Conduktor Now Offers Topic-Level RBAC

We're pleased to announce that topic-level role-based access control is now available in the latest versions of Conduktor.

james
James Jul 12, 2022

For those users who have paid careful attention, you may have noticed a new feature was recently rolled out for Conduktor UI. Topic-level role-based access control (RBAC) was one of the most requested features we received; it is now available in the latest versions of Conduktor.

If you’re wondering what all the fuss is about, it is worth understanding just what RBAC is and why it can be such a powerful feature. As the name implies, RBAC allows an admin to determine what different users can do with a system by assigning roles: some users could have roles that permit reads only, for example. In Conduktor, RBAC can be used to restrict read and write access per topic, meaning you can control a user’s ability to use the consumer/producer functionality depending on the topic.

Why use RBAC?

The major benefits of this feature relate to compliance, security, and privacy. For businesses and enterprises making use of Kafka, there is always going to be a need to perform data governance. There is no reason for users to have access to every single facet of Apache Kafka in most cases. AWS have the principle of “least privilege”: the idea that only the permissions required to complete a task should be granted. It is one the AWS Well Architected best practices and can be a good addition to governance policies.

Looking at security, there is also the possibility of users making mistakes or deliberately doing damage during routine operations. Restricting permissions limits the damage that can be done. Potentially, these restrictions can also help against phishing attacks and other malicious actions. 

Given these risks, enterprises would have to deploy manual security measures and authorizations if RBAC wasn’t available, so having the feature also makes it easier and quicker to set up. Authorization can be done at scale by administrators.

How can I implement RBAC?

Topic level RBAC is available for Conduktor UI for enterprise users. A full guide to getting setup is available in the Conduktor documentation, but a brief guide is detailed below:

To get started with RBAC, you will need to head to your account on conduktor.io. In the account settings, head to the “My Clusters” tab:

My Clusters view

RBAC is available at both the cluster level and the topic level. To enable it at a cluster level, you simply need to click on the “Manage access” button. This will prevent you with the following screen:

RBAC view

Turn on the “Access Control” setting to enable RBAC for clusters. Below, the “Topic permissions” section is where you can setup RBAC at the topic level. Click on “Define topic permissions to do that:

topic Permissions view

What permissions can be applied?

  • Ability to consume

  • Ability to produce

  • Ability to update topic configuration

  • Ability to import data

  • Ability to update leader election

  • Ability to update partitions

  • Ability to cleanup partitions

  • Ability to change replication factor

  • Ability to empty topic

  • Ability to check reassignments

  • Ability to update replication factor

  • Ability to read topic size

Once you’ve determined what permissions you will need, they will be applied once you connect to a cluster from within Conduktor UI.