Predefined Roles on StreamNative Cloud

Role-Based Access Control (RBAC) is the core mechanism for managing permissions in StreamNative Cloud. It allows administrators to grant specific permissions to principals to perform actions on specific resources. This feature is enabled by default for all cluster types (Serverless, Dedicated, and BYOC) and all organizations, offering a standardized way to secure your resources. Note the following:

• Multiple Role Assignments: A principal can be assigned multiple roles. When a principal attempts to access a resource, the request is allowed if any of their assigned roles grant the necessary permission.
• Resource Visibility: If a principal lacks read permission for a resource, that resource will not be visible to them in list commands or in the Cloud Console.
• Console Access: To use the StreamNative Cloud Console, a user must be assigned at least one read-only role, such as org-readonly, cluster-readonly, or tenant-readonly.
• Permissions are inherited down the resource hierarchy: Organization → Instance → Cluster → Tenant → Namespace → Topic. For example, a principal with the org-admin role can manage all resources within that organization, while a tenant-owner can only manage the specific tenant they are bound to and its sub-resources (like namespaces and topics).

​

Quick Reference

The following table summarizes all available predefined roles to help you quickly find the right one for your needs.

You can use snctl to list and get predefined roles.

• Get list of predefined roles: snctl get clusterroles
• Get details of a predefined role: snctl get clusterrole <name> -o yaml

​

Organization

These are the highest-level roles, granting broad permissions across your entire StreamNative Cloud organization. The roles available at this scope are:

• org-admin
• org-readonly
• org-operator
• metrics-viewer
• billing-admin
• account-admin

Follow the instructions below to create a role binding for an organization role.

snctl create rolebinding org-admin-user1 \
  --clusterrole org-admin \
  --user user1@example.com

snctl create rolebinding org-admin-user1 \
  --clusterrole org-admin \
  --user user1@example.com

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "org_admin_user1_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "org-admin-user1"
  cluster_role_name = "org-admin"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
}

​

org-admin

The Organization Administrator. Grants complete and unrestricted control over all StreamNative Cloud and Pulsar/Kafka resources within the organization. This role is equivalent to a superuser or root administrator.

• Account Management: Manages all organization-level settings, including billing, subscriptions, users, service accounts, and security policies.
• Identity Management: Full lifecycle management of users and service accounts: invite, delete, and assign any role to any principal.
• Infrastructure Management: Full administrative control over all infrastructure, including creating, viewing, and deleting instances and clusters.
• Data Plane Management: Complete control over all Pulsar and Kafka resources across all clusters, including tenants, namespaces, topics, schemas, Pulsar Functions, and Connectors.

​

org-readonly

The Organization Read-Only Observer. Provides comprehensive, read-only visibility across all resources and configurations in the organization, ideal for auditing and monitoring.

• Global Visibility: Can view all organization-level settings, instances, clusters, tenants, namespaces, and topics.
• Monitoring: Can view resource statistics and health metrics across the entire organization.

Limitations:

• No Modification Rights: Cannot create, update, or delete any resource.
• No Sensitive Data Access: Cannot view sensitive resources such as secrets or service account credentials.
• No Data Access: Cannot produce and consume messages from any topic.

​

org-operator

The Organization Operator. Enables principals to perform organization-wide operational and troubleshooting tasks without granting full administrative or destructive permissions.

• Operational Monitoring: Includes all permissions of the org-readonly role for comprehensive visibility.
• Troubleshooting Actions: Can perform safe, non-destructive operational tasks such as unloading topics, change configuration, resetting subscription cursors, and restarting Pulsar Functions or Connector tasks across any cluster in the organization.

Limitations:

• No Destructive Actions: Cannot delete critical resources like clusters, tenants, namespaces, or topics.
• No Sensitive Data Access: Cannot view sensitive resources such as organization secrets or service account credentials.
• No Data Access: Cannot produce and consume messages from any topic.
• No Sensitive Configuration Changes: Cannot alter critical policies like data retention or manage user permissions.
• No Account Management: Cannot manage users, service accounts, or billing information.

Assign to a central Site Reliability Engineering (SRE) or platform operations team responsible for maintaining the day-to-day health and stability of the entire StreamNative Cloud deployment.

​

metrics-viewer

The Metrics Viewer. This role is specifically designed to grant access to the metrics API, such as those compatible with Prometheus.

