ApsaraMQ for Kafka:Examples of RBAC authorization using Confluent CLI

Last Updated: May 27, 2025

This topic describes common examples of role-based access control (RBAC) authorization using Confluent CLI.

Cluster and resource types

The following table describes ApsaraMQ for Confluent cluster types and their corresponding resource types.

Cluster type       Resource types
Kafka              Cluster, Group, Topic, Transactional ID
KSQL               Cluster
Schema Registry    Cluster, Subject
Connect            Cluster, Connector

Kafka

Kafka includes the following resource types: Cluster, Group, Topic, and Transactional ID.

Cluster

You can configure the following roles for a Kafka cluster:

  • AuditAdmin

  • ClusterAdmin

  • DeveloperManage

  • DeveloperWrite

  • Operator

  • ResourceOwner

  • SecurityAdmin

  • SystemAdmin

  • UserAdmin

Example 1: Authorize the test user with permissions included in the SystemAdmin role of a Kafka cluster

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role SystemAdmin --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role SystemAdmin --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role SystemAdmin --kafka-cluster <kafka-cluster-id>

Example 2: Authorize the test user with permissions included in the ResourceOwner role of a Kafka cluster

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Cluster:kafka-cluster --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Cluster:kafka-cluster --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Cluster:kafka-cluster --kafka-cluster <kafka-cluster-id>

Group

You can configure the following roles for a Kafka group:

  • DeveloperManage

  • DeveloperRead

  • ResourceOwner

Example 1: Authorize the test user with permissions included in the DeveloperRead role of the test_group group

# Create authorization (the group name matches the example title: test_group).
confluent iam rbac role-binding create --principal User:test --role DeveloperRead --resource Group:test_group --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role DeveloperRead --resource Group:test_group --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role DeveloperRead --resource Group:test_group --kafka-cluster <kafka-cluster-id>

Example 2: Authorize the test user with permissions included in the ResourceOwner role of Kafka groups prefixed with demo

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Group:demo --prefix --kafka-cluster <kafka-cluster-id>

# View authorization (restricted to the prefixed binding; omit --resource and --prefix to list every ResourceOwner binding of the principal on this cluster).
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Group:demo --prefix --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Group:demo --prefix --kafka-cluster <kafka-cluster-id>

Example 3: Authorize the test user with permissions included in the ResourceOwner role of all Kafka groups

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Group:* --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Group:* --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Group:* --kafka-cluster <kafka-cluster-id>

Topic

You can configure the following roles for a Kafka topic:

  • DeveloperManage

  • DeveloperRead

  • DeveloperWrite

  • ResourceOwner

Example 1: Authorize the test user with permissions included in the DeveloperWrite role of the test_topic topic

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role DeveloperWrite --resource Topic:test_topic --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role DeveloperWrite --resource Topic:test_topic --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role DeveloperWrite --resource Topic:test_topic --kafka-cluster <kafka-cluster-id>

Example 2: Authorize the test user with permissions included in the ResourceOwner role of Kafka topics prefixed with demo

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Topic:demo --prefix --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Topic:demo --prefix --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Topic:demo --prefix --kafka-cluster <kafka-cluster-id>

Example 3: Authorize the test user with permissions included in the ResourceOwner role of all Kafka topics

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Topic:* --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Topic:* --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Topic:* --kafka-cluster <kafka-cluster-id>

Transactional ID

You can configure the following roles for a Kafka transactional ID:

  • DeveloperManage

  • DeveloperRead

  • DeveloperWrite

  • ResourceOwner

Example: Authorize the test user with permissions included in the ResourceOwner role of all Kafka transactional IDs

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource TransactionalId:* --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource TransactionalId:* --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource TransactionalId:* --kafka-cluster <kafka-cluster-id>
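Each of the four Kafka resource types above accepts a different set of roles, and a binding on Topic:* or Group:* grants far more than a single consumer needs. The following POSIX shell wrapper is an added example, not code from the ApsaraMQ page or from the Confluent CLI: it checks a requested Kafka-scoped binding against the role lists on this page before printing the confluent command (or running it when RBAC_APPLY=1). The principal, the topic and group names, the RBAC_APPLY variable and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the ApsaraMQ page or the Confluent CLI): a guard that
# checks a requested Kafka-scoped binding against the role lists on this page
# before building the command. RBAC_APPLY=1 runs it; otherwise it is printed.

# Roles the page lists for each Kafka-scoped resource type.
allowed_roles() {
  case "$1" in
    Cluster) echo "AuditAdmin ClusterAdmin DeveloperManage DeveloperWrite Operator ResourceOwner SecurityAdmin SystemAdmin UserAdmin" ;;
    Group) echo "DeveloperManage DeveloperRead ResourceOwner" ;;
    Topic|TransactionalId) echo "DeveloperManage DeveloperRead DeveloperWrite ResourceOwner" ;;
    *) return 1 ;;   # not a Kafka resource type handled by this guard
  esac
}

# role_allowed TYPE ROLE: exit 0 if ROLE appears in the page's list for TYPE.
role_allowed() {
  roles=$(allowed_roles "$1") || return 1
  for r in $roles; do [ "$r" = "$2" ] && return 0; done
  return 1
}

# build_binding ACTION PRINCIPAL ROLE TYPE NAME KAFKA_CLUSTER_ID [PREFIXED]
# Prints the confluent command, or refuses when ROLE is not valid for TYPE.
build_binding() {
  action=$1 principal=$2 role=$3 rtype=$4 name=$5 cluster=$6 pattern=${7:-LITERAL}
  role_allowed "$rtype" "$role" || { echo "refused: $role is not a valid role for $rtype" >&2; return 1; }
  cmd="confluent iam rbac role-binding $action --principal $principal --role $role --resource $rtype:$name"
  if [ "$pattern" = PREFIXED ]; then cmd="$cmd --prefix"; fi
  echo "$cmd --kafka-cluster $cluster"
}

# apply_binding: same arguments; dry-run by default so a reviewer sees the
# exact binding before it is granted (arguments contain no spaces, so the
# unquoted $cmd expansion is safe here).
apply_binding() {
  cmd=$(build_binding "$@") || return 1
  if [ "${RBAC_APPLY:-0}" = 1 ]; then $cmd; else echo "dry-run: $cmd"; fi
}

# Least privilege for a consumer (constructed names): DeveloperRead on its own
# topic and group rather than ResourceOwner on Topic:* or Group:*.
apply_binding create User:orders-consumer DeveloperRead Topic orders '<kafka-cluster-id>'
apply_binding create User:orders-consumer DeveloperRead Group orders-consumers '<kafka-cluster-id>'
# Refused: the page lists no DeveloperWrite role for a Kafka group.
apply_binding create User:orders-consumer DeveloperWrite Group orders-consumers '<kafka-cluster-id>' || true
```

Run it as `sh guard.sh` to review the commands, then `RBAC_APPLY=1 sh guard.sh` with a logged-in confluent CLI to grant them.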

KSQL

KSQL includes only the Cluster resource type.

Cluster

You can configure the following roles for a KSQL cluster:

  • AuditAdmin

  • ClusterAdmin

  • DeveloperManage

  • DeveloperWrite

  • Operator

  • ResourceOwner

  • SecurityAdmin

  • SystemAdmin

  • UserAdmin

Example: Authorize the test user with permissions included in the ResourceOwner role of a KSQL cluster

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource KsqlCluster:ksql-cluster --ksql-cluster <ksql-cluster-id> --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource KsqlCluster:ksql-cluster --ksql-cluster <ksql-cluster-id> --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource KsqlCluster:ksql-cluster --ksql-cluster <ksql-cluster-id> --kafka-cluster <kafka-cluster-id>

Schema Registry

Schema Registry includes the following resource types: Cluster and Subject.

Cluster

You can configure the following roles for a Schema Registry cluster:

  • AuditAdmin

  • ClusterAdmin

  • Operator

  • SecurityAdmin

  • SystemAdmin

  • UserAdmin

Example: Authorize the test user with permissions included in the SystemAdmin role of a Schema Registry cluster

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role SystemAdmin --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role SystemAdmin --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role SystemAdmin --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>

Subject

You can configure the following roles for a Schema Registry subject:

  • DeveloperManage

  • DeveloperRead

  • DeveloperWrite

  • ResourceOwner

Example: Authorize the test user with permissions included in the ResourceOwner role of all Schema Registry subjects

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Subject:* --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Subject:* --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Subject:* --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>

Connect

Connect includes the following resource types: Cluster and Connector.

Cluster

You can configure the following roles for a Connect cluster:

  • AuditAdmin

  • ClusterAdmin

  • Operator

  • SecurityAdmin

  • SystemAdmin

  • UserAdmin

Example: Authorize the test user with permissions included in the SystemAdmin role of a Connect cluster

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role SystemAdmin --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role SystemAdmin --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role SystemAdmin --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>

Connector

You can configure the following roles for a Connect connector:

  • DeveloperManage

  • DeveloperRead

  • DeveloperWrite

  • ResourceOwner

Example: Authorize the test user with permissions included in the ResourceOwner role of all Connect connectors

# Create authorization.
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Connector:* --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>

# View authorization.
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Connector:* --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>

# Delete authorization.
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Connector:* --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>