Skip to main content

ConsoleGroup

  • API key(s): AdminToken
  • Managed with: UI, CLI, API, TF
  • Labels support: Missing
Creates a group with members and permissions in Console. 
---
apiVersion: iam/v2
kind: Group
metadata:
  name: developers-a
spec:
  displayName: "Developers Team A"
  description: "Members of the Team A - Developers"
  externalGroups:
    - "LDAP-GRP-A-DEV"
  externalGroupRegex:
    - "LDAP*"
  members:
    - [email protected]
    - [email protected]
  permissions:
    - resourceType: TOPIC
      cluster: shadow-it
      patternType: PREFIXED
      name: toto-
      permissions:
        - topicViewConfig
        - topicConsume
        - topicProduce
Groups checks:
  • spec.description is optional
  • spec.externalGroups is a list of LDAP or OIDC groups to sync with this Console Group
    • Members added this way will not appear in spec.members but spec.membersFromExternalGroups instead
  • spec.externalGroupRegex is a list of regex patterns that can match to a series of LDAP or OIDC groups to sync with this Console group. Members added this way will not appear in spec.members list.
    • Supports regex patterns for dynamic group matching (e.g., ^TEAM-.* to match all groups starting with “TEAM-”)
  • spec.membersFromExternalGroups is a read-only list of members added through spec.externalGroups or spec.externalGroupRegex
  • spec.members must be email addresses of members you wish to add to this group
  • spec.permissions are valid permissions as defined in Permissions
Side effects in Console and Kafka:
  • Console
    • Members of the Group are given the associated permissions in the UI over the resources
    • Members of the LDAP or OIDC groups will be automatically added or removed upon login
  • Kafka
    • No side effects

ConsoleUser

  • API key(s): AdminToken
  • Managed with: UI, CLI, API, TF
  • Labels support: Missing
Creates a user with Console permissions. 
---
apiVersion: iam/v2
kind: User
metadata:
  name: [email protected]
spec:
  firstName: "John"
  lastName: "Doe"
  permissions:
    - resourceType: PLATFORM
      permissions:
        - taasView
        - datamaskingView
    - resourceType: TOPIC
      cluster: shadow-it
      patternType: PREFIXED
      name: toto-
      permissions:
        - topicViewConfig
        - topicConsume
        - topicProduce
Make sure you set permissions for this user, otherwise it won’t have access to Console functionality (such as Application Catalog or Kafka resources.
User checks:
  • spec.permissions are valid permissions as defined in Permissions
Side effects in Console and Kafka:
  • Console
    • User is given the associated permissions in the UI over the resources
  • Kafka
    • No side effects

KafkaCluster

Creates a Kafka cluster definition in Console.
  • API key(s): AdminToken
  • Managed with: UI, CLI, API, TF
  • Labels support: Partial
---
apiVersion: console/v2
kind: KafkaCluster
metadata:
  name: my-dev-cluster
spec:
  displayName: "My Dev Cluster"
  icon: "kafka"
  color: "#000000"
  bootstrapServers: "localhost:9092"
  ignoreUntrustedCertificate: false
  properties:
    sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";
    security.protocol: SASL_SSL
    sasl.mechanism: PLAIN
  schemaRegistry:
    type: "ConfluentLike"
    url: http://localhost:8080
    security:
      type: BasicAuth
      username: some_user
      password: some_password
    ignoreUntrustedCertificate: false
  kafkaFlavor:
    type: "Confluent"
    key: "string"
    secret: "string"
    confluentEnvironmentId: "string"
    confluentClusterId: "string"
metadata.name, spec.displayName, spec.icon and spec.color are combined to create the visual identity of the KafkaCluster within Console.
KafkaCluster checks:
  • spec.icon (optional, default kafka) is a valid entry from our Icon Sets
  • spec.color (optional, default #000000) is a HEX color for spec.icon
  • spec.ignoreUntrustedCertificate (optional, default false) must be one of [true, false]
  • spec.schemaRegistry.type (optional) must be one of [ConfluentLike, Glue]
  • spec.kafkaFlavor.type (optional) must be one of [Confluent, Aiven, Gateway]
Conduktor CLI does not verify that your Kafka configuration (spec.bootstrapServers, spec.properties, etc.) is valid. You need to check that in Console directly.