Assign exclusively to a service account used by an external monitoring or observability platform (for example, Prometheus, Grafana, Datadog) to collect performance metrics, adhering to the principle of least privilege.

​

account-admin

The Account Administrator. Delegates the management of users and service accounts, separating identity management from infrastructure and data plane administration.

• User Management: Can invite new users to the organization, remove existing users, and manage their role assignments.
• Service Account Management: Full lifecycle control over service accounts, including creation, deletion, and API key management.
• Role Assignment: Can bind any role to users or service accounts.

Assign to an IT security or identity management team responsible for controlling access to the platform, allowing them to manage principals without granting them permissions over the data infrastructure itself.

​

billing-admin

The Billing Administrator. A specialized role that provides exclusive access to manage the financial aspects of the organization’s account.

• Payment Management: Can view and manage payment methods and billing information.
• Invoice Access: Can view and download billing history and invoices.

Assign to members of the finance department or budget owners who need to manage the organization’s cloud spending without needing access to the underlying technical platform.

​

Instance

These roles are scoped to a specific StreamNative Cloud Instance. The roles available at this scope are:

• instance-owner
• instance-readonly
• instance-operator

Follow the instructions below to create a role binding for an instance role.

snctl create rolebinding instance-owner-user1 \
  --clusterrole instance-owner \
  --user user1@example.com \
  --condition-instance ${instance_name}

snctl create rolebinding instance-owner-user1 \
  --clusterrole instance-owner \
  --user user1@example.com \
  --condition-instance ${instance_name}

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "instance_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "instance-owner-user1"
  cluster_role_name = "instance-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  condition_resource_names {
    instance = "${instance_name}"
  }
}

​

instance-owner

The Instance Administrator. Grants full administrative control over all resources within a specific instance, including the clusters it contains.

• Cluster Lifecycle Management: Can create, view, update, and delete Pulsar and Kafka clusters within the specified instance.
• Inherited Permissions: Inherits all permissions of cluster-owner for every cluster within the instance.

Assign to an environment owner (for example dev-admin, prod-admin) who is responsible for managing all clusters and resources within a specific instance.

​

instance-readonly

The Instance Read-Only Observer. Provides read-only visibility into a specific instance and all of its resources.

• View All Resources: Can view all clusters, tenants, namespaces, and topics within the specified instance.
• Inspect Configuration: Can view the configuration of the instance and all its sub-resources.

Limitations:

• No Data Access: Cannot produce and consume messages from any topic within the binding instance.

​

instance-operator

The Instance Operator. Permits operational tasks across all clusters within a specific instance.

• Instance-Wide Operations: Includes all instance-readonly permissions, plus the ability to perform operational tasks (for example, unload topics, restart connectors) on any cluster within the instance.

Limitations:

• No Destructive Actions: Cannot create or delete clusters or modify critical configurations within the instance.
• No Data Access: Cannot produce and consume messages from any topic within the binding cluster.

Assign to an SRE team responsible for a specific environment (for example, the production instance) to enable troubleshooting and maintenance.

​

Cluster

These roles are scoped to a specific Pulsar or Kafka cluster within an cluster. The roles available at this scope are:

• cluster-owner
• cluster-readonly
• cluster-operator

Follow the instructions below to create a role binding for a cluster role.

snctl create rolebinding cluster-owner-user1 \
  --clusterrole cluster-owner \
  --user user1@example.com \
  --condition-instance ${instance_name} \
  --condition-cluster ${cluster_id}

snctl create rolebinding cluster-owner-user1 \
  --clusterrole cluster-owner \
  --user user1@example.com \
  --condition-instance ${instance_name} \
  --condition-cluster ${cluster_id}

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "cluster_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "cluster-owner-user1"
  cluster_role_name = "cluster-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  condition_resource_names {
    instance = "${instance_name}"
    cluster  = "${cluster_id}"
  }
}

​

cluster-owner

The Cluster Administrator. Grants full administrative control over all resources within a specific cluster, enabling multi-tenancy management.

• Tenant Lifecycle Management: Can create, view, update, and delete tenants within the specified cluster. This is the key permission that distinguishes it from tenant-owner.
• Cluster-Level Policies: Manages cluster-wide configurations and policies.
• Inherited Permissions: Inherits all permissions of tenant-owner for every tenant within the cluster.

