This feature is currently in Private Preview. In order to use this feature your Pulsar Clusters must be on the rapid channel and be on version 3.3.2.5, 4.0.0.9 or greater. Contact StreamNative for it to be enabled.

Role-based access control (RBAC) allows you to control what level of access users have to your organization’s resources, including but not limited to instances, clusters, tenants, namespaces, topics, schemas, service accounts, and more. Use RBAC to protect your StreamNative Cloud resources and data by authorizing and restricting access to principals and by delegating access authorization to the appropriate business units and teams in your organization.

Prerequisites

Before using RBAC, it is important to understand the following concepts:

Concepts

In RBAC, there are a few key concepts:

Principal

A principal is an entity that can be granted access to resources. Principals can be users, service accounts, or identity pools.

Permission

A permission is an action that can be performed on a resource. For example, producing to a topic, consuming from a topic, creating a namespace, deleting a namespace, and so on. It is described in the following format: path.to.resource.action. For example, cloud.serviceaccount.describe represents the permission to describe a service account which is a cloud resource.

Role

A role is a named collection of permissions. Roles are used to group permissions and can be assigned to principals.

Role binding

A role binding assigns a role to a principal. Role bindings are used to grant permissions to principals.

RBAC Workflow

The RBAC workflow consists of two main parts:

RBAC Management

Users can manage (create, update, or delete) RBAC roles and role bindings using:

Once resources are created, the StreamNative Cloud control plane automatically monitors them and propagates any changes to different components and resources for validation.

RBAC Validation

Each component in both the control plane and data plane receives the RBAC settings (roles and bindings) and uses them for validation. For example, when a user attempts to produce to a topic, the action is validated against the RBAC settings. If the user does not have the necessary permissions, the action is rejected.