From feaed8fb4dfa7f811b5b4decad10bbe0e26c21b1 Mon Sep 17 00:00:00 2001 From: Joshua Nathaniel Miller Date: Wed, 10 Dec 2025 17:49:08 -0600 Subject: [PATCH] docs: add CONNECTOR resource type for granular connector-level permissions - Add CONNECTOR to supported resource types - Document connector actions and value format (connectName/connectorName) - Add examples for specific connector and wildcard permissions - Remove outdated "connectors selector not implemented yet" comment --- .../rbac-role-based-access-control/README.md | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/configuration/rbac-role-based-access-control/README.md b/configuration/rbac-role-based-access-control/README.md index 0a4b16e..ec1648f 100644 --- a/configuration/rbac-role-based-access-control/README.md +++ b/configuration/rbac-role-based-access-control/README.md @@ -99,7 +99,7 @@ Find the more detailed examples in a full example file lower. The next thing which is present in your roles file is, surprisingly, permissions. They consist of: -1. Resource Can be one of the: `CLUSTERCONFIG`, `TOPIC`, `CONSUMER`, `SCHEMA`, `CONNECT`, `KSQL`, `ACL`. +1. Resource Can be one of the: `CLUSTERCONFIG`, `TOPIC`, `CONSUMER`, `SCHEMA`, `CONNECT`, `CONNECTOR`, `KSQL`, `ACL`. 2. The resource value is either a fixed string or a regular expression identifying a resource. Value is not applicable to `clusterconfig` and `ksql` resources. Please do not fill it out. 3. Actions It's a list of actions (the possible values depend on the resource, see the lists below) that will be applied to the certain permission. Also, note, there's a special action for any of the resources called "all", it will virtually grant all the actions within the corresponding resource. An example for enabling viewing and creating topics whose name start with "derp": 
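Review bot: item 2 of this list, which is where the semantics of the resource value are explained, is not updated for the new `CONNECTOR` resource; it still only says the value is a fixed string or regular expression and that it does not apply to `clusterconfig` and `ksql`. The `connectName/connectorName` format is introduced only later, in the actions list, so a reader working through this numbered list will not know what to put in `value` for a connector permission. Suggest adding one sentence here, for example: "For `connector` resources the value has the form `connectName/connectorName`, and both parts are matched as a regular expression like any other value."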
@@ -119,7 +119,8 @@ A list of all the actions for the corresponding resources (please note neither r * `topic`: `view`, `create`, `edit`, `delete`, `messages_read`, `messages_produce`, `messages_delete`, `analysis_run`, `analysis_view` * `consumer`: `view`, `delete`, `reset_offsets` * `schema`: `view`, `create`, `delete`, `edit`, `modify_global_compatibility` -* `connect`: `view`, `edit`, `create`, `delete`,`operate`, `reset_offsets` +* `connect`: `view`, `edit`, `create`, `delete`, `operate`, `reset_offsets` — applies to all connectors in a connect cluster +* `connector`: `view`, `edit`, `create`, `delete`, `operate`, `reset_offsets` — granular per-connector permissions (value format: `connectName/connectorName`) * `ksql`: `execute` * `acl`: `view`, `edit` * `audit`: `view` @@ -218,11 +219,16 @@ rbac: - resource: connect value: "local" actions: [ view, edit, create, delete, operate, reset_offsets ] - # connectors selector not implemented yet, use connects - # selector: - # connector: - # name: ".*" - # class: 'io.kafbat.connectorName' + + # Granular connector-level permissions (value format: connectName/connectorName) + - resource: connector + value: "local/my-specific-connector" + actions: [ view, edit, operate ] + + # Wildcard for all connectors in a connect cluster + - resource: connector + value: "local/prod-.*" + actions: [ view ] - resource: ksql # value not applicable for ksql
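Review bot: the two new `connect` and `connector` entries do not say how the two resource types interact, which is the question an operator writing least-privilege roles will ask first: whether a `connect` grant implies every action on every connector in that cluster (the "applies to all connectors" wording suggests it does), and whether a `connector` grant on its own is enough to use the connector, or whether the role also needs at least `connect: view` on the parent cluster so the connector can be listed. Suggest stating both rules explicitly next to these two lines. Minor style point: the rest of this list carries no trailing explanations and no em-dashes, so consider moving the two explanations into the surrounding prose instead.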
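Review bot: the comment on the second new block, `# Wildcard for all connectors in a connect cluster`, does not match the value below it: `local/prod-.*` only matches connectors in `local` whose name starts with `prod-`, not all connectors. Either change the comment to say "all `prod-` connectors" or change the value to `local/.*` to match the comment. Separately, both granular examples sit in the same role as the preceding `- resource: connect` entry with `value: "local"` and the full action list, which per the text above already covers every connector in `local`, so the `connector` entries add nothing here and do not demonstrate a narrowed permission. Suggest moving the granular examples into a role that does not also hold the cluster-wide `connect` grant, or trimming that grant to `[ view ]`, so the example shows the actual least-privilege pattern the feature is meant for.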