Limitations:

• Scoped to Cluster: Cannot manage other clusters or instance-level configurations.
• No Org-Level Access: Cannot manage users, service accounts, or billing.

Assign to a platform administrator or team responsible for managing a shared, multi-tenant cluster and onboarding new teams by provisioning tenants for them.

​

cluster-readonly

The Cluster Read-Only Observer. Provides read-only visibility into a specific cluster and all of its tenants and resources.

• View All Resources: Can view all tenants, namespaces, topics, and their configurations within the specified cluster.

Limitations:

• No Modification Rights: Cannot make any changes to the cluster or any resources within it.
• No Data Access: Cannot produce and consume messages from any topic within the binding cluster.

Assign to any user who needs to understand the structure and status of a specific cluster without having permission to alter it.

​

cluster-operator

The Cluster Operator. Permits operational tasks across all tenants within a specific cluster.

• Cluster-Wide Operations: Includes all cluster-readonly permissions, plus the ability to perform operational tasks (for example, clear backlogs, reset subscriptions, manage function/connector) on any tenant or namespace within the cluster.

Limitations:

• No Destructive Actions: Cannot create or delete tenants or modify critical cluster configurations.
• No Data Access: Cannot produce and consume messages from any topic within the binding cluster.

Assign to an SRE or operations team focused on a single cluster, enabling them to perform maintenance and troubleshooting for all teams using that cluster.

​

Tenant

These roles are scoped to a specific Pulsar or Kafka cluster within a tenant. The roles available at this scope are:

• tenant-owner
• tenant-readonly
• tenant-operator

Follow the instructions below to create a role binding for a tenant role.

snctl create rolebinding tenant-owner-user1 \
  --clusterrole tenant-owner \
  --user user1@example.com \
  --condition-instance ${instance_name} \
  --condition-cluster ${cluster_id} \
  --condition-tenant ${tenant_name}

snctl create rolebinding tenant-owner-user1 \
  --clusterrole tenant-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant.startsWith('${tenant_prefix}'))"

snctl create rolebinding tenant-owner-user1 \
  --clusterrole tenant-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}')"

snctl create rolebinding tenant-owner-user1 \
  --clusterrole tenant-owner \
  --user user1@example.com \
  --condition-instance ${instance_name} \
  --condition-cluster ${cluster_id} \
  --condition-tenant ${tenant_name}

snctl create rolebinding tenant-owner-user1 \
  --clusterrole tenant-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant.startsWith('${tenant_prefix}'))"

snctl create rolebinding tenant-owner-user1 \
  --clusterrole tenant-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}')"

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "tenant_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "tenant-owner-user1"
  cluster_role_name = "tenant-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  condition_resource_names {
    instance = "${instance_name}"
    cluster  = "${cluster_id}"
    tenant   = "${tenant_name}"
  }
}

#... terraform streamnative basic configuration

resource "streamnative_rolebinding" "tenant_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "tenant-owner-user1"
  cluster_role_name = "tenant-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  # To bind to multiple tenants, use a Common Expression Language (CEL) expression
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant.startsWith('${tenant_prefix}'))"
}

​

tenant-owner

The Tenant Administrator. Grants full administrative control over a specific tenant and all its sub-resources, enabling self-service for application teams.

• Namespace Management: Full lifecycle management (create, read, update, delete) of namespaces within the assigned tenant.
• Topic and Policy Management: Manages all topics and namespace-level policies, such as retention, message TTL, and backlog quotas.
• Functions and Connectors: Full lifecycle management of Pulsar Functions and Connectors (Sources/Sinks) within the tenant’s namespaces.
• Allows creating tenants bound by the role. For example, if you bind resources prefixed with test-tenant_, you can create test-tenant_x
• Data Access: Can produce and consume messages from any topic within the binding tenant.

Limitations:

• Cannot Manage Other Tenants: Creating or deleting tenants that you haven’t bound is not allowed.

Assign to a team lead or a team’s primary service account to give them full control over their application’s resources in a shared cluster, promoting a multi-tenant, self-service model.

​

tenant-readonly

The Tenant Read-Only Observer. Can view the configuration and status of a specific tenant and all its resources without modification rights.

• View Tenant Resources: Can view all namespaces, topics, subscriptions, functions, and connectors within the tenant.
• Inspect Policies: Can view namespace-level policies and topic configurations.
• View Statistics: Can retrieve statistics for topics and subscriptions.