Schema registry

This section lets you associate a schema registry to your KafkaCluster.

Confluent or Confluent-like Registry

spec:
  schemaRegistry:
    type: "ConfluentLike"
    url: http://localhost:8080
    ignoreUntrustedCertificate: false
    security:
      type: BasicAuth
      username: some_user
      password: some_password
Confluent schema registry checks:
  • spec.schemaRegistry.urls must be a single URL of a Kafka Connect cluster
    • Multiple URLs are not supported for now. Coming soon
  • spec.schemaRegistry.ignoreUntrustedCertificate (optional, default false) must be one of [true, false]
  • spec.schemaRegistry.properties (optional) is Java Properties formatted key values to further configure the SchemaRegistry
  • spec.security.type (optional) must be one of [BasicAuth, BearerToken, SSLAuth]

AWS Glue registry

spec:
  schemaRegistry:
    type: "Glue"
    region: eu-west-1
    registryName: default
    security:
      type: Credentials
      accessKeyId: accessKey
      secretKey: secretKey
AWS Glue registry checks:
  • spec.schemaRegistry.region must be a valid AWS region
  • spec.schemaRegistry.registryName must be a valid AWS Glue Registry in this region
  • spec.schemaRegistry.security.type must be one of [Credentials, FromContext, FromRole]
Credentials
Use AWS API Key/Secret to connect to the Glue registry. 
    security:
      type: Credentials
      accessKeyId: AKIAIOSFODNN7EXAMPLE
      secretKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
FromContext 
    security:
      type: FromContext
      profile: default
FromRole 
    security:
      type: FromRole
      role: arn:aws:iam::123456789012:role/example-role

Kafka provider

This section lets you configure the Kafka provider for this KafkaCluster. Confluent Cloud Provide your Confluent Cloud details to get additional features in Console:
  • Confluent Cloud service account support
  • Confluent Cloud API key support
spec:
  kafkaFlavor:
    type: "Confluent"
    key: "yourApiKey123456"
    secret: "yourApiSecret123456"
    confluentEnvironmentId: "env-12345"
    confluentClusterId: "lkc-67890"
Aiven Provide your Aiven Cloud details to get additional features in Console:
  • Aiven service accounts support
  • Aiven ACLs support
spec:
  kafkaFlavor:
    type: "Aiven"
    apiToken: "a1b2c3d4e5f6g7h8i9j0"
    project: "my-kafka-project"
    serviceName: "my-kafka-service"
Gateway Provide your Gateway details to get additional features in Console:
  • Interceptor support
spec:
  kafkaFlavor:
    type: "Gateway"
    url: "http://gateway:8888"
    user: "admin"
    password: "admin"
    virtualCluster: passthrough

Icon sets

cloudBoltcloudRainbowcloudsnowflake
pooStormpoopboltumbrella
tennisBallrugbyBalltrafficConefaucet
basketShoppingboxscaleBalancedsunglasses
swordaxeBattlevialfeatherPointed
bombflagheartkey
fireExtinguisherfireFlameCurvedalienhelmetBattle
ghostrobotdogelephant
birdcrabcatSpaceplanetRinged
meteormoonspaceStationrocketLaunch
paperPlanecarSidebuildingColumnscastle
acornburgerLettucecroissantmug
cactusclovercameraCctvcalendar
alarmClockcompassgamepadModernserver
shieldBlankcomputerClassicdharmachakrakafka

KafkaConnectCluster

Creates a Kafka Connect cluster definition in Console.
  • API key(s): AdminToken
  • Managed with: API, CLI, UI, TF
  • Labels support: Partial
---
apiVersion: console/v2
kind: KafkaConnectCluster
metadata:
  cluster: my-dev-cluster
  name: connect-1
spec:
  displayName: "Connect 1"
  urls: "http://localhost:8083"
  headers:
    X-PROJECT-HEADER: value
    AnotherHeader: test
  ignoreUntrustedCertificate: false
  security:
    type: "BasicAuth"
    username: "toto"
    password: "my-secret"
KafkaConnectCluster checks:
  • metadata.cluster has to be a valid KafkaCluster name.
  • spec.urls has to be a single URL of a Kafka Connect cluster. Multiple URLs are not currently supported.
  • spec.ignoreUntrustedCertificate (optional, default false). Has to be true or false.
  • spec.headers (optional) has to be key-value pairs of HTTP headers.
  • spec.security.type (optional) has to be BasicAuth, BearerToken or SSLAuth. Find out more.

