20 changes: 13 additions & 7 deletions configuration/rbac-role-based-access-control/README.md
Expand Up @@ -99,7 +99,7 @@ Find the more detailed examples in a full example file lower.

The next thing which is present in your roles file is, surprisingly, permissions. They consist of:

1. Resource Can be one of the: `CLUSTERCONFIG`, `TOPIC`, `CONSUMER`, `SCHEMA`, `CONNECT`, `KSQL`, `ACL`.
1. Resource Can be one of the: `CLUSTERCONFIG`, `TOPIC`, `CONSUMER`, `SCHEMA`, `CONNECT`, `CONNECTOR`, `KSQL`, `ACL`.
2. The resource value is either a fixed string or a regular expression identifying a resource. Value is not applicable to `clusterconfig` and `ksql` resources. Please do not fill it out.
3. Actions It's a list of actions (the possible values depend on the resource, see the lists below) that will be applied to the certain permission. Also, note, there's a special action for any of the resources called "all", it will virtually grant all the actions within the corresponding resource. An example for enabling viewing and creating topics whose name start with "derp":
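Review bot: item 2 of this list still describes the value only as "a fixed string or a regular expression identifying a resource", while the `CONNECTOR` resource added to item 1 takes a two-part value. Suggest stating the `connectName/connectorName` format here as well, and saying whether a regular expression must match the whole value or may match part of it, since that decides how broad a pattern-based grant actually is.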

Expand All @@ -119,7 +119,8 @@ A list of all the actions for the corresponding resources (please note neither r
* `topic`: `view`, `create`, `edit`, `delete`, `messages_read`, `messages_produce`, `messages_delete`, `analysis_run`, `analysis_view`
* `consumer`: `view`, `delete`, `reset_offsets`
* `schema`: `view`, `create`, `delete`, `edit`, `modify_global_compatibility`
* `connect`: `view`, `edit`, `create`, `delete`,`operate`, `reset_offsets`
* `connect`: `view`, `edit`, `create`, `delete`, `operate`, `reset_offsets` — applies to all connectors in a connect cluster
* `connector`: `view`, `edit`, `create`, `delete`, `operate`, `reset_offsets` — granular per-connector permissions (value format: `connectName/connectorName`)
* `ksql`: `execute`
* `acl`: `view`, `edit`
* `audit`: `view`
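Review bot: the `connect` and `connector` entries list the same actions, but nothing says how the two combine when one role carries both, for example `view` on `connect` for a cluster plus `edit` on `connector` for a single connector in it. Suggest a sentence stating whether the grants are additive, and another on what `create` means for a `connector` value that names a connector which does not exist yet.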
Expand Down Expand Up @@ -218,11 +219,16 @@ rbac:
- resource: connect
value: "local"
actions: [ view, edit, create, delete, operate, reset_offsets ]
# connectors selector not implemented yet, use connects
# selector:
# connector:
# name: ".*"
# class: 'io.kafbat.connectorName'

# Granular connector-level permissions (value format: connectName/connectorName)
- resource: connector
value: "local/my-specific-connector"
actions: [ view, edit, operate ]

# Wildcard for all connectors in a connect cluster
- resource: connector
value: "local/prod-.*"
actions: [ view ]

- resource: ksql
# value not applicable for ksql
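Review bot: the comment "Wildcard for all connectors in a connect cluster" does not match the value under it; `local/prod-.*` selects only connectors in `local` whose name starts with `prod-`. Either reword the comment to say that, or use `local/.*` if the example is meant to cover every connector. Also, if these entries sit in the same role as the `connect` entry for `local` at the top of the hunk, which already lists every action, the narrower `connector` grants add nothing there; showing them in a separate role would make the least-privilege use case clearer.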