Managing account access in Red Hat OpenShift Streams for Apache Kafka

Guide
  • Red Hat OpenShift Streams for Apache Kafka 1
  • Updated 22 November 2022
  • Published 12 October 2021


As an owner of a Kafka instance in Red Hat OpenShift Streams for Apache Kafka, you can manage the level of access that other user accounts and service accounts have to your instance. You can allow or deny access to your instance for specific accounts or for all accounts in your organization. You can also allow other users or service accounts to manage the level of access to your instance for you.

You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.

As an instance owner, you automatically have a set of permissions for all resources within a Kafka instance including topics, groups, transactional IDs, and Access Control Lists (ACLs). This set of permissions cannot be changed and cannot be seen by you or any other user in the Permission list in the Red Hat OpenShift Streams for Apache Kafka web console or from Kafka APIs.

Access management in OpenShift Streams for Apache Kafka

Red Hat OpenShift Streams for Apache Kafka uses Access Control Lists (ACLs) provided by Apache Kafka that enable you to manage how other user accounts and service accounts are permitted to access the Kafka resources that you create. You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.

An account in OpenShift Streams for Apache Kafka is either a user account or a service account. A user account enables users in your organization to access your resources. A service account enables your application or tool to connect securely to your instance and access your resources.

A resource in an ACL can be a Kafka instance, topic, consumer group, or producer transaction. You use the ACL to define how specific accounts or all accounts in an organization are permitted to access these resources.

An ACL permission setting typically consists of the following components:

  • A single named account or all accounts within the organization that you want to manage access for

  • A single named resource, all resources of a particular type (such as a topic, consumer group, or transactional ID), or all resources of a particular type with a specified prefix

  • A single operation (such as Write) or all operations for the specified resource or resources

You can also allow other users or service accounts to manage access to the resources in your instance for you.

If two or more permission settings in an ACL match a request being made to the Kafka broker and at least one of the matching permissions specifies that the action is denied, then the request is denied.
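The matching and deny-precedence rules described above, as an added example that is not part of the original guide or of the product's code. The `Permission` model, the `"*"` encoding of All accounts, and the account ID are assumptions made for illustration; refusing a request that matches no entry is also an assumption, consistent with the default permissions in Table 2. The first three entries mirror Table 2 and Table 8 of this guide, and the last two are constructed.

```python
from dataclasses import dataclass

ALL_ACCOUNTS = "*"  # assumed encoding of the console's "All accounts" choice

@dataclass(frozen=True)
class Permission:
    account: str        # account ID or ALL_ACCOUNTS
    resource_type: str  # "topic", "group" or "transactional-id"
    match: str          # "is" or "starts-with"
    value: str          # resource name, prefix, or "*" for any resource
    access: str         # "allow" or "deny"
    operation: str      # "read", "write", "describe", ... or "all"

def _matches(p, account, resource_type, name, operation):
    """True when permission p applies to this request."""
    if p.account not in (ALL_ACCOUNTS, account):
        return False
    if p.resource_type != resource_type or p.operation not in ("all", operation):
        return False
    if p.match == "starts-with":
        return name.startswith(p.value)
    return p.value in ("*", name)  # "is": exact name or the * wildcard

def authorize(acl, account, resource_type, name, operation):
    """Return (allowed, matching permissions). Any matching deny wins;
    a request that matches nothing is refused (assumption, see lead-in)."""
    hits = [p for p in acl if _matches(p, account, resource_type, name, operation)]
    if any(p.access == "deny" for p in hits):
        return False, hits
    return any(p.access == "allow" for p in hits), hits

SVC = "srvc-acct-example"  # constructed account ID
ACL = [
    Permission(ALL_ACCOUNTS, "topic", "is", "*", "allow", "describe"),  # as in Table 2
    Permission(SVC, "topic", "is", "topic-1", "allow", "read"),         # as in Table 8
    Permission(SVC, "group", "starts-with", "app", "allow", "read"),    # as in Table 8
    # Constructed pair: a broad deny and a narrower allow on the same topics.
    Permission(ALL_ACCOUNTS, "topic", "starts-with", "audit-", "deny", "all"),
    Permission(SVC, "topic", "starts-with", "audit-", "allow", "read"),
]

if __name__ == "__main__":
    for req in [("topic", "topic-1", "read"), ("topic", "topic-1", "write"),
                ("group", "app-orders", "read"), ("topic", "audit-log", "read")]:
        allowed, hits = authorize(ACL, SVC, *req)
        print(req, "ALLOW" if allowed else "DENY", f"({len(hits)} matching)")
```

The last request shows why a deny for all accounts cannot be carved out with a narrower allow: both entries match, and the deny decides the outcome.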


Supported ACL permissions in OpenShift Streams for Apache Kafka

An ACL acts as a mapping of permitted operations on specified resources for a selected account or for all accounts in an organization. An account can be either a user account or a service account. Operations correspond to Kafka APIs or request types that relate to the specified resource.

For example, a Read operation for a Topic resource corresponds to the Fetch, OffsetCommit, and TxnOffsetCommit Kafka requests. A Write operation for a Topic resource corresponds to the Produce and AddPartitionsToTxn Kafka requests.

The following table lists the supported ACL permissions in OpenShift Streams for Apache Kafka.

The resource identifier Is supports the wildcard character * to denote any occurrences of the specified resource. For example, Topic is * means any topic in a Kafka instance.

Table 1. Supported ACL permissions

| Resource type | Resource identifier | Access type | Operations |
|---|---|---|---|
| Consumer group (For consumer group access to a resource) | Starts with, Is | Allow, Deny | All, Read, Delete, Describe |
| Topic (For access to a topic) | Starts with, Is | Allow, Deny | All, Read, Write, Create, Delete, Alter, Alter configs, Describe, Describe configs |
| Transactional ID (For producer access to a resource) | Starts with, Is | Allow, Deny | All, Write, Describe |
| Kafka instance (For access to Kafka instance permissions in ACLs) | None | Allow, Deny | Alter, Describe |

By default, new Kafka instances contain the permissions shown in the following table. These permissions allow all accounts in the organization to view the instance permissions and to view topics in the instance, but not to produce or consume messages.

Table 2. Default ACL permissions for new Kafka instances

| Account | Resource | Access type | Operation |
|---|---|---|---|
| All accounts | Topic is * (Any topic) | Allow | Describe, Describe configs |
| All accounts | Consumer group is * (Any consumer group) | Allow | Describe |
| All accounts | Kafka instance (Kafka instance permissions in ACLs) | Allow | Describe |

Additional resources

Authorization Primitives in Kafka documentation

Setting account permissions in a Kafka instance in OpenShift Streams for Apache Kafka

In Red Hat OpenShift Streams for Apache Kafka, you can create Access Control Lists (ACLs) in your Kafka instances and set permissions for how other user accounts or service accounts can interact with an instance and its resources. You can manage access for only the Kafka instances that you create or for the instances that the owner has enabled you to access and alter.

Prerequisites
  • You’ve created a Kafka instance and the instance is in the Ready state.

  • The user account or service account that you’re setting permissions for has been created in the organization.

Procedure
  1. On the Kafka Instances page of the OpenShift Streams for Apache Kafka web console, click the name of the Kafka instance that you want to set permissions for.

  2. Click the Access tab to view the current ACL permissions for this instance.

  3. Use this Access page to set permissions for a new account, add permissions to an existing account, or delete account permissions in this instance.

    • To set permissions for a new account in this instance, follow these steps:

      1. Click Manage access.

      2. In the Account list, select the new user account or service account that you want to set permissions for. You can also select All accounts to set permissions for all user accounts and service accounts in the organization.

        If you don’t see users in the Account list, ask your organization administrator to grant access to view other user accounts. For more information, see Allowing users to view other user accounts.

      3. Click Next.

        The Review existing permissions section lists any permission settings in this instance that are already defined for all accounts in the organization and for the same account that you previously selected, if applicable. You can delete existing permissions now if needed, or you can wait to delete existing permissions later from the main Access page.

        If you previously selected a specific account, you can delete only permission entries that apply to individual accounts. If you previously selected All accounts, you can delete only permission entries that apply to all accounts.

      4. Under Assign Permissions, use the list to select and define the permissions for the specified account or all accounts for a resource type, such as a topic.

        The following permission options are available:

        • Add permission: Empty permission entry that you must define manually

        • Consume from a topic: Predefined permission entry for consuming from one or more specified topics

        • Produce to a topic: Predefined permission entry for producing to one or more specified topics

        • Manage access: Predefined permission entry for allowing other user accounts or service accounts to access and alter the permissions in the Kafka instance

        For example, when you create a new service account, select the Consume from a topic and Produce to a topic predefined options and set all resource identifiers and values to Is *. These permissions enable applications associated with the service account to create and delete topics in the Kafka instance, to produce and consume messages in any topic in the instance, and to use any consumer group and any producer.

        These permission settings result in the following ACL permissions for the new service account:

        Table 3. Example ACL permissions for a new service account

        | Resource type | Resource identifier and value | Access type | Operation |
        |---|---|---|---|
        | Topic (For consuming) | Is = * | Allow | Read, Describe |
        | Consumer group (For consuming) | Is = * | Allow | Read |
        | Topic (For producing) | Is = * | Allow | Write, Create, Describe |

        Alternatively, you can click Add permission to individually create one Topic entry and one Consumer group entry, both with Allow access to All operations. This enables both consuming and producing for the topic in a single entry, and enables all permissions for the consumer group in a single entry. But you must configure these entries individually without using the predefined permission options.

      5. Click Save to finish.

    • To add permissions to an existing account in this instance, follow these steps:

      1. For the account that you want to add permissions to, select the options icon (three vertical dots) for that entry and click Manage.

        The Review existing permissions section lists any permission settings in this instance that are already defined for all accounts in the organization and for the same account that you previously selected, if applicable. You can delete existing permissions now if needed, or you can wait to delete existing permissions later from the main Access page.

        If you selected a permission entry that applies to a specific account, you can delete only permission entries that apply to individual accounts. If you selected a permission entry that applies to all accounts, you can delete only permission entries that apply to all accounts.

      2. Under Assign Permissions, use the list to select and define the permissions for the specified account or all accounts for a resource type, such as a topic. You can click Add permission to add permissions individually, or you can select from the predefined permission options as described previously.

      3. Click Save to finish.

    • To delete existing account permissions in this instance, use the following options:

      • Select one or more permission entries, select the options icon (three vertical dots) at the top of the table, and click Delete selected permissions.

      • For the account that you want to delete, select the options icon (three vertical dots) for that entry and click Delete.

    If you delete a user account or service account, you must also delete any ACL permissions associated with that account. If you don’t delete unused ACL permissions, then a future account with the same ID of a previously deleted account could inherit the ACL permissions and have automatic access to a Kafka instance.
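One way to check for the leftover permissions described above, as an added example that is not part of the original guide. The shape of the ACL entries, the function names, and every account ID are assumptions constructed for illustration; populate the two lists from your own export of the Access page and of the organization's accounts.

```python
ALL_ACCOUNTS = "All accounts"  # label the console uses for organization-wide entries

def orphaned_permissions(acl_entries, live_accounts):
    """Group ACL entries by account ID for accounts that no longer exist.

    acl_entries: dicts with account, resource, access, operation (assumed shape).
    live_accounts: IDs of user and service accounts currently in the organization.
    """
    live = set(live_accounts)
    orphans = {}
    for entry in acl_entries:
        account = entry["account"]
        if account == ALL_ACCOUNTS or account in live:
            continue  # organization-wide entries are never tied to one ID
        orphans.setdefault(account, []).append(entry)
    return orphans

def inherited_access(orphans):
    """What a future account that reuses each ID would be allowed to do."""
    return {
        account: sorted(f'{e["resource"]}: {e["operation"]}'
                        for e in entries if e["access"] == "Allow")
        for account, entries in orphans.items()
    }

# Constructed sample data: one service account was deleted, its entries were not.
ACL_ENTRIES = [
    {"account": "All accounts", "resource": "Topic is *",
     "access": "Allow", "operation": "Describe"},
    {"account": "srvc-acct-live", "resource": "Topic is topic-1",
     "access": "Allow", "operation": "Read"},
    {"account": "srvc-acct-deleted", "resource": "Topic is *",
     "access": "Allow", "operation": "All"},
    {"account": "srvc-acct-deleted", "resource": "Consumer group is *",
     "access": "Allow", "operation": "Read"},
]
LIVE_ACCOUNTS = ["srvc-acct-live", "usr-acct-live"]

if __name__ == "__main__":
    stale = orphaned_permissions(ACL_ENTRIES, LIVE_ACCOUNTS)
    for account, grants in inherited_access(stale).items():
        print(f"{account}: delete {len(stale[account])} entries; grants {grants}")
```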

Example account access scenarios in OpenShift Streams for Apache Kafka

The following example Access Control Lists (ACLs) illustrate common scenarios for managing the level of access for user accounts or service accounts in Red Hat OpenShift Streams for Apache Kafka. Some examples differ from the predefined permissions in OpenShift Streams for Apache Kafka to demonstrate various possible ACL scenarios. Use these examples as a guide for your own ACLs.

Access for a new service account in a Kafka instance

You’ve created a new service account and you want to allow it to create and delete topics in the instance, to produce and consume messages in any topic in the instance, and to use any consumer group and any producer.

Table 4. Example ACL permissions

| Account | Resource type | Resource identifier and value | Access type | Operation |
|---|---|---|---|---|
| srvc-acct-1a2b3c4d-… | Topic | Is = * | Allow | All |
| srvc-acct-1a2b3c4d-… | Consumer group | Is = * | Allow | Read |

Access for all accounts in a Kafka instance

You want this Kafka instance to be fully accessible to all accounts in the organization. You want any user to be able to read all topics, write to all topics, use any consumer group, and use any producer.

Table 5. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
|---|---|---|---|---|
| All accounts | Topic | Is = * | Allow | All |
| All accounts | Consumer group | Is = * | Allow | All |

Access for a specific user in a Kafka instance

You want this Kafka instance to be fully accessible to a specific user. You don’t know which topics or consumer groups the user will use, so you want the user to be able to read any topic, write to any topic, and join any consumer group in the instance.

Table 6. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
|---|---|---|---|---|
| usr-acct-1a2b3c4d-… | Topic | Is = * | Allow | All |
| usr-acct-1a2b3c4d-… | Consumer group | Is = * | Allow | All |

Access for a specific producer to write to a topic

You want to allow a user account with a producer that is associated with a specific transactional.id value to produce messages to a specific topic in this Kafka instance.

Table 7. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
|---|---|---|---|---|
| usr-acct-1a2b3c4d-… | Topic | Is = topic-1 | Allow | Write |
| usr-acct-1a2b3c4d-… | Transactional ID | Is = producer-1 | Allow | All |

Access for specific consumer groups to consume from a topic

You want to allow a service account with consumers from consumer groups whose names start with app to consume messages from a specific topic in this Kafka instance.

Table 8. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
|---|---|---|---|---|
| srvc-acct-1a2b3c4d-… | Topic | Is = topic-1 | Allow | Read |
| srvc-acct-1a2b3c4d-… | Consumer group | Starts with = app | Allow | Read |

Access for a specific user to manage all permissions in the ACL of a Kafka instance

You want to allow a user account to manage all permissions in the ACL for this Kafka instance. You’ve removed all other permissions from this instance so that the new authorized user can define the new ACL as needed.

Table 9. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
|---|---|---|---|---|
| usr-acct-1a2b3c4d-… | Kafka instance | None | Allow | Alter |
| usr-acct-1a2b3c4d-… | Kafka instance | None | Allow | Describe |

Allowing users to view other user accounts

As an organization administrator, you can use Role-Based Access Control (RBAC) to allow users to view other users in an organization.

You set up access by assigning a predefined role called User Access principal viewer to a user group. By assigning the role, users within the group are able to perform the following actions:

  • View and select other users when changing owners and managing access to Kafka instances in the OpenShift Streams for Apache Kafka web console.

  • Specify user names when using the rhoas CLI for Red Hat OpenShift Streams for Apache Kafka.

Prerequisites
  • You’re logged into the Red Hat Hybrid Cloud Console as an organization administrator.

  • A user group contains the users to assign the role to.

If you want to add the User Access principal viewer role to a single user, create a new group for that user only.

For more information on setting up user access in the Red Hat Hybrid Cloud Console, see the User Access Configuration Guide for Role-based Access Control (RBAC).

Procedure
  1. In the upper-right corner of the OpenShift Streams for Apache Kafka web console, select the gear icon, and click Settings > User Access > Groups.

  2. Click the name of the user group.

  3. From the Roles tab, click Add role and select User Access principal viewer.

  4. Click Add to group to add the role to the group.

    The role is added to the list of selected roles on the Roles tab.