KsqlDBCluster

  • API key(s): AdminToken
  • Managed with: UI, CLI, API
  • Labels support: Missing
Creates a ksqlDB cluster definition in Console. 
---
apiVersion: console/v2
kind: KsqlDBCluster
metadata:
  cluster: my-dev-cluster
  name: ksql-1
spec:
  displayName: "KSQL 1"
  url: "http://localhost:8088"
  ignoreUntrustedCertificate: false
  security:
    type: "BasicAuth"
    username: "toto"
    password: "my-secret"
KafkaConnectCluster checks:
  • metadata.cluster has to be a valid KafkaCluster name.
  • spec.url has to be a single URL of a KsqlDB cluster.
  • spec.ignoreUntrustedCertificate (optional), default is false. Has to be true or false.
  • spec.headers (optional) has to be key-value pairs of HTTP headers.
  • spec.security.type (optional) has to be BasicAuth, BearerToken or SSLAuth. Find out more.

Integrations

Manage your integrations for alerts in Console.
  • API key(s): AdminToken
  • Managed with: UI, CLI, API
  • **Labels support: Missing
---
apiVersion: v3
kind: Integration
metadata:
    name: Teams
spec: {}

---
apiVersion: v3
kind: Integration
metadata:
    name: Slack
spec:
    config:
        token: myToken
        type: Slack
---
Monitoring checks:
  • metadata.name has to be a valid integration name, here is the currently available integration: [Teams, Slack, Webhook, Email]
  • spec is equal to an empty object when you don’t have any configuration attached to a specific integration: [Teams, Webhook]
  • spec.config should be a valid configuration for [Slack, Email], the spec.config.type should match the name of the integration

Alerts

  • API key(s): AdminToken, AppToken
  • Managed with: UI, CLI, API
  • Labels support: Missing
Creates an alert in Console. 
---
apiVersion: console/v3
kind: Alert
metadata:
  name: messages-in-dead-letter-queue
  group: support-team # will be the owner of the alert, can be either a user, a group or an appInstance
  # user: [email protected]
  # appInstance: my-app-instance
spec:
  cluster: my-dev-cluster
  type: TopicAlert
  topicName: wikipedia-parsed-DLQ
  metric: MessageCount
  operator: GreaterThan
  threshold: 0
  description: "Alert for monitoring messages in dead letter queue"
  displayName: "DLQ message count alert"
  destination:
    type: Slack
    channel: "alerts-p1"
Alert checks:
  • metadata.user|metadata.group|metadata.appInstance has to be a valid user, group or appInstance.
  • metadata.destination.type can be either Slack, Teams or Webhook. When set to:
    • Slack: has to be a valid Slack channel ID
    • Teams: has to be a valid Teams webhook URL
    • Webhook:
      • spec.destination.url has to be a valid URL
      • spec.destination.method has to be GET, POST, PUT or DELETE
      • spec.destination.headers (optional) has to be key-value pairs of HTTP headers
      • spec.destination.authentication.type (optional) has to be BasicAuth (define spec.destination.authentication.username and spec.destination.authentication.password) or BearerToken (define spec.destination.authentication.token).
  • spec.cluster has to be a valid KafkaCluster name.
  • spec.type has to be BrokerAlert,TopicAlert, KafkaConnectAlert or ConsumerGroupAlert. When set to:
    • BrokerAlert: spec.metric has to be MessageIn, MessageOut, MessageSize, OfflinePartitionCount, PartitionCount, UnderMinIsrPartitionCount or UnderReplicatedPartitionCount.
    • TopicAlert: spec.metric has to be MessageCount, MessageIn, MessageOut or MessageSize and the spec.topicName has to be a Kafka topic that the owner can access.
    • KafkaConnectAlert:spec.metric has to be FailedTaskCount;spec.connectName has to be a valid KafkaConnect cluster associated to this spec.cluster Kafka cluster and spec.connectorName has to be a Kafka Connect Connector that the owner can access.
    • ConsumerGroupAlert:spec.metric has to be OffsetLag or TimeLag and spec.consumerGroupName has to be a Kafka Consumer group that the owner can access.
  • spec.metric depends on the spec.type.
  • spec.operator has to be GreaterThan, GreaterThanOrEqual, LessThan, LessThanOrEqual or NotEqual.
  • spec.threshold has to be a number.
  • spec.description (optional) provides a text description of the alert.
  • spec.displayName (optional) provides a display name for the alert.
  • spec.disable (optional), default is false. Has to be true or false.
Alert resolution: Alerts resolve (stop firing) when the metric value no longer meets the threshold condition defined by the comparison operator (GreaterThan, LessThan, etc.).