Limitations:

• No Modification Rights: Cannot create, update, or delete any resource within the tenant.
• No Data Access: Cannot produce and consume messages from any topic within the binding tenant.

Assign to developers who need to view the state and configuration of their team’s applications and resources without being able to modify them.

​

tenant-operator

The Tenant Operator. Can perform operational tasks within a specific tenant, such as troubleshooting and routine maintenance.

• Operational Control: Includes all tenant-readonly permissions, plus the ability to perform tasks like clearing backlogs, resetting subscription cursors, unloading topics, and restarting functions/connectors within the tenant.
• Policy Changes: Can alter namespace policies like data retention.
• Allows creating tenants bound by the role. For example, if you bind resources prefixed with test-tenant_, you can create test-tenant_x

Limitations:

• No Destructive Actions: Cannot delete namespaces, topics, or other critical resources.
• No Data Access: Cannot produce and consume messages from any topic within the binding tenant.

Assign to a DevOps engineer or an automated operational tool responsible for maintaining the health of applications within a specific tenant.

​

Namespace

These roles are scoped to a specific Pulsar or Kafka cluster within a namespace. The roles available at this scope are:

• namespace-owner
• namespace-readonly
• namespace-operator
• namespace-topic-producer
• namespace-topic-consumer

Follow the instructions below to create a role binding for a namespace role.

snctl create rolebinding namespace-owner-user1 \
  --clusterrole namespace-owner \
  --user user1@example.com \
  --condition-instance ${instance_name} \
  --condition-cluster ${cluster_id} \
  --condition-tenant ${tenant_name} \
  --condition-namespace ${namespace_name}

snctl create rolebinding namespace-owner-user1 \
  --clusterrole namespace-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}') && (srn.namespace == '' || srn.namespace.startsWith('${namespace_prefix}'))"

snctl create rolebinding tenant-owner-user1 \
  --clusterrole tenant-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}')"

snctl create rolebinding namespace-owner-user1 \
  --clusterrole namespace-owner \
  --user user1@example.com \
  --condition-instance ${instance_name} \
  --condition-cluster ${cluster_id} \
  --condition-tenant ${tenant_name} \
  --condition-namespace ${namespace_name}

snctl create rolebinding namespace-owner-user1 \
  --clusterrole namespace-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}') && (srn.namespace == '' || srn.namespace.startsWith('${namespace_prefix}'))"

snctl create rolebinding tenant-owner-user1 \
  --clusterrole tenant-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}')"

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "namespace_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "namespace-owner-user1"
  cluster_role_name = "namespace-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  condition_resource_names {
    instance  = "${instance_name}"
    cluster   = "${cluster_id}"
    tenant    = "${tenant_name}"
    namespace = "${namespace_name}"
  }
}

#... terraform streamnative basic configuration

resource "streamnative_rolebinding" "namespace_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "namespace-owner-user1"
  cluster_role_name = "namespace-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  # To bind to multiple namespaces, use a Common Expression Language (CEL) expression
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}') && (srn.namespace == '' || srn.namespace.startsWith('${namespace_prefix}'))"
}

​

namespace-owner

The Namespace Administrator. Grants full administrative control over a specific namespace and all topics and functions within it.

• Topic Management: Full lifecycle management of topics within the namespace.
• Policy Control: Manages all policies for the namespace, such as retention and backlog quotas.
• Functions and Connectors: Full lifecycle management of Pulsar Functions and Connectors deployed to the namespace.
• Data Access: Can produce and consume messages from any topic within the binding tenant.
• Allows creating namespaces bound by the role. For example, if you bind resources prefixed with test-namepsace_, you can create test-namespace_x

Limitations:

• Cannot Manage Other Namespace: Creating or deleting namespace that you haven’t bound is not allowed.

Assign to an application owner or lead developer to provide full control over all resources related to a specific microservice or application component.

​

namespace-readonly

The Namespace Read-Only Observer. Can view the configuration and status of a specific namespace and all its

• View Namespace Resources: Can view all topics, subscriptions, functions, and connectors within the namespace.
• Inspect Configuration: Can view namespace policies and topic configurations.

Limitations:

• No Modification Rights: Cannot create, update, or delete any resource.
• No Data Access: Cannot produce and consume messages from any topic within the binding namespace.

