Setting up the Event Streams UI for developer-only use

A quick tip for how to give a developer access to the IBM Event Streams UI only for the Kafka topics used by their application, and not everything else.

Imagine I’m a Kafka cluster admin. I’m running a cluster with a variety of topics on it.

Only viewing their own topics

One of my developers is responsible for the flight tracking app, and wants to use the Event Streams UI. But I don’t want them to be able to access the other sensitive topics for other applications.

I can create a separate login for the UI that only lets them see their own topics.

The permissions I want to give them are:

- operation: Read
  resource:
    name: FLIGHT.
    patternType: prefix
    type: topic

(Remember, managing my Kafka cluster through Kubernetes resources is a good fit with a CI/CD workflow.)

In context of a user definition, that looks like:

apiVersion: eventstreams.ibm.com/v1beta2
kind: KafkaUser
metadata:
  labels:
    eventstreams.ibm.com/cluster: es
  name: flight-topics
spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - operation: Read
        resource:
          name: FLIGHT.
          patternType: prefix
          type: topic
      - operation: Read
        resource:
          name: '*'
          patternType: literal
          type: group
      - operation: Read
        resource:
          name: __schema_
          patternType: prefix
          type: topic
    type: simple

(I’ve also given them access to view schemas, and see the consumer applications as well.)

When they log in with their flight-topics username and password, they only see the topics whose names start with the FLIGHT. prefix.

They can click into their topics to see the events:

Creating and viewing their own topics

I can do the same for the developer of the stock prices app. But that developer needs a bit more flexibility.

I still want them to only see topics relating to their application – with names that start with STOCK.PRICES., but I want them to be able to create new topics like that without needing to come and ask me to do it for them.

So I give them an extra Create permission:

- operation: Create
  resource:
    name: STOCK.PRICES.
    patternType: prefix
    type: topic
- operation: Read
  resource:
    name: STOCK.PRICES.
    patternType: prefix
    type: topic

In context of a whole user specification, that looks like:

apiVersion: eventstreams.ibm.com/v1beta2
kind: KafkaUser
metadata:
  labels:
    eventstreams.ibm.com/cluster: es
  name: stock-price-topics
spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - operation: Create
        resource:
          name: STOCK.PRICES.
          patternType: prefix
          type: topic
      - operation: Read
        resource:
          name: STOCK.PRICES.
          patternType: prefix
          type: topic
      - operation: Read
        resource:
          name: '*'
          patternType: literal
          type: group
      - operation: Read
        resource:
          name: __schema_
          patternType: prefix
          type: topic
    type: simple

When they log in with their stock-price-topics username and password, they can access the topics whose names start with the STOCK.PRICES. prefix.

And they get the button for creating a new topic.

Importantly, they will only be allowed to create new topics with names starting with STOCK.PRICES. – as their Create permission only covers that.

If they try to create a topic with a name that doesn't match that prefix, the request will fail.

Deleting their own topics

If I really want to give the stock price app developer control over these topics, I could also let them delete their own topics by adding another permission:

- operation: Delete
  resource:
    name: STOCK.PRICES.
    patternType: prefix
    type: topic
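To make the prefix-matching behaviour behind the Create and Delete sections concrete, here is an added example (not IBM's or Kafka's code) that models how a simple, allow-only ACL authorizer evaluates the stock-price-topics user's ACLs. The ACL entries are copied from the YAML above into Python dicts; the topic names used as inputs are constructed for the illustration.

```python
# Added example: a model of allow-only ACL matching for the KafkaUser ACLs
# in this post. It shows why a user with Create on the STOCK.PRICES. prefix
# can create STOCK.PRICES.NYSE but not FLIGHT.LANDINGS, and why Delete has
# to be granted as a separate ACL. Deny ACLs are not modelled here.

def acl(operation, name, pattern_type, res_type="topic"):
    """Build one entry in the shape of spec.authorization.acls."""
    return {"operation": operation,
            "resource": {"name": name, "patternType": pattern_type, "type": res_type}}

# The stock-price-topics user from the post (Create + Read on the prefix,
# Read on all consumer groups, Read on the schema topics).
STOCK_PRICE_USER = [
    acl("Create", "STOCK.PRICES.", "prefix"),
    acl("Read", "STOCK.PRICES.", "prefix"),
    acl("Read", "*", "literal", "group"),
    acl("Read", "__schema_", "prefix"),
]
# The same user with the optional Delete ACL from the "Deleting" section.
STOCK_PRICE_USER_WITH_DELETE = STOCK_PRICE_USER + [acl("Delete", "STOCK.PRICES.", "prefix")]

def resource_matches(rule, res_type, res_name):
    """Does one ACL's resource selector cover the given resource?"""
    res = rule["resource"]
    if res["type"] != res_type:
        return False
    if res["patternType"] == "literal":
        # The literal name '*' is Kafka's wildcard for every resource of that type.
        return res["name"] == "*" or res["name"] == res_name
    if res["patternType"] == "prefix":
        # A prefix ACL covers any name that starts with the prefix, trailing dot included.
        return res_name.startswith(res["name"])
    raise ValueError("unknown patternType: " + res["patternType"])

def is_allowed(acls, operation, res_type, res_name):
    """Allow-only evaluation: permitted only if some ACL grants the operation."""
    return any(rule["operation"] == operation and resource_matches(rule, res_type, res_name)
               for rule in acls)

def visible_topics(acls, all_topics):
    """The topics the UI would list for this user: those it can Read."""
    return [t for t in all_topics if is_allowed(acls, "Read", "topic", t)]

# Constructed sample of topics on the cluster (not from the post).
CLUSTER_TOPICS = ["FLIGHT.LANDINGS", "STOCK.PRICES.NYSE", "STOCK.PRICES.LSE", "PAYROLL"]
```

Note that "STOCK.PRICES" without the trailing dot does not match the prefix, so the exact prefix string in the ACL decides which names a developer can create.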

Enabling all of this

To do this, you need to switch the Event Streams UI to using SCRAM credentials as an authentication mechanism. In your EventStreams instance, you add:

spec:
  adminUI:
    authentication:
      - type: scram-sha-512

If you do that, the login page changes to look like this:

Then I just need to give myself an admin user that can see everything:

apiVersion: eventstreams.ibm.com/v1beta2
kind: KafkaUser
metadata:
  labels:
    eventstreams.ibm.com/cluster: es
  name: admin
spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - operation: Delete
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: Write
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: Read
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: Create
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: Read
        resource:
          name: '*'
          patternType: literal
          type: group
      - operation: Read
        resource:
          name: __schema_
          patternType: prefix
          type: topic
      - operation: Alter
        resource:
          name: __schema_
          patternType: prefix
          type: topic
      - operation: Write
        resource:
          name: '*'
          patternType: literal
          type: transactionalId
    type: simple