Partner Zones

  • API key(s): AdminToken
  • Managed with: UI, CLI, API
  • Labels support: Partial
Create or update a Partner Zone. 
---
apiVersion: console/v2
kind: PartnerZone
metadata:
  name: external-partner-zone
spec:
  displayName: External Partner Zone
  description: An external partner to exchange data with.
  url: https://partner1.com
  partner:
    name: John Doe
    role: Data analyst
    email: [email protected]
    phone: 07827 837 177
  cluster: cdk-gateway
  underlyingCluster: cluster1
  authenticationMode:
    serviceAccount: partner-external-partner
    type: PLAIN
  vclusterName: custom-vcluster-name
  topics:
    - name: topic-a
      backingTopic: kafka-topic-a
      permission: WRITE
    - name: topic-b
      backingTopic: kafka-topic-a
      permission: READ
  trafficControlPolicies:
    maxProduceRate: 1e+06
    maxConsumeRate: 1e+06
    limitCommitOffset: 30
  headers:
    addOnProduce:
        - key: partner-name
          value: external-analytics-partner
          overrideIfExists: false
        - key: client-info
          value: "Client:{{clientId}}, from IP:{{userIp}}"
          overrideIfExists: true
        - key: kafka-api
          value: "Kafka API Key:{{apiKey}}, version {{apiKeyVersion}}"
          overrideIfExists: true
        - key: produce-metadata
          value: "User:{{user}}, via Gateway:{{gatewayHost}}, at timestampMillis:{{timestampMillis}}"
          overrideIfExists: true
    removeOnConsume:
        - keyRegex: my_team_prefix.*
Partner Zone checks:
  • spec.displayName is mandatory.
  • spec.description, spec.url and spec.partner (optional), useful for context information.
  • spec.cluster has to be a valid Console cluster technical ID with the Provider configured as Gateway.
  • spec.underlyingCluster has to be a valid Console cluster technical ID where the cluster has to be defined under the Gateway defined by the spec.gatewayClusterId.
    • When not specified, the value is inferred to be equal to the spec.gatewayClusterId field, hence selecting the main cluster behind Gateway by default.
  • spec.authenticationMode.type must be one of [PLAIN, OAUTHBEARER, MTLS]. See authentication examples for detailed configuration.
  • spec.authenticationMode.serviceAccount requirements depend on the authentication type:
    • PLAIN: Any unique identifier for your partner (e.g., partner-external-partner). This will be created as a local Gateway service account automatically if it doesn’t exist.
    • OAUTHBEARER: Must match the “sub” claim in the partner’s OAuth/OIDC token (e.g., oauth-partner-service-account). The partner needs to authenticate using their OAuth provider.
    • MTLS: Must match the client’s Distinguished Name (DN) from their certificate, unless you’ve modified GATEWAY_SSL_PRINCIPAL_MAPPING_RULES (e.g., CN=partner-client,OU=Engineering,O=PartnerCorp,C=US).
  • spec.vclusterName (optional), custom name for the Virtual Cluster. If not provided, it will be auto-generated.
  • topics[].name is the name of the topic as it should appear to your external partner. This can be different from backingTopic.
  • topics[].backingTopic is the internal name of the topic that you want to share.
  • topics[].permission has to be set to either READ or WRITE (which includes READ).
  • trafficControlPolicies.maxProduceRate (optional), sets the maximum rate (in bytes/s) at which the partner can produce messages to the topics per Gateway node.
  • trafficControlPolicies.maxConsumeRate (optional), sets the maximum rate (in bytes/s) at which the partner can consume messages from the topics per Gateway node.
  • trafficControlPolicies.limitCommitOffset (optional), sets the maximum number of commit requests (in requests/minute) that the partner can make per Gateway node.
  • headers.addOnProduce (optional), list of headers to inject when producing messages. The value field supports special variables: {{user}}, {{userIp}}, {{clientId}}, {{apiKey}}, {{apiKeyVersion}}, {{gatewayHost}}, {{timestampMillis}}.
  • headers.removeOnConsume (optional), list of header key patterns (regex) to remove when consuming messages.
Side effects in Console and Kafka: Once created or updated, the following fields will be made available:
  • metadata.updatedAt (by consecutive get from the CLI/API).
  • metadata.status (by consecutive get from the CLI/API.) Possible values are PENDING, READY or FAILED.
  • metadata.failedReason will be populated in case of FAILED status.
  • The service account will be created if it doesn’t exist and will be granted the permissions as declared in spec.topics.
  • The traffic control policies will be applied to the service account.