Assign to a developer who needs visibility into a specific application’s resources for debugging or understanding its configuration.

​

namespace-operator

The Namespace Operator. Can perform operational tasks within a specific namespace.

• Operational Control: Includes all namespace-readonly permissions, plus the ability to perform operational tasks like clearing backlogs, resetting subscriptions, and restarting functions/connectors within the namespace.
• Allows creating namespaces bound by the role. For example, if you bind resources prefixed with test-namepsace_, you can create test-namespace_x

Limitations:

• No Destructive Actions: Cannot delete topics or other resources.
• No Data Access: Cannot produce and consume messages from any topic within the binding namespace.

Assign to a service account for an automated CI/CD pipeline that needs to perform operational tasks like restarting a function after a deployment.

​

namespace-topic-producer

The Namespace Producer. Allows a principal to produce messages to all topics(kafka/pulsar) within a specific namespace.

Limitations:

• No Administrative Rights: Cannot manage topics, policies, or any other resources.
• No Consume Rights: Cannot consume messages.

Assign to a service account for a producer application that needs to write to multiple topics within a single namespace, simplifying permission management.

​

namespace-topic-consumer

The Namespace Consumer. Allows a principal to consume messages from all topics(kafka/pulsar) within a specific namespace.

• Consume Data: Can create subscriptions and consume messages from any existing or future topic within the specified namespace.

Limitations:

• No Administrative Rights: Cannot manage topics, policies, or any other resources.
• No Produce Rights: Cannot produce messages.
• For kafka consumer, need grant consumer-group-reader role to the principal to consume messages from a kafka topic.

Assign to a service account for a consumer application or stream processing job that needs to read from all topics within a namespace.

​

Topic

These roles are scoped to a specific Pulsar or Kafka cluster within a topic. The roles available at this scope are:

• topic-owner
• topic-readonly
• topic-producer
• topic-consumer

Follow the instructions below to create a role binding for a topic role.

snctl create rolebinding topic-owner-user1 \
  --clusterrole topic-owner \
  --user user1@example.com \
  --condition-instance ${instance_name} \
  --condition-cluster ${cluster_id} \
  --condition-tenant ${tenant_name} \
  --condition-namespace ${namespace_name} \
  --condition-topic-name ${topic_name}

snctl create rolebinding topic-owner-user1 \
  --clusterrole topic-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}') && (srn.namespace == '' || srn.namespace == '${namespace_name}') && (srn.topic_name == '' || srn.topic_name.startsWith('${topic_prefix}'))"

snctl create rolebinding topic-owner-user1 \
  --clusterrole topic-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}') && (srn.namespace == '' || srn.namespace == '${namespace_name}')"

snctl create rolebinding topic-owner-user1 \
  --clusterrole topic-owner \
  --user user1@example.com \
  --condition-instance ${instance_name} \
  --condition-cluster ${cluster_id} \
  --condition-tenant ${tenant_name} \
  --condition-namespace ${namespace_name} \
  --condition-topic-name ${topic_name}

snctl create rolebinding topic-owner-user1 \
  --clusterrole topic-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}') && (srn.namespace == '' || srn.namespace == '${namespace_name}') && (srn.topic_name == '' || srn.topic_name.startsWith('${topic_prefix}'))"

snctl create rolebinding topic-owner-user1 \
  --clusterrole topic-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}') && (srn.namespace == '' || srn.namespace == '${namespace_name}')"

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "topic_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "topic-owner-user1"
  cluster_role_name = "topic-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  condition_resource_names {
    instance  = "${instance_name}"
    cluster   = "${cluster_id}"
    tenant    = "${tenant_name}"
    namespace = "${namespace_name}"
    topic = "${topic_name}"
  }
}

#... terraform streamnative basic configuration

resource "streamnative_rolebinding" "topic_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "topic-owner-user1"
  cluster_role_name = "topic-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  # To bind to multiple topics, use a Common Expression Language (CEL) expression
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (srn.tenant == '' || srn.tenant == '${tenant_name}') && (srn.namespace == '' || srn.namespace == '${namespace_name}') && (srn.topic_name == '' || srn.topic_name.startsWith('${topic_prefix}'))"
}

​

topic-owner

The Topic Administrator. Grants administrative control over a specific topic’s configuration and lifecycle, but does not include data access.

