Managing Permissions / RBAC
Allow/Deny access to specific features of Conduktor Desktop for sensitive production clusters.
This feature is available only for Enterprises.
To be in control of what features your users can use on your clusters when using Conduktor Desktop, considering limiting their permissions. This is available on your account at https://account.conduktor.io.

Scope

Today, you can control this on a per-cluster basis.

Example

You want to ensure that all your users cannot write into your production clusters: you want to provide read-only access. You also want them to have all the permissions on your development clusters: this is the default (when no restrictions are put in place).

How to control the permissions of an Apache Kafka cluster?

  • On the Account Management Portal, click on the Manage button under Subscription Details > Cluster Permissions to get to the Cluster Permission page :
  • You will be able to declare your clusters or change the permission of an existing cluster :
  • Click Manage a new cluster to declare a new cluster, you need to provide:
    • the Cluster ID: provides by your Apache Kafka administrators / your Ops team / Also available within Conduktor in the "Brokers" view
    • a short name
    • a longer description.
A cluster ID uniquely identifies your clusters. It is a unique identifier assigned automatically to an Apache Kafka cluster.

How to setup the permissions of a cluster?

Once you've added a cluster, you will be able to allow or deny access to specific features of Conduktor Desktop. Click on button Access Control on the right of your created cluster.
By default, there is any restriction on what your users can do on your clusters. The access control is disabled :
You can enable access control and choose the base role Viewer to set predefined permissions to prevent any modifications to your cluster by your users (eg: disallowing producing to topics, broker config modifications, topic creation/deletion, altering schemas in schema registry, ...)​

How to set a role for a specific user?

You can provide different permissions set for your users by assigning them different roles. You have to enter the user mail, click on the button Add user, and assign to him the desired role(s) :
The base role will give its permissions access to every users of the subscription. You can't give less access right for a single user. We advise you to not give a too powerful base role on your cluster.

Could I define my own role?

We predefined three roles to help you restrict access :
  • Viewer : You can only read data on the cluster.
  • Editor : You can write data on the cluster.
  • Owner : You have access to all the features available.
But you can define your own role on the Roles tab with the Add a custom role button :

How does this affect Conduktor Desktop?

When a permission is denied, the corresponding button or menu entry will not appear in Conduktor Desktop.
For instance, if we disabled "Produce Into Topics" on a cluster, users connected to this cluster won't be able to Produce any data (no "Producer" button):
Notice the lack of some buttons (⊕ producer , import data, ...)
Same view with all permissions enabled
Removing the specific permission "Allow Users to Connect" will entirely prevent the connection to the cluster.

Additional Remarks

  • This does not persist any ACLs into your Apache Kafka clusters, this controls only Conduktor
  • Clusters that are not declared in the portal get all permissions by default.