DataQualityRule

  • API key(s): AdminToken
  • Managed with: UI, CLI, API
  • Labels support: Yes
Create or update a data quality rule that validates data quality for Kafka topics. 
---
apiVersion: v1
kind: DataQualityRule
metadata:
  name: email-validation-rule
  labels:
    category: validation
    team: data-quality
spec:
  type: Cel
  displayName: Email validation rule
  description: Validates that email field contains a valid email address
  celExpression: 'record.email.matches("^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$")'
  customErrorMessage: Email address is not valid
DataQualityRule checks:
  • metadata.name is mandatory and must be unique.
  • metadata.labels is optional and can be used to organize rules.
  • spec.type has to be one of: Cel, JsonSchema, EnforceAvro, EnforceSchemaId.
  • spec.displayName is mandatory and is shown in the Console UI.
  • spec.description is optional but recommended to explain what the rule validates.
  • spec.customErrorMessage is optional and provides a custom error message when validation fails.
  • For Cel type:
    • spec.celExpression is mandatory and contains the CEL (Common Expression Language) expression to validate records.
  • For JsonSchema type:
    • spec.schema is mandatory and contains the JSON schema object to validate records against.
  • For EnforceAvro type:
    • Validates that records conform to an Avro schema.
  • For EnforceSchemaId type:
    • Validates that records use a specific schema ID from Schema Registry.
Side effects in Console and Kafka: Once created or updated, the following fields will be made available:
  • metadata.createdAt (read-only timestamp).
  • metadata.updatedAt (read-only timestamp).
  • metadata.createdBy (read-only user identifier).
  • metadata.updatedBy (read-only user identifier).
  • metadata.attachedPolicies (read-only list of policies using this rule).

DataQualityPolicy

  • API key(s): AdminToken
  • Managed with: UI, CLI, API
  • Labels support: No
Create or update a data quality policy that applies rules to specific Kafka topics. 
---
apiVersion: v1
kind: DataQualityPolicy
metadata:
  name: user-data-validation-policy
spec:
  displayName: User data validation policy
  description: Validates all user data before it is produced to topics
  rules:
    - email-validation-rule
    - user-schema-rule
  targets:
    - cluster: main-cluster
      topic: users
      patternType: LITERAL
    - cluster: main-cluster
      topic: user-events-
      patternType: PREFIXED
  actions:
    block:
      enabled: true
    mark:
      enabled: false
DataQualityPolicy checks:
  • metadata.name is mandatory and must be unique.
  • spec.displayName is mandatory and is shown in the Console UI.
  • spec.description is optional but recommended to explain the policy’s purpose.
  • spec.rules is a list of DataQualityRule names to apply (references to rules created separately).
  • spec.targets is mandatory and defines which topics the policy applies to:
    • cluster is a valid Kafka cluster technical ID.
    • topic is the topic name or prefix.
    • patternType has to be either LITERAL (exact match) or PREFIXED (prefix match).
  • spec.actions defines what happens when a rule violation occurs:
    • block.enabled (optional, defaults to false) - when true, blocks messages that violate rules from being produced. Only available if the configured cluster is a Conduktor Gateway cluster with the appropriate license.
    • mark.enabled (optional, defaults to false) - when true, marks messages that violate rules with a header but allows production.
Side effects in Console and Kafka: Once created or updated, the following fields will be made available:
  • metadata.nameForMetrics (read-only identifier used in metrics).
  • metadata.group (read-only group identifier).
  • metadata.createdAt (read-only timestamp).
  • metadata.updatedAt (read-only timestamp).
  • metadata.createdBy (read-only user identifier).
  • metadata.updatedBy (read-only user identifier).
  • metadata.status (read-only status: failed, pending, or ready).
  • metadata.statuses (read-only per-cluster deployment status).
  • metadata.metrics (read-only metrics showing evaluation and violation counts).
  • metadata.attachedRules (read-only list of rules attached to this policy).
  • Data quality rules are enforced on the specified topics.
  • Messages violating rules are blocked or marked based on the configured actions.

