Manage Roles on StreamNative Cloud
Note
This documentation covers RBAC Version 2. For information about the previous version (RBAC Version 1), see RBAC (V1).
Roles
Roles are the building blocks of RBAC. They are used to group permissions that can be assigned to principals. There are two types of roles in RBAC:
- Predefined Roles: Built-in roles with predefined permissions that are available to all organizations. These roles are managed by StreamNative and are immutable. They are available as `ClusterRole.cloud.streamnative.io` resources in the Cloud API.
- Custom Roles: Organization-scoped roles designed to meet your organization's specific needs. They are available as `Role.cloud.streamnative.io` resources in the Cloud API. However, custom roles are currently not exposed to end-users for creation and management.
Predefined roles meet most use cases and can be used to manage your organization's resources. If you are interested in using custom roles, you can join our Early Access Program. We welcome the opportunity to evaluate your use cases and improve the feature based on your feedback.
Predefined Roles
Predefined roles are available to all organizations. They are defined as `ClusterRole` resources in the Cloud API, with the following schema:
```yaml
apiVersion: cloud.streamnative.io/v1alpha1
kind: ClusterRole
metadata:
  name: <name>
spec:
  permissions:
    - cloud.serviceaccounts.describe
    - pulsar.namespaces.describe
    - ... # the list of permissions
```
You can use `snctl` to list and get predefined roles.
- Get the list of predefined roles: `snctl get clusterroles`
- Get the details of a predefined role: `snctl get clusterrole <name> -o yaml`
Custom Roles
Custom roles are organization-scoped roles that are designed to meet the specific needs of your organization. They are defined as `Role` resources in the Cloud API, with the following schema:
```yaml
apiVersion: cloud.streamnative.io/v1alpha1
kind: Role
metadata:
  name: <name>
  namespace: <organization-id>
spec:
  permissions:
    - cloud.serviceaccounts.describe
    - pulsar.namespaces.describe
    - ... # the list of permissions
```
You can use `snctl` to list and get custom roles.
- Get the list of custom roles: `snctl get roles -n <organization-id>`
- Get the details of a custom role: `snctl get role <name> -n <organization-id> -o yaml`
Available Predefined Roles
The following predefined roles are available in RBAC (Version 2). You can use `snctl get clusterroles` to list all predefined roles at any time.
MetricsViewer
The metrics-viewer role provides read-only access to all the metrics data for your organization. Below is the definition of the metrics-viewer role:
```yaml
apiVersion: cloud.streamnative.io/v1alpha1
kind: ClusterRole
metadata:
  name: metrics-viewer
spec:
  permissions:
    - cloudMetrics.pulsar.query
    - cloudMetrics.pulsar.export
    - cloudMetrics.function.export
    - cloudMetrics.source.export
    - cloudMetrics.sink.export
    - cloudMetrics.kafkaConnect.export
    - cloudMetrics.health.export
    - cloudMetrics.billing.query
    - cloudMetrics.subscriptionStripe.query
    - cloudMetrics.usageStrip.query
    - cloudMetrics.consumptionStripe.query
    - cloudMetrics.consumptionSuger.query
    - cloudMetrics.costStripe.query
    - cloudMetrics.costSuger.query
    - cloudMetrics.termSuger.query
```
This role provides the following permissions, each of which maps to one HTTPS endpoint:
Permission | Protocol | Verb | Path |
---|---|---|---|
cloudMetrics.pulsar.query | HTTPS | GET | /cloud/metrics/query |
cloudMetrics.pulsar.export | HTTPS | GET | /cloud/metrics/export |
cloudMetrics.function.export | HTTPS | GET | /v1/cloud/metrics/function/export |
cloudMetrics.source.export | HTTPS | GET | /v1/cloud/metrics/source/export |
cloudMetrics.sink.export | HTTPS | GET | /v1/cloud/metrics/sink/export |
cloudMetrics.kafkaConnect.export | HTTPS | GET | /v1/cloud/metrics/kafkaconnect/export |
cloudMetrics.health.export | HTTPS | GET | /v1/cloud/metrics/health/export |
cloudMetrics.billing.query | HTTPS | GET | /cloud/metrics/billing |
cloudMetrics.subscriptionStripe.query | HTTPS | GET | /cloud/subscription/stripe |
cloudMetrics.usageStrip.query | HTTPS | GET | /cloud/usage/stripe |
cloudMetrics.consumptionStripe.query | HTTPS | GET | /cloud/consumption/stripe |
cloudMetrics.consumptionSuger.query | HTTPS | GET | /cloud/consumption/suger |
cloudMetrics.costStripe.query | HTTPS | GET | /cloud/cost/stripe |
cloudMetrics.costSuger.query | HTTPS | GET | /cloud/cost/suger |
cloudMetrics.termSuger.query | HTTPS | GET | /cloud/terms/suger |
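A practitioner reviewing a role wants to know exactly which endpoints it unlocks and whether it really is read-only, rather than trusting the role name. The following script is an added example and not StreamNative code: it parses the flat role schema shown above (the same `spec.permissions` layout used by both `ClusterRole` and `Role`), resolves each permission against the permission-to-endpoint table for the metrics-viewer role, and answers a deny-by-default "may this verb and path be called?" question. The `parse_role_permissions` parser is a deliberately minimal hand-written one so the script needs no PyYAML; the YAML document it consumes is constructed sample input in the shape of `snctl get clusterrole metrics-viewer -o yaml`, and the `example.notInTable.query` string is a made-up placeholder used only to show how unmapped permissions are surfaced.

```python
"""Audit the effective HTTPS access granted by a StreamNative Cloud role.

Added example, not part of the StreamNative documentation or tooling.
Assumes the role schema shown on this page (spec.permissions as a flat list)
and the permission -> endpoint table given for the metrics-viewer role.
"""

# Permission -> (verb, path), copied from the metrics-viewer table on this page.
PERMISSION_ENDPOINTS = {
    "cloudMetrics.pulsar.query": ("GET", "/cloud/metrics/query"),
    "cloudMetrics.pulsar.export": ("GET", "/cloud/metrics/export"),
    "cloudMetrics.function.export": ("GET", "/v1/cloud/metrics/function/export"),
    "cloudMetrics.source.export": ("GET", "/v1/cloud/metrics/source/export"),
    "cloudMetrics.sink.export": ("GET", "/v1/cloud/metrics/sink/export"),
    "cloudMetrics.kafkaConnect.export": ("GET", "/v1/cloud/metrics/kafkaconnect/export"),
    "cloudMetrics.health.export": ("GET", "/v1/cloud/metrics/health/export"),
    "cloudMetrics.billing.query": ("GET", "/cloud/metrics/billing"),
    "cloudMetrics.subscriptionStripe.query": ("GET", "/cloud/subscription/stripe"),
    "cloudMetrics.usageStrip.query": ("GET", "/cloud/usage/stripe"),
    "cloudMetrics.consumptionStripe.query": ("GET", "/cloud/consumption/stripe"),
    "cloudMetrics.consumptionSuger.query": ("GET", "/cloud/consumption/suger"),
    "cloudMetrics.costStripe.query": ("GET", "/cloud/cost/stripe"),
    "cloudMetrics.costSuger.query": ("GET", "/cloud/cost/suger"),
    "cloudMetrics.termSuger.query": ("GET", "/cloud/terms/suger"),
}

# Constructed sample in the shape of `snctl get clusterrole metrics-viewer -o yaml`,
# trimmed to four of the role's permissions. Not captured from a real cluster.
SAMPLE_CLUSTERROLE_YAML = """\
apiVersion: cloud.streamnative.io/v1alpha1
kind: ClusterRole
metadata:
  name: metrics-viewer
spec:
  permissions:
    - cloudMetrics.pulsar.query
    - cloudMetrics.pulsar.export
    - cloudMetrics.billing.query   # trailing comments are tolerated
    - cloudMetrics.costSuger.query
"""

# Constructed variant containing a made-up permission that is NOT in the table,
# to show how an auditor is told about permissions they cannot account for.
SAMPLE_WITH_UNKNOWN_YAML = SAMPLE_CLUSTERROLE_YAML + "    - example.notInTable.query\n"


def parse_role_permissions(yaml_text):
    """Minimal parser for the role schema on this page (no PyYAML required).

    Returns (kind, name, permissions). It only understands the flat layout the
    docs show: a `permissions:` key followed by `- item` lines. Any other
    structure is ignored rather than guessed at.
    """
    kind = name = None
    permissions = []
    in_permissions = False
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("kind:"):
            kind = line.split(":", 1)[1].strip()
        elif line.startswith("name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("permissions:"):
            in_permissions = True
        elif in_permissions and line.startswith("- "):
            # Drop an inline comment such as "# the list of permissions".
            permissions.append(line[2:].split("#", 1)[0].strip())
        elif in_permissions:
            in_permissions = False  # the list ended at a new key
    return kind, name, permissions


def effective_endpoints(permissions):
    """Resolve permission strings to the (verb, path) pairs they grant.

    Returns (granted, unknown). `unknown` holds permissions with no entry in
    PERMISSION_ENDPOINTS; an auditor should resolve those by hand instead of
    silently treating them as harmless.
    """
    granted, unknown = [], []
    for perm in permissions:
        if perm in PERMISSION_ENDPOINTS:
            granted.append(PERMISSION_ENDPOINTS[perm])
        else:
            unknown.append(perm)
    return granted, unknown


def is_allowed(permissions, verb, path):
    """Deny-by-default check: does this permission set cover verb + path?"""
    granted, _unknown = effective_endpoints(permissions)
    return (verb.upper(), path) in set(granted)


def is_read_only(permissions):
    """True only if every permission is known and maps to a GET endpoint.

    An unknown permission makes the answer False: "we cannot tell" must not
    be reported as "read-only".
    """
    granted, unknown = effective_endpoints(permissions)
    return not unknown and all(verb == "GET" for verb, _path in granted)


if __name__ == "__main__":
    kind, name, perms = parse_role_permissions(SAMPLE_CLUSTERROLE_YAML)
    print(f"{kind}/{name} grants {len(perms)} permissions; read-only: {is_read_only(perms)}")
    for verb, path in effective_endpoints(perms)[0]:
        print(f"  {verb} {path}")
    _, _, perms2 = parse_role_permissions(SAMPLE_WITH_UNKNOWN_YAML)
    print("unmapped permissions in second sample:", effective_endpoints(perms2)[1])
```

Run it as a script to see the endpoint listing; in practice you would feed it the output of `snctl get clusterrole <name> -o yaml` instead of the embedded sample. The design choice worth copying is that `is_read_only` refuses to vouch for a role containing a permission it cannot map: a least-privilege review that silently skips what it does not recognise is exactly the gap an over-broad role hides in.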