If you have been paying careful attention, you may have noticed that a new feature was recently rolled out for Conduktor UI. Topic-level role-based access control (RBAC) was one of the most requested features we received, and it is now available in the latest versions of Conduktor.
If you’re wondering what all the fuss is about, it is worth understanding just what RBAC is and why it can be such a powerful feature. As the name implies, RBAC allows an admin to determine what different users can do with a system by assigning roles: some users could have roles that permit reads only, for example. In Conduktor, RBAC can be used to restrict read and write access per topic, meaning you can control a user’s ability to use the consumer/producer functionality depending on the topic.
Why use RBAC?
The major benefits of this feature relate to compliance, security, and privacy. For businesses and enterprises making use of Kafka, there is always going to be a need to perform data governance. There is no reason for users to have access to every single facet of Apache Kafka in most cases. AWS has the principle of “least privilege”: the idea that only the permissions required to complete a task should be granted. It is one of the AWS Well-Architected best practices and can be a good addition to governance policies.
Looking at security, there is also the possibility of users making mistakes or deliberately doing damage during routine operations. Restricting permissions limits the damage that can be done. Potentially, these restrictions can also help against phishing attacks and other malicious actions.
Without RBAC, enterprises would have to deploy manual security measures and authorizations to address these risks, so having the feature also makes access control easier and quicker to set up. Administrators can manage authorization at scale.
How can I implement RBAC?
Topic-level RBAC is available in Conduktor UI for enterprise users. A full guide to getting set up is available in the Conduktor documentation, but a brief guide follows:
To get started with RBAC, you will need to head to your account on conduktor.io. In the account settings, head to the “My Clusters” tab:
RBAC is available at both the cluster level and the topic level. To enable it at a cluster level, you simply need to click on the “Manage access” button. This will present you with the following screen:
Turn on the “Access Control” setting to enable RBAC for clusters. Below, the “Topic permissions” section is where you can set up RBAC at the topic level. Click on “Define topic permissions” to do that:
What permissions can be applied?
Ability to consume
Ability to produce
Ability to update topic configuration
Ability to import data
Ability to update leader election
Ability to update partitions
Ability to clean up partitions
Ability to change replication factor
Ability to empty topic
Ability to check reassignments
Ability to update replication factor
Ability to read topic size
Once you’ve determined which permissions you need and defined them, they are applied the next time you connect to a cluster from within Conduktor UI.