HTTP security properties

HTTP security properties are used in KafkaCluster (schema registry), KafkaConnect and KsqlDBCluster.

Basic authentication

  security:
    type: "BasicAuth"
    username: "toto"
    password: "my-secret"

Bearer token

  security:
    type: "BearerToken"
    token: "toto"

mTLS/client certificate

  security:
    type: "SSLAuth"
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIOXzCCDUegAwIBAgIRAPRytMVYJNUgCbhnA+eYumgwDQYJKoZIhvcNAQELBQAw
      ...
      IFyCs+xkcgvHFtBjjel4pnIET0agtbGJbGDEQBNxX+i4MDA=
      -----END PRIVATE KEY-----
    certificateChain: |
      -----BEGIN CERTIFICATE-----
      MIIOXzCCDUegAwIBAgIRAPRytMVYJNUgCbhnA+eYumgwDQYJKoZIhvcNAQELBQAw
      RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
      ...
      8/s+YDKveNdoeQoAmGQpUmxhvJ9rbNYj+4jiaujkfxT/6WtFN8N95r+k3W/1K4hs
      IFyCs+xkcgvHFtBjjel4pnIET0agtbGJbGDEQBNxX+i4MDA=
      -----END CERTIFICATE-----

Permissions

Permissions are used in groups and users and lets you configure access to any Kafka resource or Console feature. A permission applies to a certain resourceType which affects the required fields.

Topic permissions

# Grants consume, produce and view config to all topics toto-* on shadow-it cluster
- resourceType: TOPIC
  cluster: shadow-it
  patternType: PREFIXED
  name: toto-
  permissions:
    - topicViewConfig
    - topicConsume
    - topicProduce
  • resourceType: TOPIC
  • cluster is a valid Kafka cluster
  • patternType is either PREFIXED or LITERAL
  • name is the name of the topic or topic prefix to apply the permissions to
  • permissions is a list of valid topic permissions
Available topic permissionsDescription
topicConsumePermission to consume messages from the topic.
topicProducePermission to produce (write) messages to the topic.
topicViewConfigPermission to view the topic configuration.
topicEditConfigPermission to edit the topic configuration.
topicCreatePermission to create a new topic.
topicDeletePermission to delete the topic.
topicAddPartitionPermission to add partitions to the topic.
topicEmptyPermission to empty (delete all messages from) the topic.
topicDataQualityManagePermission to manage data quality policies for the topic.

Subject permissions

# Grants view and edit compatibility to all subjects starting with sub-* on shadow-it cluster
- resourceType: SUBJECT
  cluster: shadow-it
  patternType: PREFIXED
  name: sub-
  permissions:
    - subjectView
    - subjectEditCompatibility
  • resourceType: SUBJECT
  • cluster is a valid Kafka cluster
  • patternType is either PREFIXED or LITERAL
  • name is the name of the subject or subject prefix to apply the permissions to
  • permissions is a list of valid subject permissions
Available subject permissionsDescription
subjectCreateUpdatePermission to create or update the subject.
subjectDeletePermission to delete the subject.
subjectEditCompatibilityPermission to edit the subject compatibility settings.
subjectViewPermission to view the subject details.

