{"id":4754,"date":"2022-12-09T14:08:14","date_gmt":"2022-12-09T14:08:14","guid":{"rendered":"https:\/\/dalelane.co.uk\/blog\/?p=4754"},"modified":"2022-12-09T14:08:14","modified_gmt":"2022-12-09T14:08:14","slug":"setting-up-the-event-streams-ui-for-developer-only-use","status":"publish","type":"post","link":"https:\/\/dalelane.co.uk\/blog\/?p=4754","title":{"rendered":"Setting up the Event Streams UI for developer-only use"},"content":{"rendered":"

A quick tip for how to give a developer access to the IBM Event Streams UI only for the Kafka topics used by their application, and not everything else.<\/strong><\/p>\n

Imagine I’m a Kafka cluster admin. I’m running a cluster with a variety of topics on it.<\/p>\n

<\/p>\n

Only viewing their own topics<\/h3>\n

One of my developers is responsible for the flight tracking app, and wants to use the Event Streams UI. But I don’t want them to be able to access the other sensitive topics for other applications.<\/p>\n

I can create them their own login for the UI, that only lets them see their own topics<\/strong>.<\/p>\n

The permissions I want to give them are:<\/p>\n

- operation: Read\n  resource:\n    name: FLIGHT.\n    patternType: prefix\n    type: topic<\/pre>\n
(Remember, managing my Kafka cluster through Kubernetes resources is a good fit with a CI\/CD workflow<\/a>.)<\/p>\n
In context of a user definition, that looks like:<\/p>\n
apiVersion: eventstreams.ibm.com\/v1beta2\nkind: KafkaUser\nmetadata:\n  labels:\n    eventstreams.ibm.com\/cluster: es\n  name: flight-topics\nspec:\n  authentication:\n    type: scram-sha-512\n  authorization:\n    acls:\n      - operation: Read\n        resource:\n          name: FLIGHT.\n          patternType: prefix\n          type: topic\n      - operation: Read\n        resource:\n          name: '*'\n          patternType: literal\n          type: group\n      - operation: Read\n        resource:\n          name: __schema_\n          patternType: prefix\n          type: topic\n    type: simple<\/pre>\n
(I’ve also given them access to view schemas, and see the consumer applications as well.)<\/p>\n
When they login with their flight-topics<\/code> username and password, they only see the topics that have names starting with FLIGHT.<\/code>.<\/p>\n
<\/p>\n
They can click into their topics to see the events:<\/p>\n
<\/p>\n
Creating and viewing their own topics<\/h3>\n
I can do the same for the developer of the stock prices app. But that developer needs a bit more flexibility.<\/p>\n
I still want them to only see topics relating to their application – with names that start with STOCK.PRICES.<\/code>, but I want them to be able to create new topics like that without needing to come and ask me to do it for them.<\/p>\n
So I give them an extra Create<\/code> permission:<\/p>\n
- operation: Create\n  resource:\n    name: STOCK.PRICES.\n    patternType: prefix\n    type: topic\n- operation: Read\n  resource:\n    name: STOCK.PRICES.\n    patternType: prefix\n    type: topic<\/pre>\n
In context of a whole user specification, that looks like:<\/p>\n
apiVersion: eventstreams.ibm.com\/v1beta2\nkind: KafkaUser\nmetadata:\n  labels:\n    eventstreams.ibm.com\/cluster: es\n  name: stock-price-topics\nspec:\n  authentication:\n    type: scram-sha-512\n  authorization:\n    acls:\n      - operation: Create\n        resource:\n          name: STOCK.PRICES.\n          patternType: prefix\n          type: topic\n      - operation: Read\n        resource:\n          name: STOCK.PRICES.\n          patternType: prefix\n          type: topic\n      - operation: Read\n        resource:\n          name: '*'\n          patternType: literal\n          type: group\n      - operation: Read\n        resource:\n          name: __schema_\n          patternType: prefix\n          type: topic\n    type: simple<\/pre>\n
When they login with their stock-price-topics<\/code> username and password, they access topics with names starting with STOCK.PRICES.<\/code><\/p>\n
<\/p>\n
And<\/strong> they get the button for creating a new topic.<\/p>\n
<\/p>\n
Importantly, they will only be allowed to create new topics with names starting with STOCK.PRICES.<\/code> – as their Create<\/code> permission only covers that.<\/p>\n
<\/p>\n
If they try and create a topic with a name that doesn’t match that prefix, that will fail.<\/p>\n
Deleting their own topics<\/h3>\n
If I really want to give the stock price app developer control over these topics, I could also let them delete their own topics by adding another permission:<\/p>\n
- operation: Delete\n  resource:\n    name: STOCK.PRICES.\n    patternType: prefix\n    type: topic<\/pre>\n
Enabling all of this<\/h3>\n
To do this, you need to switch the Event Streams UI to using SCRAM credentials as an authentication mechanism. In your EventStreams<\/code> instance, you add:<\/p>\n
spec:\n  adminUI:\n    authentication:\n      - type: scram-sha-512<\/pre>\n
If you do that, the login page changes to look like this:<\/p>\n
<\/p>\n
Then I just need to give myself an admin user that can see everything:<\/p>\n
apiVersion: eventstreams.ibm.com\/v1beta2\nkind: KafkaUser\nmetadata:\n  labels:\n    eventstreams.ibm.com\/cluster: es\n  name: admin\nspec:\n  authentication:\n    type: scram-sha-512\n  authorization:\n    acls:\n      - operation: Delete\n        resource:\n          name: '*'\n          patternType: literal\n          type: topic\n      - operation: Write\n        resource:\n          name: '*'\n          patternType: literal\n          type: topic\n      - operation: Read\n        resource:\n          name: '*'\n          patternType: literal\n          type: topic\n      - operation: Create\n        resource:\n          name: '*'\n          patternType: literal\n          type: topic\n      - operation: Read\n        resource:\n          name: '*'\n          patternType: literal\n          type: group\n      - operation: Read\n        resource:\n          name: __schema_\n          patternType: prefix\n          type: topic\n      - operation: Alter\n        resource:\n          name: __schema_\n          patternType: prefix\n          type: topic\n      - operation: Write\n        resource:\n          name: '*'\n          patternType: literal\n          type: transactionalId\n    type: simple<\/pre>\n","protected":false},"excerpt":{"rendered":"
A quick tip for how to give a developer access to the IBM Event Streams UI only for the Kafka topics used by their application, and not everything else. Imagine I’m a Kafka cluster admin. I’m running a cluster with a variety of topics on it. Only viewing their own topics One of my developers […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,4],"tags":[593,582,583,584],"class_list":["post-4754","post","type-post","status-publish","format-standard","hentry","category-code","category-ibm","tag-apachekafka","tag-eventstreams","tag-ibmeventstreams","tag-kafka"],"_links":{"self":[{"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4754"}],"version-history":[{"count":0,"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4754\/revisions"}],"wp:attachment":[{"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dalelane.co.uk\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}