​

topic-readonly

The Topic Read-Only Observer. Allows viewing the configuration and statistics of a specific topic without modification rights or data access.

​

topic-producer

The Topic Producer. Allows a principal to produce messages to all topics(kafka/pulsar) within a specific topic.

Limitations:

• No Administrative Rights: Cannot manage topics, policies, or any other resources.
• No Consume Rights: Cannot consume messages.

Assign to a service account for a producer application that needs to write to multiple topics within a single namespace, simplifying permission management.

​

topic-consumer

The Topic Consumer. Allows a principal to consume messages from all topics(kafka/pulsar) within a specific topic.

• Consume Data: Can create subscriptions and consume messages from any existing or future topic within the specified topic.

Limitations:

• No Administrative Rights: Cannot manage topics, policies, or any other resources.
• No Produce Rights: Cannot produce messages.
• For kafka consumer, need grant consumer-group-reader role to the principal to consume messages from a kafka topic.

Assign to a service account for a consumer application or stream processing job that needs to read from all topics within a namespace.

​

Schema Registry

These roles are used to manage Pulsar Schemas, ensuring data governance and type safety. The roles available at this scope are:

• schema-owner
• schema-manager
• schema-reader
• schema-writer

The operational resource of the schema is subject, which are resources under the cluster. Follow the instructions below to create a role binding for a schema subject role.

snctl create rolebinding schema-owner-user1 \
  --clusterrole schema-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (schema.subject == '' || schema.subject == '${subject}')"

snctl create rolebinding schema-owner-user1 \
  --clusterrole schema-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (schema.subject == '' || schema.subject.startsWith('${subject_prefix}'))"

snctl create rolebinding topic-owner-user1 \
  --clusterrole topic-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}')"

snctl create rolebinding schema-owner-user1 \
  --clusterrole schema-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (schema.subject == '' || schema.subject == '${subject}')"

snctl create rolebinding schema-owner-user1 \
  --clusterrole schema-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (schema.subject == '' || schema.subject.startsWith('${subject_prefix}'))"

snctl create rolebinding topic-owner-user1 \
  --clusterrole topic-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}')"

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "schema_owner_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "schema-owner-user1"
  cluster_role_name = "schema-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (schema.subject == '' || schema.subject == '${subject}')"
}

#... terraform streamnative basic configuration

resource "streamnative_rolebinding" "schema_owner_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "schema-owner-user1"
  cluster_role_name = "schema-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  # To bind to multiple subjects, use a Common Expression Language (CEL) expression
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (schema.subject == '' || schema.subject.startsWith('${subject_prefix}'))"
}

​

schema-owner

The Schema Administrator. Grants full administrative control over specified schema subjects, including destructive actions.

• Full Lifecycle Management: Can create, update, and delete schemas and schema versions.
• Destructive Actions: Can delete entire schema subjects, which is an irreversible action.
• Policy Control: Includes all permissions of the schema-manager role, such as managing compatibility policies.

Limitations:

• Scoped to Subject: Permissions are limited to the specified schema subjects.

​

schema-manager

The Schema Manager. Allows for the management of schema evolution and compatibility policies for specified subjects.

• Compatibility Management: Can get and update the schema compatibility policy for a subject (for example, BACKWARD, FORWARD, FULL).
• Schema Evolution: Can test the compatibility of new schema versions.
• Includes Writer Permissions: Can create and update schemas, inheriting permissions from the schema-writer role.

Limitations:

• No Deletion: Cannot delete schemas or entire schema subjects.

​

schema-reader

The Schema Reader. Provides read-only access to view schema definitions for specified subjects.

• Read Schemas: Can fetch schema definitions and all their versions for a given subject.
• Check Compatibility: Can check if a schema is compatible with the latest version for a subject.

Limitations:

• No Modification Rights: Cannot post new schemas, update compatibility settings, or delete any schema information.

​

schema-writer

The Schema Writer. Allows for the creation and updating of schemas for specified subjects.

• Create and Update Schemas: Can post new schema versions for a subject.

Limitations:

• No Policy Management: Cannot change the compatibility mode for the subject.
• No Deletion: Cannot delete schemas or subjects.

