
Manage Roles on StreamNative Cloud

Note

This documentation covers RBAC Version 2. For information about the previous version (RBAC Version 1), see RBAC (V1).

Roles

Roles are the building blocks of RBAC. They are used to group permissions that can be assigned to principals. There are two types of roles in RBAC:

  • Predefined Roles: Built-in roles with predefined permissions that are available to all organizations. These roles are managed by StreamNative and are immutable. They are available as ClusterRole.cloud.streamnative.io resources in the Cloud API.
  • Custom Roles: Organization-scoped roles designed to meet your organization's specific needs. They are available as Role.cloud.streamnative.io resources in the Cloud API. However, custom roles are currently not exposed to end-users for creation and management.

Predefined roles meet most use cases and can be used to manage your organization's resources. If you are interested in using custom roles, you can join our Early Access Program. We welcome the opportunity to evaluate your use cases and improve the feature based on your feedback.

Predefined Roles

Predefined roles are available to all organizations. They are defined as ClusterRole resources in the Cloud API; the schema is as follows:

apiVersion: cloud.streamnative.io/v1alpha1
kind: ClusterRole
metadata:
  name: <name>
spec:
  permissions:
    - cloud.serviceaccounts.describe
    - pulsar.namespaces.describe
    - ... # the list of permissions

You can use snctl to list and get predefined roles.

  • Get list of predefined roles: snctl get clusterroles
  • Get details of a predefined role: snctl get clusterrole <name> -o yaml

Custom Roles

Custom roles are organization-scoped roles designed to meet the specific needs of your organization. They are defined as Role resources in the Cloud API; the schema is as follows:

apiVersion: cloud.streamnative.io/v1alpha1
kind: Role
metadata:
  name: <name>
  namespace: <organization-id>
spec:
  permissions:
    - cloud.serviceaccounts.describe
    - pulsar.namespaces.describe
    - ... # the list of permissions

You can use snctl to list and get custom roles.

  • Get list of custom roles: snctl get roles -n <organization-id>
  • Get details of a custom role: snctl get role <name> -n <organization-id> -o yaml

Available Predefined Roles

The following predefined roles are available in RBAC (Version 2). You can use snctl get clusterroles to list all predefined roles at any time.

Org Admin

An org-admin role provides full access to all the resources in your organization. It is the equivalent of the Super Admin role prior to RBAC.

Org ReadOnly

An org-readonly role provides read-only access to all the resources in your organization. Compared to the org-admin role, it has the same permissions except the ability to create or delete resources.

Tenant Admin

A tenant-admin role provides full access to all resources within a tenant. It has the ability to describe the instance and cluster where the tenant belongs, as well as describe brokers and clusters using the Pulsar admin API.

However, tenant admins cannot access Service Accounts and API Keys resources. Only Org Admin users can create, modify, or delete service accounts and API keys.

Tenant ReadOnly

A tenant-readonly role provides read-only access to all resources within a tenant, similar to the tenant-admin role but with more limited permissions. Users with this role can view and describe resources such as namespaces, topics, subscriptions, and retrieve policies. However, they cannot retrieve actual data from topics since they lack the consume permission. This role is ideal for users who need to monitor and audit tenant resources without modifying them or accessing the data within.

Topic Producer

A topic-producer role provides the ability to produce messages to a specific topic. If the cluster is configured with topic auto-creation enabled, producing messages to a non-existent topic will automatically create that topic, even though the topic-producer role does not have explicit create permission.

Topic Consumer

A topic-consumer role provides the ability to consume messages from a specific topic. If the cluster is configured with topic auto-creation enabled, consuming messages from a non-existent topic will automatically create that topic, even though the topic-consumer role does not have explicit create permission.

MetricsViewer

A metrics-viewer role provides read-only access to all the metrics data for your organization.

Below is a definition of the metrics-viewer role:

apiVersion: cloud.streamnative.io/v1alpha1
kind: ClusterRole
metadata:
  name: metrics-viewer
spec:
  permissions:
    - cloudMetrics.pulsar.query
    - cloudMetrics.pulsar.export
    - cloudMetrics.function.export
    - cloudMetrics.source.export
    - cloudMetrics.sink.export
    - cloudMetrics.kafkaConnect.export
    - cloudMetrics.health.export
    - cloudMetrics.billing.query
    - cloudMetrics.subscriptionStripe.query
    - cloudMetrics.usageStrip.query
    - cloudMetrics.consumptionStripe.query
    - cloudMetrics.consumptionSuger.query
    - cloudMetrics.costStripe.query
    - cloudMetrics.costSuger.query
    - cloudMetrics.termSuger.query

This role provides the following permissions:

Permission                              Protocol  Verb  Path
cloudMetrics.pulsar.query               HTTPS     GET   /cloud/metrics/query
cloudMetrics.pulsar.export              HTTPS     GET   /cloud/metrics/export
cloudMetrics.function.export            HTTPS     GET   /v1/cloud/metrics/function/export
cloudMetrics.source.export              HTTPS     GET   /v1/cloud/metrics/source/export
cloudMetrics.sink.export                HTTPS     GET   /v1/cloud/metrics/sink/export
cloudMetrics.kafkaConnect.export        HTTPS     GET   /v1/cloud/metrics/kafkaconnect/export
cloudMetrics.health.export              HTTPS     GET   /v1/cloud/metrics/health/export
cloudMetrics.billing.query              HTTPS     GET   /cloud/metrics/billing
cloudMetrics.subscriptionStripe.query   HTTPS     GET   /cloud/subscription/stripe
cloudMetrics.usageStrip.query           HTTPS     GET   /cloud/usage/stripe
cloudMetrics.consumptionStripe.query    HTTPS     GET   /cloud/consumption/stripe
cloudMetrics.consumptionSuger.query     HTTPS     GET   /cloud/consumption/suger
cloudMetrics.costStripe.query           HTTPS     GET   /cloud/cost/stripe
cloudMetrics.costSuger.query            HTTPS     GET   /cloud/cost/suger
cloudMetrics.termSuger.query            HTTPS     GET   /cloud/terms/suger
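The following script is an added example, not StreamNative's own tooling. It ties together the ClusterRole/Role schema shown in the two sections above and the metrics-viewer permission table: it parses a role document of that exact shape, reports any permission that is not in the table, classifies a role as read-only when every permission maps to a GET endpoint, and lists what one role grants beyond another. The custom Role fixture, its organization id o-example-org, and the permission cloudMetrics.usageStripe.query (deliberately not in the table) are constructed for the example; the catalog covers only the metrics-viewer permissions listed on this page, so is_read_only treats anything else as unknown rather than guessing its verb.

```python
"""Audit helper for the RBAC role definitions shown on this page.

Added example, not StreamNative's own tooling. It parses the ClusterRole/Role
document shape above (a fixed YAML subset, so no third-party library), flags
permissions missing from the metrics-viewer table, marks a role read-only when
every permission maps to a GET endpoint, and diffs two roles.
"""

# Permission -> (protocol, verb, path), copied from the metrics-viewer table.
METRICS_PERMISSIONS = {
    "cloudMetrics.pulsar.query": ("HTTPS", "GET", "/cloud/metrics/query"),
    "cloudMetrics.pulsar.export": ("HTTPS", "GET", "/cloud/metrics/export"),
    "cloudMetrics.function.export": ("HTTPS", "GET", "/v1/cloud/metrics/function/export"),
    "cloudMetrics.source.export": ("HTTPS", "GET", "/v1/cloud/metrics/source/export"),
    "cloudMetrics.sink.export": ("HTTPS", "GET", "/v1/cloud/metrics/sink/export"),
    "cloudMetrics.kafkaConnect.export": ("HTTPS", "GET", "/v1/cloud/metrics/kafkaconnect/export"),
    "cloudMetrics.health.export": ("HTTPS", "GET", "/v1/cloud/metrics/health/export"),
    "cloudMetrics.billing.query": ("HTTPS", "GET", "/cloud/metrics/billing"),
    "cloudMetrics.subscriptionStripe.query": ("HTTPS", "GET", "/cloud/subscription/stripe"),
    "cloudMetrics.usageStrip.query": ("HTTPS", "GET", "/cloud/usage/stripe"),
    "cloudMetrics.consumptionStripe.query": ("HTTPS", "GET", "/cloud/consumption/stripe"),
    "cloudMetrics.consumptionSuger.query": ("HTTPS", "GET", "/cloud/consumption/suger"),
    "cloudMetrics.costStripe.query": ("HTTPS", "GET", "/cloud/cost/stripe"),
    "cloudMetrics.costSuger.query": ("HTTPS", "GET", "/cloud/cost/suger"),
    "cloudMetrics.termSuger.query": ("HTTPS", "GET", "/cloud/terms/suger"),
}

# metrics-viewer as defined on this page (its permission list equals the table).
METRICS_VIEWER_YAML = "\n".join(
    ["apiVersion: cloud.streamnative.io/v1alpha1", "kind: ClusterRole",
     "metadata:", "  name: metrics-viewer", "spec:", "  permissions:"]
    + [f"    - {p}" for p in METRICS_PERMISSIONS]
)

# Constructed custom Role: the organization id is made up and the last
# permission is deliberately not one the table lists.
BILLING_VIEWER_YAML = """\
apiVersion: cloud.streamnative.io/v1alpha1
kind: Role
metadata:
  name: billing-viewer
  namespace: o-example-org
spec:
  permissions:
    - cloudMetrics.billing.query     # GET /cloud/metrics/billing
    - cloudMetrics.costStripe.query
    - cloudMetrics.usageStripe.query # constructed typo, unknown permission
"""


def parse_role(text):
    """Parse scalar top-level keys, a 'metadata' map, and 'spec.permissions'
    as a '- item' list; '#' comments and blank lines are ignored."""
    role = {"metadata": {}, "spec": {"permissions": []}}
    section, in_perms = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        key, _, value = body.partition(":")
        value = value.strip()
        if indent == 0 and key in ("metadata", "spec") and not value:
            section, in_perms = key, False       # enter a nested map
        elif indent == 0 and value:
            role[key], section = value, None     # apiVersion / kind
        elif section == "metadata" and value:
            role["metadata"][key] = value
        elif section == "spec" and body == "permissions:":
            in_perms = True
        elif section == "spec" and in_perms and body.startswith("- "):
            role["spec"]["permissions"].append(body[2:].strip())
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if role.get("kind") not in ("ClusterRole", "Role"):
        raise ValueError("kind must be ClusterRole or Role")
    if role["kind"] == "Role" and not role["metadata"].get("namespace"):
        raise ValueError("a custom Role needs metadata.namespace (organization id)")
    return role


def unknown_permissions(role, catalog=METRICS_PERMISSIONS):
    """Permissions the role lists that the catalog does not define."""
    return [p for p in role["spec"]["permissions"] if p not in catalog]


def is_read_only(role, catalog=METRICS_PERMISSIONS):
    """True when the role is non-empty and every permission maps to GET."""
    perms = role["spec"]["permissions"]
    return bool(perms) and all(p in catalog and catalog[p][1] == "GET" for p in perms)


def extra_permissions(role_a, role_b):
    """Permissions role_a grants that role_b does not (sorted)."""
    return sorted(set(role_a["spec"]["permissions"]) - set(role_b["spec"]["permissions"]))


if __name__ == "__main__":
    mv, bv = parse_role(METRICS_VIEWER_YAML), parse_role(BILLING_VIEWER_YAML)
    print("metrics-viewer read-only:", is_read_only(mv))
    print("billing-viewer unknown permissions:", unknown_permissions(bv))
    print("metrics-viewer grants beyond billing-viewer:", extra_permissions(mv, bv))
```

The parser accepts only the document shape printed in the schema sections above. The full output of snctl get clusterrole <name> -o yaml may carry additional fields, in which case the script raises ValueError on the first line it does not recognise; feed it a real YAML parser instead of extending this subset. Unknown permissions are reported rather than assumed harmless, which is the behaviour you want when reviewing a role before binding it to a principal.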