Manage Role Bindings on StreamNative Cloud

This guide covers both basic and advanced techniques for managing role bindings. Recommend to reviewing the Predefined Role for a complete list of available roles and for examples of how to binding them.

You can manage role bindings by using snctl or StreamNative Terraform Provider. Support for the Cloud Console will be available soon.

Role Bindings

Role bindings are used to bind roles to principals. They are defined as RoleBinding resources in the Cloud API. The schema is as follows:

apiVersion: cloud.streamnative.io/v1alpha1
kind: RoleBinding
metadata:
  name: <name>
  namespace: <namespace>
spec:
  roleRef:
    apiGroup: cloud.streamnative.io
    kind: ClusterRole
    name: <roleName>
  subjects:
    - apiGroup: cloud.streamnative.io
      kind: <subject type> # User, ServiceAccount, Identity Pool
      name: <subject name>

roleRef: Reference to the Predefined Role.
subjects: List of subjects (also known as principals) to be bound to the role. It can be a [User Account]](/cloud/security/authentication/user-accounts), a ServiceAccount, or an IdentityPool.

Create Role Bindings

You can create a role binding by using the following methods:

You can create a role binding by running the following command to bind a predefined role <predefined-role-name> to a service account <service-account-name>.

snctl create rolebinding <role-binding-name> \
  --clusterrole <predefined-role-name> \
  --serviceaccount <service-account-name>

Alternatively, you can prepare the manifest file rolebinding.yaml to bind a predefined role to a service account.

apiVersion: cloud.streamnative.io/v1alpha1
kind: RoleBinding
metadata:
  name: <name>
  namespace: <namespace>
spec:
  roleRef:
    apiGroup: cloud.streamnative.io
    kind: ClusterRole
    name: <predefined-role-name>
  subjects:
    - apiGroup: cloud.streamnative.io
      kind: ServiceAccount
      name: <service-account-name>

Then apply it using snctl apply.

snctl apply -f rolebinding.yaml

After creating the role binding, you can verify it by running the following command:

snctl get rolebinding <name>

You should be able to see the role binding is in the Ready state.

You can create a role binding by running the following command to bind a predefined role <predefined-role-name> to a service account <service-account-name>.

snctl create rolebinding <role-binding-name> \
  --clusterrole <predefined-role-name> \
  --serviceaccount <service-account-name>

Alternatively, you can prepare the manifest file rolebinding.yaml to bind a predefined role to a service account.

apiVersion: cloud.streamnative.io/v1alpha1
kind: RoleBinding
metadata:
  name: <name>
  namespace: <namespace>
spec:
  roleRef:
    apiGroup: cloud.streamnative.io
    kind: ClusterRole
    name: <predefined-role-name>
  subjects:
    - apiGroup: cloud.streamnative.io
      kind: ServiceAccount
      name: <service-account-name>

Then apply it using snctl apply.

snctl apply -f rolebinding.yaml

After creating the role binding, you can verify it by running the following command:

snctl get rolebinding <name>

You should be able to see the role binding is in the Ready state.

You can create a role binding by preparing the role binding definition in the Terraform configuration and applying the changes. Below is an example of binding a predefined role to a service account.

terraform {
  required_providers {
    streamnative = {
      source = "streamnative/streamnative"
    }
  }
}


provider "streamnative" {
    # Please replace path use your own key file path
    key_file_path = "/path/to/your/service/account/key.json"
}


resource "streamnative_service_account" "metrics-account" {
  organization = "<organization-id>"
  name = "<service-account-name>"
  admin = false
}


resource "streamnative_role_binding" "metrics-viewer" {
	organization = "<organization-id>"
  name         = "metrics-viewer"
  cluster_role_name = "<predefined-role-name>"
  service_account_names = ["<service-account-name>"]
}

Please replace the placeholders with your actual values.

<organization-id>: The ID of your organization.
<predefined-role-name>: The name of the predefined role.
<service-account-name>: The name of the service account.

After preparing the Terraform configuration, you can apply the changes using the following command:

terraform init
terraform validate
terraform plan
terraform apply

Update Role Bindings

You can update a role binding by using the following methods:

You can use snctl edit to update a role binding directly.

snctl edit rolebinding <name>

Alternatively, you can update the file rolebinding.yaml and apply it using snctl apply.

snctl apply -f rolebinding.yaml

You can use snctl edit to update a role binding directly.

snctl edit rolebinding <name>

Alternatively, you can update the file rolebinding.yaml and apply it using snctl apply.

snctl apply -f rolebinding.yaml

You can update the role binding definition in the Terraform configuration and apply the changes.

Delete Role Bindings

You can delete a role binding by using the following methods:

Delete a role binding:

snctl delete rolebinding <name>

Query Role Bindings

Search Role Bindings By Role Name

A simple method for searching Role Bindings by roleName is provided, with efficient query support coming soon.

${role_name} refers to a predefined role

snctl get rolebinding -o json | jq -r '.items[] | select(.spec.roleRef.name == "${role_name}") |.metadata.name'

Search Role Bindings By Account Name

A simple method for searching Role Bindings by accountName is provided, with efficient query support coming soon.

${account_name} is the name of the user account or service account.

snctl get rolebinding -o json | jq -r '.items[] | select(any(.spec.subjects[]; .name == "${account_name}")) | .metadata.name'

Conditional Role Bindings

While basic role bindings simply associate a role with a user or service account, conditional role bindings provide more granular control by scoping permissions based on resource attributes.

For example, you may want to restrict a topic-producer role to only work within a specific namespace. StreamNative Cloud allows you to express these conditions using below ways:

Resource Name.
Common Expression Language (CEL) for complex restriction.

