the organization and for the same account that you previously selected, if applicable. You can delete existing permissions now if needed, or you can wait to delete existing permissions later from the main Access page.

      If you selected a permission entry that applies to a specific account, you can delete only permission entries that apply to individual accounts. If you selected a permission entry that applies to all accounts, you can delete only permission entries that apply to all accounts.
    - Under Assign Permissions, use the list to select and define the permissions for the specified account or all accounts for a resource type, such as a topic. You can click Add permission to add permissions individually, or you can select from the predefined permission options as described previously.
    - Click Save to finish.
  - To delete existing account permissions in this instance, use the following options:
    - Select one or more permission entries, select the options icon (three vertical dots) at the top of the table, and click Delete selected permissions.
    - For the account that you want to delete, select the options icon (three vertical dots) for that entry and click Delete.

    Important: If you delete a user account or service account, you must also delete any ACL permissions associated with that account. If you don’t delete unused ACL permissions, then a future account with the same ID as a previously deleted account could inherit the ACL permissions and have automatic access to a Kafka instance.

- Authorization and ACLs in Kafka documentation
The following example Access Control Lists (ACLs) illustrate common scenarios for managing the level of access for user accounts or service accounts in OpenShift Streams for Apache Kafka. Some examples differ from the predefined permissions in Streams for Apache Kafka to demonstrate various possible ACL scenarios. Use these examples as a guide for your own ACLs.

- Access for a new service account in a Kafka instance

  You’ve created a new service account and you want to allow it to create and delete topics in the instance, to produce and consume messages in any topic in the instance, and to use any consumer group.

  Table 4. Example ACL permissions

  | Account | Resource type | Resource identifier and value | Access type | Operation |
  |---|---|---|---|---|
  | srvc-acct-1a2b3c4d-… | Topic | Is = * | Allow | All |
  | srvc-acct-1a2b3c4d-… | Consumer group | Is = * | Allow | Read |

- Access for all accounts in a Kafka instance

  You want this Kafka instance to be fully accessible to all accounts in the organization. You want any user to be able to read all topics, write to all topics, and use any consumer group.

  Table 5. Example ACL permissions

  | Account | Resource | Resource identifier and value | Access type | Operations |
  |---|---|---|---|---|
  | All accounts | Topic | Is = * | Allow | All |
  | All accounts | Consumer group | Is = * | Allow | All |

- Access for a specific user in a Kafka instance

  You want this Kafka instance to be fully accessible to a specific user. You don’t know which topics or consumer groups the user will use, so you want the user to be able to read any topic, write to any topic, and join any consumer group in the instance.

  Table 6. Example ACL permissions

  | Account | Resource | Resource identifier and value | Access type | Operations |
  |---|---|---|---|---|
  | usr-acct-1a2b3c4d-… | Topic | Is = * | Allow | All |
  | usr-acct-1a2b3c4d-… | Consumer group | Is = * | Allow | All |

- Access for a specific producer to write to a topic

  You want to allow a user account with a producer that is associated with a specific transactional.id value to produce messages to a specific topic in this Kafka instance.

  Table 7. Example ACL permissions

  | Account | Resource | Resource identifier and value | Access type | Operations |
  |---|---|---|---|---|
  | usr-acct-1a2b3c4d-… | Topic | Is = topic-1 | Allow | Write |
  | usr-acct-1a2b3c4d-… | Transactional ID | Is = producer-1 | Allow | All |

- Access for specific consumer groups to consume from a topic

  You want to allow a service account with consumers from consumer groups whose names start with app to consume messages from a specific topic in this Kafka instance.

  Table 8. Example ACL permissions

  | Account | Resource | Resource identifier and value | Access type | Operations |
  |---|---|---|---|---|
  | srvc-acct-1a2b3c4d-… | Topic | Is = topic-1 | Allow | Read |
  | srvc-acct-1a2b3c4d-… | Consumer group | Starts with = app | Allow | Read |

- Access for a specific user to manage all permissions in the ACL of a Kafka instance

  You want to allow a user account to manage all permissions in the ACL for this Kafka instance. You’ve removed all other permissions from this instance so that the new authorized user can define the new ACL as needed.

  Table 9. Example ACL permissions

  | Account | Resource | Resource identifier and value | Access type | Operations |
  |---|---|---|---|---|
  | usr-acct-1a2b3c4d-… | Kafka instance | None | Allow | Alter |
  | usr-acct-1a2b3c4d-… | Kafka instance | None | Allow | Describe |
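The following Python module is an added example, not code from the Red Hat documentation or from Streams for Apache Kafka itself. It models how the broker evaluates the ACL entries described on this page: each entry applies to one account or to All accounts, identifies a resource by Is (exact name, or * for any) or Starts with (prefix), and carries an Allow or Deny access type; a request is denied as soon as any matching entry denies it. It also maps the Kafka request types named earlier (Fetch, OffsetCommit, TxnOffsetCommit, Produce, AddPartitionsToTxn) onto their Topic operations, and includes a check for the hygiene rule in the Important note above, listing entries whose account no longer exists. The AclEntry structure, the ALL_ACCOUNTS sentinel, the account IDs and the sample entries are all constructed for this example (the sample follows Table 8, plus one Deny entry to show deny-wins evaluation); they are not real identifiers.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Kafka request types and the ACL operation each one requires, as listed on the
# page: Read on a Topic covers Fetch, OffsetCommit and TxnOffsetCommit, and
# Write on a Topic covers Produce and AddPartitionsToTxn.
REQUEST_OPERATION = {
    "Fetch": ("Topic", "Read"),
    "OffsetCommit": ("Topic", "Read"),
    "TxnOffsetCommit": ("Topic", "Read"),
    "Produce": ("Topic", "Write"),
    "AddPartitionsToTxn": ("Topic", "Write"),
}

# Sentinel for an entry that applies to every account in the organization
# (an assumption of this example; the console shows it as "All accounts").
ALL_ACCOUNTS = "All accounts"


@dataclass(frozen=True)
class AclEntry:
    """One row of the Access tab, using the page's column names (constructed model)."""
    account: str        # account ID, or ALL_ACCOUNTS
    resource_type: str  # "Topic", "Consumer group", "Transactional ID" or "Kafka instance"
    pattern: str        # "Is" or "Starts with" ("None" for a Kafka instance entry)
    value: str          # resource name, "*" for any resource, or a name prefix
    access: str         # "Allow" or "Deny"
    operation: str      # "Read", "Write", "Create", "Describe", "Alter", ... or "All"

    def matches(self, account: str, resource_type: str, resource_name: str, operation: str) -> bool:
        if self.account not in (ALL_ACCOUNTS, account):
            return False
        if self.resource_type != resource_type:
            return False
        if self.operation not in ("All", operation):
            return False
        if self.resource_type == "Kafka instance":
            return True  # instance-level entries carry no resource identifier
        if self.pattern == "Is":
            return self.value == "*" or self.value == resource_name
        if self.pattern == "Starts with":
            return resource_name.startswith(self.value)
        raise ValueError(f"unknown resource identifier pattern: {self.pattern}")


def is_authorized(acl: Iterable[AclEntry], account: str, resource_type: str,
                  resource_name: str, operation: str) -> bool:
    """Deny wins: one matching Deny entry rejects the request even if other entries allow it."""
    matching = [e for e in acl if e.matches(account, resource_type, resource_name, operation)]
    if any(e.access == "Deny" for e in matching):
        return False
    return any(e.access == "Allow" for e in matching)


def authorize_request(acl: Iterable[AclEntry], account: str, request: str, topic: str) -> bool:
    """Resolve a Kafka request type to the ACL operation it needs, then evaluate it."""
    resource_type, operation = REQUEST_OPERATION[request]
    return is_authorized(acl, account, resource_type, topic, operation)


def orphaned_entries(acl: Iterable[AclEntry], existing_accounts: set) -> List[AclEntry]:
    """Entries bound to an account that no longer exists. Per the page's Important note,
    these should be deleted with the account so a future account with the same ID
    cannot inherit them."""
    return [e for e in acl if e.account != ALL_ACCOUNTS and e.account not in existing_accounts]


# Constructed sample ACL: the two Table 8 entries (consumer groups that start with
# "app" may read topic-1), a default-style All accounts Describe entry, and one
# Deny entry for a single user. Account IDs are placeholders, not real IDs.
SAMPLE_ACL = [
    AclEntry("srvc-acct-EXAMPLE", "Topic", "Is", "topic-1", "Allow", "Read"),
    AclEntry("srvc-acct-EXAMPLE", "Consumer group", "Starts with", "app", "Allow", "Read"),
    AclEntry(ALL_ACCOUNTS, "Topic", "Is", "*", "Allow", "Describe"),
    AclEntry("usr-acct-EXAMPLE", "Topic", "Is", "topic-1", "Deny", "Describe"),
]

if __name__ == "__main__":
    acl = SAMPLE_ACL
    print(authorize_request(acl, "srvc-acct-EXAMPLE", "Fetch", "topic-1"))                  # True
    print(authorize_request(acl, "srvc-acct-EXAMPLE", "Produce", "topic-1"))                # False
    print(is_authorized(acl, "srvc-acct-EXAMPLE", "Consumer group", "app-orders", "Read"))  # True
    print(is_authorized(acl, "srvc-acct-EXAMPLE", "Consumer group", "batch", "Read"))       # False
    print(is_authorized(acl, "usr-acct-EXAMPLE", "Topic", "topic-1", "Describe"))           # False: Deny wins
    print(is_authorized(acl, "usr-acct-EXAMPLE", "Topic", "topic-2", "Describe"))           # True
    print(orphaned_entries(acl, {"srvc-acct-EXAMPLE"}))  # the usr-acct-EXAMPLE Deny entry
```

Running the module shows the two rules a practitioner most often gets wrong: a prefix entry (Starts with = app) admits app-orders but not batch, and a Deny for one account overrides an Allow for All accounts on the same topic while leaving other topics and other accounts unaffected. The orphaned_entries check is the kind of review worth running whenever an account is removed, since a leftover entry is indistinguishable from a deliberate one once a new account with the same ID appears.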
As an organization administrator, you can use Role-Based Access Control (RBAC) to allow users to view other users in an organization. You set up access by assigning a predefined role called User Access principal viewer to a user group. By assigning the role, users within the group are able to perform the following actions:

- View and select other users when changing owners and managing access to Kafka instances in the OpenShift Streams for Apache Kafka web console.
- Specify user names when using the rhoas CLI for OpenShift Streams for Apache Kafka.

- You’re logged into the Red Hat Hybrid Cloud Console as an organization administrator.
- A user group contains the users to assign the role to.

  Note: If you want to add the User Access principal viewer role to a single user, create a new group for that user only.

- In the toolbar of the Streams for Apache Kafka web console, select the gear icon.
- Click Identity & Access Management > User Access > Groups.
- Click the name of the user group.
- From the Roles tab, click Add role and select User Access principal viewer.
- Click Add to group.

The role is added to the list of selected roles on the Roles tab.