ConsumerGroup permissions

# Grants view and reset on all consumer groups starting with group-* on shadow-it cluster
- resourceType: CONSUMER_GROUP
  cluster: shadow-it
  patternType: PREFIXED
  name: group-
  permissions:
    - consumerGroupView
    - consumerGroupReset
  • resourceType: CONSUMER_GROUP
  • cluster is a valid Kafka cluster
  • patternType is either PREFIXED or LITERAL
  • name is the name of the consumer group or consumer group prefix to apply the permissions to
  • permissions is a list of valid consumer group permissions
Available ConsumerGroup permissionsDescription
consumerGroupCreatePermission to create a new consumer group.
consumerGroupResetPermission to reset the consumer group.
consumerGroupDeletePermission to delete the consumer group.
consumerGroupViewPermission to view the consumer group details.

Cluster permissions

# Grants view and edit broker, edit schema registry compatibility, view ACL and manage ACL on shadow-it cluster
- resourceType: CLUSTER
  name: shadow-it
  permissions:
    - clusterViewBroker
    - clusterEditSRCompatibility
    - clusterEditBroker
    - clusterViewACL
    - clusterManageACL
  • resourceType: CLUSTER
  • name is the name of the cluster to apply the permissions to
    • Use * for all clusters
  • permissions is a list of valid cluster permissions
Available cluster permissionsDescription
clusterViewBrokerPermission to view broker details.
clusterEditSRCompatibilityPermission to edit schema registry compatibility settings.
clusterEditBrokerPermission to edit broker configuration.
clusterViewACLPermission to view (ACLs) for the cluster.
clusterManageACLPermission to manage (ACLs) for the cluster.

KafkaConnect permissions

# Grants create and delete on all connectors starting with connector-* on shadow-it cluster and kafka-connect-cluster
- resourceType: KAFKA_CONNECT
  cluster: shadow-it
  kafkaConnect: kafka-connect-cluster
  patternType: PREFIXED
  name: connector-
  permissions:
    - kafkaConnectorCreate
    - kafkaConnectorDelete
  • resourceType: KAFKA_CONNECT
  • cluster is a valid Kafka cluster
  • kafkaConnect is a valid Kafka Connect cluster
  • patternType is either PREFIXED or LITERAL
  • name is the name of the connector or connector prefix to apply the permissions to
  • permissions is a list of valid Kafka Connect permissions
Available KafkaConnect permissionDescription
kafkaConnectorViewConfigPermission to view the Kafka Connect configuration.
kafkaConnectorStatusPermission to view the status of Kafka Connect connectors.
kafkaConnectorEditConfigPermission to edit the Kafka Connect configuration.
kafkaConnectorDeletePermission to delete connectors.
kafkaConnectorCreatePermission to create new connectors.
kafkaConnectPauseResumePermission to pause and resume connectors.
kafkaConnectRestartPermission to restart connectors.

KsqlDB permissions

# Grants all permissions on KsqlDB cluster ksql-cluster
- resourceType: KSQLDB
  cluster: shadow-it
  ksqlDB: ksql-cluster
  permissions:
    - ksqldbAccess
  • resourceType: KSQLDB
  • cluster is a valid Kafka cluster
  • ksqlDB is a valid Kafka Connect cluster
  • permissions is a list of valid KsqlDB permissions
Available KafkaConnect permissionsDescription
ksqldbAccessGrants all permissions on the KsqlDB cluster.

Console permissions

# Grants Console permissions
- resourceType: PLATFORM
  permissions:
    - userView
    - datamaskingView
  • resourceType: PLATFORM
  • permissions is a list of valid Console permissions
Available Console permissionsDescription
clusterConnectionsManagePermission to add / edit / remove Kafka clusters on Console.
certificateManagePermission to add / edit / remove TLS certificates on Console.
userManagePermission to manage Console users, groups and permissions.
userViewPermission to view Console users, groups and permissions.
datamaskingManagePermission to manage data policies (masking rules).
datamaskingViewPermission to view data policies.
notificationChannelManagePermission to manage integration channels.
auditLogViewPermission to browse audit log.
taasViewPermission to view Application Catalog.
chargebackManagePermission to view Chargeback and manage its settings.
sqlManagePermission to view indexed topics and create SQL queries.