User authorization
Overview
Kpow supports two methods of controlling user access to User actions.
- Simple Access Control creates global access controls from environment variable config
- Role Based Access Control integrates with User authentication and respects role based controls
User actions
Note: User actions apply to specific Domains. This is important when configuring Role Based Access Control.
The following actions are supported by both methods of access control.
Domain | Action | Control (when TRUE) |
---|---|---|
CLUSTER | TOPIC_DATA_QUERY | Allow users to read topic key and value data |
CLUSTER | TOPIC_DATA_DOWNLOAD | Allow users to download topic data from data inspect results |
CLUSTER | TOPIC_PRODUCE | Allow users to write new messages to topics |
CLUSTER | TOPIC_CREATE | Allow users to create new topics |
CLUSTER | TOPIC_EDIT | Allow users to edit topic configuration |
CLUSTER | TOPIC_DELETE | Allow users to delete topics |
CLUSTER | TOPIC_TRUNCATE | Allow users to truncate topics |
CLUSTER | TOPIC_ELECT_LEADER | Allow users to elect the leader replica of a topic partition |
CLUSTER | TOPIC_ALTER_REASSIGNMENTS | Allow users to edit the reassignments of a topic partition |
CLUSTER | GROUP_EDIT | Allow users to edit consumer groups and reset consumer offsets |
CLUSTER | GROUP_DELETE | Allow users to delete consumer groups and remove group members |
CLUSTER | BROKER_EDIT | Allow users to edit broker configuration |
CLUSTER | BROKER_UNREGISTER | Allow users to unregister brokers for clusters using Raft |
CLUSTER | ACL_EDIT | Allow users to create and delete Kafka ACLs |
CLUSTER | PRODUCER_EDIT | Allow users to abort transactions and fence Kafka Producers |
CLUSTER | QUOTA_EDIT | Allow users to create, edit and delete Kafka Quotas |
CLUSTER | ADMIN | Allow users to be a Kpow admin (view audit log, staged mutations) |
CLUSTER | BULK_ACTION | Allow users to perform bulk actions |
SCHEMA | SCHEMA_CREATE | Allow users to create new schemas and subjects |
SCHEMA | SCHEMA_VERSION_EDIT | Allow users to edit schemas and subjects |
SCHEMA | SCHEMA_DELETE | Allow users to delete subjects and schemas (both soft and permanent) |
SCHEMA | BULK_ACTION | Allow users to perform bulk actions |
CONNECT | CONNECT_CREATE | Allow users to create new connectors |
CONNECT | CONNECT_ALTER_STATE | Allow users to pause, stop, resume and restart connectors and tasks |
CONNECT | CONNECT_EDIT_CONFIG | Allow users to edit connector config |
CONNECT | CONNECT_DELETE | Allow users to delete connectors |
CONNECT | CONNECT_INSPECT | Allow users to view connector config |
CONNECT | BULK_ACTION | Allow users to perform bulk actions |
KSQLDB | KSQLDB_QUERY | Allow users to execute ksqlDB SQL queries (push or pull) |
KSQLDB | KSQLDB_EXECUTE | Allow users to execute ksqlDB SQL statements (e.g. CREATE_TABLE) |
KSQLDB | KSQLDB_TERMINATE_QUERY | Allow users to terminate ksqlDB streaming push queries |
KSQLDB | KSQLDB_INSERT | Allow users to insert ksqlDB rows into source tables or streams |
KSQLDB | BULK_ACTION | Allow users to perform bulk actions |
User permissions
Users are denied permissions on all actions by default.
To grant permission for a specific action, you must configure it as true.
In most cases where the user is denied permission for a particular action, the UI shows that denial directly to the user. In some cases the permission is determined on the back end, and the user is informed after the fact that they cannot take the requested action.