Securing Kafka Topics with Confluent Cloud Role-Based Access Control
To secure Kafka topics in Confluent Cloud you control which principals (users or service accounts) may perform which operations on them: read, write, create, or administer. Confluent Cloud offers two authorization mechanisms for this, Kafka access control lists (ACLs) and Role-Based Access Control (RBAC) role bindings, and a principal is authorized if either one grants the operation. Here's how you'd set both up with Pulumi in Python:
- Reference the Kafka cluster: the topic and ACL resources point at an existing Confluent Cloud Kafka cluster by its ID.
- Create Kafka topics: Kafka topics are the named feeds to which messages are published.
- Manage ACLs with KafkaAcl: these resources define fine-grained allow or deny rules for a principal performing a specific operation on a topic (or consumer group) within your Confluent Cloud environment.
- Establish role bindings: a RoleBinding associates a predefined role (such as DeveloperRead or DeveloperWrite) with a principal over a resource pattern (a CRN) in the Kafka cluster, thereby granting the permissions that the role defines.
Below is the Python code that uses Pulumi to create a Kafka topic in Confluent Cloud, configure an ACL for it, and establish a role binding:
```python
import pulumi
import pulumi_confluentcloud as confluentcloud

# Replace these with your Confluent Cloud environment and cluster IDs
environment_id = "env-abc123"
kafka_cluster_id = "lkc-abcdef"

# KafkaTopic and KafkaAcl talk to the cluster's Kafka REST endpoint and
# authenticate with a Kafka API key, so both need rest_endpoint and credentials.
# They are read from Pulumi config here so the secret is never committed:
#   pulumi config set kafkaRestEndpoint https://...
#   pulumi config set --secret kafkaApiKey ...
#   pulumi config set --secret kafkaApiSecret ...
cfg = pulumi.Config()
kafka_rest_endpoint = cfg.require("kafkaRestEndpoint")
kafka_api_key = cfg.require_secret("kafkaApiKey")
kafka_api_secret = cfg.require_secret("kafkaApiSecret")

# Create a new Kafka topic
kafka_topic = confluentcloud.KafkaTopic(
    "my-topic",
    kafka_cluster=confluentcloud.KafkaTopicKafkaClusterArgs(id=kafka_cluster_id),
    topic_name="pulumi-topic",
    partitions_count=3,
    # Topic-level settings are a mapping of Kafka config names to string values
    config={
        "cleanup.policy": "delete",
        "retention.ms": "3600000",
    },
    rest_endpoint=kafka_rest_endpoint,
    credentials=confluentcloud.KafkaTopicCredentialsArgs(
        key=kafka_api_key, secret=kafka_api_secret
    ),
)

# Define an ACL on the topic for a principal
kafka_acl = confluentcloud.KafkaAcl(
    "my-acl",
    kafka_cluster=confluentcloud.KafkaAclKafkaClusterArgs(id=kafka_cluster_id),
    resource_type="TOPIC",
    # resource_name_ (trailing underscore): the ACL's resource name; plain
    # resource_name is the Pulumi resource name passed as the first argument
    resource_name_=kafka_topic.topic_name,
    pattern_type="LITERAL",
    principal="User:12345678",  # Replace with the actual user or service account principal
    host="*",                   # Confluent Cloud ACLs are not host-scoped
    operation="WRITE",
    permission="ALLOW",
    rest_endpoint=kafka_rest_endpoint,
    credentials=confluentcloud.KafkaAclCredentialsArgs(
        key=kafka_api_key, secret=kafka_api_secret
    ),
)

# Establish a role binding for the principal, granting DeveloperWrite on this topic.
# topic_name is a Pulumi Output, so the CRN must be built with Output.concat,
# not an f-string (which would embed the Output object's repr, not the name).
role_binding = confluentcloud.RoleBinding(
    "my-role-binding",
    principal="User:12345678",  # Replace with the actual user or service account principal
    role_name="DeveloperWrite",
    crn_pattern=pulumi.Output.concat(
        "crn://confluent.cloud/organization=org-123/environment=", environment_id,
        "/kafka=", kafka_cluster_id,
        "/topic=", kafka_topic.topic_name,
    ),
)

# Export the Kafka topic name
pulumi.export("topic_name", kafka_topic.topic_name)
```
In this code snippet:
- We use the pulumi_confluentcloud package, which provides the resources needed to interact with Confluent Cloud.
- We define a KafkaTopic resource with a specific topic name, partition count, and configuration. Topic settings are passed as a mapping of Kafka config names (cleanup.policy, retention.ms) to string values.
- We define a KafkaAcl resource that allows the specified principal to WRITE to the topic. The ACL's resource name is passed as resource_name_ (with a trailing underscore) because resource_name is already the Pulumi resource's own name.
- We establish a RoleBinding resource that binds the DeveloperWrite role to the principal for the specific topic, identified by its CRN, effectively granting the permissions associated with that role. Because the topic name is a Pulumi Output, the CRN is assembled with pulumi.Output.concat rather than an f-string.
- Both the topic and the ACL are managed through the cluster's Kafka REST endpoint and authenticated with a Kafka API key, so both resources take rest_endpoint and credentials; here they come from Pulumi config, with the key and secret stored as Pulumi secrets.
Please note that you need to replace "User:12345678" with the actual principal of the user or service account you want to grant permissions to; in Confluent Cloud this is the account's resource ID prefixed with User:. For an application, use a service account rather than a person's account, so the grant can be rotated and revoked independently of staff changes. Also replace env-abc123, lkc-abcdef and org-123 with your actual Confluent Cloud environment, cluster and organization IDs, which you can find in the Confluent Cloud dashboard or with the confluent CLI.
Two practical caveats. ACLs and role bindings are evaluated independently, so granting a principal both DeveloperWrite and a WRITE ACL on the same topic, as the example does, is redundant and doubles the places you must audit when revoking access; pick one mechanism per principal. And keep every grant scoped to a literal topic name as above: a PREFIXED ACL pattern or a topic=* CRN hands out access to topics that do not exist yet.