StreamNative Cloud resources are organized in a hierarchy: Organization → Instance → Cluster → Tenant → Namespace → Topic. Each role is scoped to one level of this hierarchy and covers the resources below that level. For example, a principal with the `org-admin` role can manage all resources within that organization, while a `tenant-owner` can only manage the specific tenant they are bound to and its sub-resources (like namespaces and topics).

Role Name | Scope | Summary of Responsibilities |
---|---|---|
org-admin | Organization | Full administrative control over all resources in the organization. |
org-readonly | Organization | View all resources and settings in the organization without modification rights. |
org-operator | Organization | Perform organization-wide operational tasks like monitoring and basic troubleshooting. |
metrics-viewer | Organization | Access metrics endpoints for monitoring and observability. |
account-admin | Organization | Manage user and service accounts, including invitations, deletions, and role assignments. |
billing-admin | Organization | View and manage billing and subscription information. |
instance-owner | Instance | Full administrative control over one or more specified instances and all resources within them. |
instance-readonly | Instance | View a specific instance and all its resources without modification rights. |
instance-operator | Instance | Perform operational tasks within a specific instance. |
cluster-owner | Cluster | Full administrative control over one or more specified clusters and all resources within them. |
cluster-readonly | Cluster | View specified clusters and all their resources without modification rights. |
cluster-operator | Cluster | Perform operational tasks within specified clusters. |
schema-owner | Cluster/Schema Registry | Full administrative control over the Schema Registry for one or more specified subjects. |
schema-manager | Cluster/Schema Registry | Manage schema evolution and compatibility policies for the Schema Registry in one or more specified subjects. |
schema-reader | Cluster/Schema Registry | Read schema definitions from the Schema Registry in one or more specified subjects. |
schema-writer | Cluster/Schema Registry | Create and update schemas in the Schema Registry for one or more specified subjects. |
consumer-group-owner | Cluster/Kafka Consumer Group | Full administrative control over one or more specified Kafka consumer groups. |
consumer-group-reader | Cluster/Kafka Consumer Group | Perform operational tasks like resetting offsets on one or more specified Kafka consumer groups. |
transactional-id-owner | Cluster/Kafka TransactionId | Full administrative control over one or more specified Kafka transaction IDs. |
tenant-owner | Tenant | Full administrative control over one or more specified tenants and their namespaces/topics. |
tenant-readonly | Tenant | View one or more specified tenants and all their resources without modification rights. |
tenant-operator | Tenant | Perform operational tasks within one or more specified tenants. |
namespace-owner | Namespace | Full administrative control over one or more specified namespaces and their topics. |
namespace-readonly | Namespace | View one or more specified namespaces and all their resources without modification rights. |
namespace-operator | Namespace | Perform operational tasks within one or more specified namespaces. |
namespace-topic-producer | Namespace | Produce messages to all topics within one or more specified namespaces. |
namespace-topic-consumer | Namespace | Consume messages from all topics within one or more specified namespaces. |
topic-owner | Topic | Full administrative control over one or more specified topics. |
topic-readonly | Topic | View the configuration and stats for one or more specified topics, without data access. |
topic-producer | Topic | Produce messages to one or more specified topics. |
topic-consumer | Topic | Consume messages from one or more specified topics. |
To list the available cluster roles and inspect the full definition of one role:

```shell
snctl get clusterroles
snctl get clusterrole <name> -o yaml
```
Binding an organization role

The role binding command names the role in its `--clusterrole` argument and the principal in `--user`. To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `org-admin` role. To bind a different organization role, replace `org-admin` in the `--clusterrole` argument and in the role binding's name.
Binding an instance role

To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `instance-owner` role. To bind a different instance role, replace `instance-owner` in the `--clusterrole` argument and in the role binding's name.
Binding a cluster role

To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `cluster-owner` role. To bind a different cluster role, replace `cluster-owner` in the `--clusterrole` argument and in the role binding's name.

The `--condition-cluster` flag requires the Cluster ID, not the Cluster Name. The Cluster ID is a unique, randomly generated string (for example, `pc-y7bti` or `c-6mhjbx2`) and can be found on the cluster overview page in the StreamNative Cloud Console.
Binding a tenant role

To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `tenant-owner` role. To bind a different tenant role, replace `tenant-owner` in the `--clusterrole` argument and in the role binding's name.

A conditional binding can grant the `tenant-owner` role to all tenants that start with the prefix `${tenant_prefix}`. Remove `srn.tenant` from the condition-cel to bind the role to all tenants in the specified cluster instead. The `--condition-cluster` flag requires the Cluster ID (for example, `c-6mhjbx2`), not the Cluster Name; the ID is shown on the cluster overview page in the StreamNative Cloud Console. For example, with the prefix `test-tenant_`, you can create `test-tenant_x`.
Binding a namespace role

To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `namespace-owner` role. To bind a different namespace role, replace `namespace-owner` in the `--clusterrole` argument and in the role binding's name.

A conditional binding can grant the `namespace-owner` role to all namespaces that start with the prefix `${namespace_prefix}`. Remove `srn.namespace` from the condition-cel to bind the role to all namespaces in the specified tenant instead. The `--condition-cluster` flag requires the Cluster ID (for example, `c-6mhjbx2`), not the Cluster Name; the ID is shown on the cluster overview page in the StreamNative Cloud Console. For example, with the prefix `test-namespace_`, you can create `test-namespace_x`.

To consume messages from a Kafka topic, the principal also needs the `consumer-group-reader` role.
Binding a topic role

To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `topic-owner` role. To bind a different topic role, replace `topic-owner` in the `--clusterrole` argument and in the role binding's name.

A conditional binding can grant the `topic-owner` role to all topics that start with the prefix `${topic_prefix}`. Remove `srn.topic_name` from the condition-cel to bind the role to all topics in the specified namespace instead. The `--condition-cluster` flag requires the Cluster ID (for example, `c-6mhjbx2`), not the Cluster Name; the ID is shown on the cluster overview page in the StreamNative Cloud Console.

To consume messages from a Kafka topic, the principal also needs the `consumer-group-reader` role.

Binding a schema subject role

Schema roles are bound to a schema registry `subject`, which is a resource under the `cluster`. Follow the instructions below to create a role binding for a schema subject role.

To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `schema-owner` role. To bind a different schema role, replace `schema-owner` in the `--clusterrole` argument and in the role binding's name.

A conditional binding can grant the `schema-owner` role to all subjects that start with the prefix `${subject_prefix}`. Remove `schema.subject` from the condition-cel to bind the role to all subjects in the specified cluster's schema registry instead. The `srn.cluster` value requires the Cluster ID (for example, `c-6mhjbx2`), not the Cluster Name; the ID is shown on the cluster overview page in the StreamNative Cloud Console.
Binding a consumer group role

To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `consumer-group-owner` role. To bind a different consumer group role, replace `consumer-group-owner` in the `--clusterrole` argument and in the role binding's name.

A conditional binding can grant the `consumer-group-owner` role to all consumer groups that start with the prefix `${group_name_prefix}`. Remove `kafka.group` from the condition-cel to bind the role to all consumer groups in the specified cluster instead. The `srn.cluster` value requires the Cluster ID (for example, `c-6mhjbx2`), not the Cluster Name; the ID is shown on the cluster overview page in the StreamNative Cloud Console.
Binding a transactional ID role

To bind the role to a service account instead of a user, replace `--user` with `--serviceaccount`; to bind it to an identity pool, replace `--user` with `--identitypool`. The instructions here bind the `transactional-id-owner` role. To bind a different transactional ID role, replace `transactional-id-owner` in the `--clusterrole` argument and in the role binding's name.

A conditional binding can grant the `transactional-id-owner` role to all transactional IDs that start with the prefix `${transactional_id_prefix}`. Remove `kafka.transactional_id` from the condition-cel to bind the role to all transactional IDs in the specified cluster instead. The `srn.cluster` value requires the Cluster ID (for example, `c-6mhjbx2`), not the Cluster Name; the ID is shown on the cluster overview page in the StreamNative Cloud Console.
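The conditional bindings described above (a role restricted to one cluster and, optionally, to resources whose name starts with a prefix) are easy to get subtly wrong: passing a Cluster Name where `--condition-cluster` needs a Cluster ID yields a binding that matches nothing, and dropping the `srn.*` prefix condition widens the role to every resource in the cluster. The following Python model, added here as an illustration and not StreamNative's own code or anything `snctl` runs, evaluates which resources a binding would cover and lints both mistakes before the binding is created. The field names `srn.tenant`, `srn.namespace` and `srn.topic_name` come from the page; reading the condition-cel as a `startsWith` check on those fields, the cluster inventory `KNOWN_CLUSTERS`, and the sample tenants and bindings are assumptions constructed for this example.

```python
"""Model of prefix-scoped role bindings, added as an illustration.

Not StreamNative code and not what snctl does internally. It mirrors the
scoping rules described on this page: a conditional binding applies only in
the cluster named by --condition-cluster (a Cluster ID, never a Cluster Name)
and, optionally, only to resources whose name starts with a prefix
(the condition-cel on srn.tenant, srn.namespace or srn.topic_name).
The "startsWith" reading of the condition-cel and all sample data are
assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed inventory: Cluster ID -> Cluster Name. The IDs are the page's
# example values; the names are made up for this example.
KNOWN_CLUSTERS = {"c-6mhjbx2": "prod-cluster", "pc-y7bti": "test-cluster"}

# condition-cel field -> Resource attribute it constrains.
CEL_FIELDS = {"srn.tenant": "tenant", "srn.namespace": "namespace",
              "srn.topic_name": "topic_name"}


@dataclass(frozen=True)
class Resource:
    cluster_id: str
    tenant: str
    namespace: str = ""
    topic_name: str = ""

    @property
    def srn(self) -> str:
        parts = (self.cluster_id, self.tenant, self.namespace, self.topic_name)
        return "/".join(p for p in parts if p)


@dataclass(frozen=True)
class Binding:
    name: str
    clusterrole: str
    principal: str
    condition_cluster: str                    # must be a Cluster ID
    # {"srn.tenant": "test-tenant_"} stands for srn.tenant.startsWith("test-tenant_").
    # An empty dict is what removing srn.* from the condition-cel produces:
    # the role then applies to every resource in the cluster.
    condition_cel: Dict[str, str] = field(default_factory=dict)


def binding_covers(binding: Binding, resource: Resource) -> bool:
    """True if the binding's cluster and prefix conditions all match."""
    if binding.condition_cluster != resource.cluster_id:
        return False
    for cel_field, prefix in binding.condition_cel.items():
        if cel_field not in CEL_FIELDS:
            raise ValueError(f"unsupported condition-cel field {cel_field!r}")
        if not getattr(resource, CEL_FIELDS[cel_field]).startswith(prefix):
            return False
    return True


def covered(binding: Binding, resources: List[Resource]) -> List[str]:
    """SRNs of the resources the binding grants its role on, sorted."""
    return sorted(r.srn for r in resources if binding_covers(binding, r))


def lint_binding(binding: Binding) -> List[str]:
    """Flag a Cluster Name used where a Cluster ID is required, and bindings
    with no prefix condition (which cover every resource in the cluster)."""
    issues = []
    if binding.condition_cluster not in KNOWN_CLUSTERS:
        by_name = [cid for cid, name in KNOWN_CLUSTERS.items()
                   if name == binding.condition_cluster]
        if by_name:
            issues.append(f"{binding.name}: --condition-cluster must be the Cluster ID "
                          f"{by_name[0]}, not the Cluster Name {binding.condition_cluster!r}")
        else:
            issues.append(f"{binding.name}: unknown cluster {binding.condition_cluster!r}")
    if not binding.condition_cel:
        issues.append(f"{binding.name}: no srn.* prefix condition, so {binding.clusterrole} "
                      "applies to every resource in the cluster")
    return issues


# Constructed sample tenants; the page's own example prefix is test-tenant_.
SAMPLE_RESOURCES = [
    Resource("c-6mhjbx2", "test-tenant_x"),
    Resource("c-6mhjbx2", "test-tenant_y"),
    Resource("c-6mhjbx2", "billing"),
    Resource("pc-y7bti", "test-tenant_x"),   # same tenant name, other cluster
]
PREFIXED = Binding("tenant-owner-test", "tenant-owner", "ci@example.com",
                   "c-6mhjbx2", {"srn.tenant": "test-tenant_"})
UNSCOPED = Binding("tenant-owner-all", "tenant-owner", "ci@example.com",
                   "c-6mhjbx2")
BY_NAME = Binding("tenant-owner-wrong", "tenant-owner", "ci@example.com",
                  "prod-cluster", {"srn.tenant": "test-tenant_"})

if __name__ == "__main__":
    for b in (PREFIXED, UNSCOPED, BY_NAME):
        print(b.name, "->", covered(b, SAMPLE_RESOURCES), lint_binding(b))
```

Run as a script it prints, for each sample binding, the SRNs it covers and any lint findings: the prefixed binding reaches only the two `test-tenant_` tenants in `c-6mhjbx2` (the identically named tenant in `pc-y7bti` is out of scope), the unscoped binding also reaches `billing`, and the binding created with the Cluster Name covers nothing at all. The same model applies to the namespace and topic conditions by adding a `srn.namespace` or `srn.topic_name` entry to `condition_cel`.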