The following example shows how to bind the topic-producer role to a service account named service-account-1 with conditions that limit its access to:

Instance: ins-a
Cluster: cluster-a
Tenant: tenant-a
Namespace: ns-a

With these conditions, service-account-1 can only produce messages to topics within the specified namespace (tenant-a/ns-a) on that particular instance and cluster.

Using resource name:

snctl create rolebinding <role-binding-name> \
   --clusterrole topic-producer \
   --serviceaccount service-account-1 \
   --condition-instance ins-a --condition-cluster cluster-a --condition-tenant tenant-a --condition-namespace ns-a

snctl create rolebinding <role-binding-name> \
   --clusterrole topic-producer \
   --serviceaccount service-account-1 \
   --condition-instance ins-a --condition-cluster cluster-a --condition-tenant tenant-a --condition-namespace ns-a

resource "streamnative_role_binding" "user-a-topic-xxx-producer" {
   organization = "<organization-id>"
   name = "<role-binding-name>"
   cluster_role_name = "topic-producer"
   service_account_names = ["service-account-1"]
   condition_resource_names {
      instance  = "ins-a"
      cluster   = "cluster-a"
      tenant    = "tenant-a"
      namespace = "ns-a"
   }
}

Using CEL expression:

snctl create rolebinding <role-binding-name> \
   --clusterrole topic-producer \
   --serviceaccount service-account-1 \
   --condition-cel "srn.instance == 'ins-a' && srn.cluster == 'cluster-a' && srn.tenant == 'tenant-a' && srn.namespace == 'ns-a'"

snctl create rolebinding <role-binding-name> \
   --clusterrole topic-producer \
   --serviceaccount service-account-1 \
   --condition-cel "srn.instance == 'ins-a' && srn.cluster == 'cluster-a' && srn.tenant == 'tenant-a' && srn.namespace == 'ns-a'"

resource "streamnative_role_binding" "user-a-topic-xxx-producer" {
   organization = "<organization-id>"
   name = "<role-binding-name>"
   cluster_role_name = "topic-producer"
   service_account_names = ["service-account-1"]
   cel = "srn.instance == 'ins-a' && srn.cluster == 'cluster-a' && srn.tenant == 'tenant-a' && srn.namespace == 'ns-a'"
}

Please use latest version of snctl and streamnative provider for Terraform when creating RoleBindings.

The Resource Name and CEL expression supports accessing resources through the following variable:

StreamNative Resource Name (SRN): Provides access to all resources within the hierarchy, from instance and cluster down to individual resources like tenants, namespaces, topics, and subscriptions.

StreamNative Resource Name (SRN)

A StreamNative Resource Name (SRN) uniquely identifies resources in StreamNative Cloud using a hierarchical structure. The SRN is accessed through the srn variable in CEL expressions and contains the following fields:

instance: The StreamNative Cloud instance
cluster: The Pulsar cluster
tenant: The tenant
namespace: The namespace
topic_domain: The topic domain (persistent or non-persistent)
topic_name: The name of the topic
subscription: The subscription name
servie_account: The service account name (used for “service-account-admin” role)
secret: The secret name (used for “secret” role)

For example, to scope a role binding to specific resources, you can create it with below arguments:

--condition-instance ins-a --condition-cluster cluster-a --condition-tenant tenant-a --condition-namespace ns-a --condition-topic-domain persistent --condition-topic-name topic-a --condition-subscription sub-a

Complex Conditional Role Bindings

CEL supports complex conditional role bindings that allow for more sophisticated access control patterns than using the resource name.

For example, to bind a user as tenant-admin for multi resources:

Tenant: tenant-a and tenant-b
Cluster: cluster-a and cluster-b
Instance: ins-1 and ins-2

The CEL expression would be:

"(srn.instance == '' || srn.instance == 'ins-1' || srn.instance == 'ins-2') && (srn.cluster == '' || srn.cluster == 'cluster-a' || srn.cluster == 'cluster-b') && (srn.tenant == '' || srn.tenant == 'tenant-a' || srn.tenant == 'tenant-b')"

Predefined RBAC Roles Use Pulsar ACLs with RBAC

On this page

Role Bindings
Create Role Bindings
Update Role Bindings
Delete Role Bindings
Query Role Bindings
Search Role Bindings By Role Name
Search Role Bindings By Account Name
Conditional Role Bindings
Using resource name:
Using CEL expression:
StreamNative Resource Name (SRN)
Complex Conditional Role Bindings

Introduction

Get Started

Clusters

Data Streams

Security

Governance

Connect

Lakehouse

Process

Networking

Log And Monitor

Universal Linking

Billing

References

Role Bindings

Create Role Bindings

Update Role Bindings

Delete Role Bindings

Query Role Bindings

Search Role Bindings By Role Name

Search Role Bindings By Account Name

Conditional Role Bindings

Using resource name:

Using CEL expression:

StreamNative Resource Name (SRN)

Complex Conditional Role Bindings

Introduction

Get Started

Clusters

Data Streams

Security

Governance

Connect

Lakehouse

Process

Networking

Log And Monitor

Universal Linking

Billing

References

​Role Bindings

​Create Role Bindings

​Update Role Bindings

​Delete Role Bindings

​Query Role Bindings

​Search Role Bindings By Role Name

​Search Role Bindings By Account Name

​Conditional Role Bindings

​Using resource name:

​Using CEL expression:

​StreamNative Resource Name (SRN)

​Complex Conditional Role Bindings

Role Bindings

Create Role Bindings

Update Role Bindings

Delete Role Bindings

Query Role Bindings

Search Role Bindings By Role Name

Search Role Bindings By Account Name

Conditional Role Bindings

Using resource name:

Using CEL expression:

StreamNative Resource Name (SRN)

Complex Conditional Role Bindings