​

Kafka Consumer Group

These roles are designed for managing Kafka consumer group resources on StreamNative Cloud, applicable to Kafka-on-Pulsar (KoP) use cases. The roles available at this scope are:

• consumer-group-owner
• consumer-group-reader

Follow the instructions below to create a role binding for a schema subject role.

snctl create rolebinding consumer-group-owner-user1 \
  --clusterrole consumer-group-owner \
  --user user1@example.com \
  --condition-cel  "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.group == '' || kafka.group == '${group_name}')"

snctl create rolebinding consumer-group-owner-user1 \
  --clusterrole consumer-group-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.group == '' || kafka.group.startsWith('${group_name_prefix}'))"

snctl create rolebinding consumer-group-owner-user1 \
  --clusterrole consumer-group-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}')"

snctl create rolebinding consumer-group-owner-user1 \
  --clusterrole consumer-group-owner \
  --user user1@example.com \
  --condition-cel  "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.group == '' || kafka.group == '${group_name}')"

snctl create rolebinding consumer-group-owner-user1 \
  --clusterrole consumer-group-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.group == '' || kafka.group.startsWith('${group_name_prefix}'))"

snctl create rolebinding consumer-group-owner-user1 \
  --clusterrole consumer-group-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}')"

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "consumer_group_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "consumer-group-ownerr-user1"
  cluster_role_name = "consumer-group-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.group == '' || kafka.group == '${group_name}')"
}

#... terraform streamnative basic configuration

resource "streamnative_rolebinding" "consumer_group_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "consumer-group-ownerr-user1"
  cluster_role_name = "consumer-group-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  # To bind to multiple subjects, use a Common Expression Language (CEL) expression
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.group == '' || kafka.group.startsWith('${group_name_prefix}'))"
}

​

consumer-group-owner

The Consumer Group Administrator. Grants full administrative control over specific Kafka consumer groups, including the ability to delete them.

• Delete Group: Can delete a consumer group, which removes its committed offsets.
• Alter Offsets: Can alter committed offsets for any partition.
• View Group: Can describe the consumer group, view its members, and monitor consumer lag.
• Includes Reader Permissions: Inherits all permissions from the consumer-group-reader role.

Limitations:

• Scoped to Group: Permissions are limited to the specified consumer groups.

​

consumer-group-reader

The Consumer Group Reader. Allows for monitoring and performing safe operational tasks on a specific Kafka consumer group.

• Reset Offsets: Can perform the common operational task of resetting consumer offsets to a specific point in time (for example, earliest, latest) to reprocess or skip messages.
• View Group: Can describe the consumer group, view its members, and monitor consumer lag.

Limitations:

• No Deletion: Cannot delete the consumer group.

​

Kafka Transactional

These roles are designed for managing Kafka transactional ID resources on StreamNative Cloud, applicable to Kafka-on-Pulsar (KoP) use cases. The roles available at this scope are:

• transactional-id-owner

Follow the instructions below to create a role binding for a schema subject role.

snctl create rolebinding transactional-id-owner-user1 \
  --clusterrole transactional-id-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.transactional_id == '' || kafka.transactional_id == '${transactional_id}')"

snctl create rolebinding transactional-id-owner-user1 \
  --clusterrole transactional-id-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.transactional_id == '' || kafka.transactional_id.startsWith('${transactional_id_prefix}'))"

snctl create rolebinding transactional-id-owner-user1 \
  --clusterrole transactional-id-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}')"

snctl create rolebinding transactional-id-owner-user1 \
  --clusterrole transactional-id-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.transactional_id == '' || kafka.transactional_id == '${transactional_id}')"

snctl create rolebinding transactional-id-owner-user1 \
  --clusterrole transactional-id-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.transactional_id == '' || kafka.transactional_id.startsWith('${transactional_id_prefix}'))"

snctl create rolebinding transactional-id-owner-user1 \
  --clusterrole transactional-id-owner \
  --user user1@example.com \
  --condition-cel "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}')"

terraform {
  required_providers {
    streamnative = {
      version = "0.10.0"
      source  = "streamnative/streamnative"
    }
  }
}

provider "streamnative" {
  # Please replace path use your own key file path
  key_file_path = "/path/to/your/service/account/key.json"
}

resource "streamnative_rolebinding" "transactional_id_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "transactional-id-owner-user1"
  cluster_role_name = "transactional-id-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.transactional_id == '' || kafka.transactional_id == '${transactional_id}')"
}

#... terraform streamnative basic configuration

resource "streamnative_rolebinding" "transactional_id_admin_role_binding" {
  organization      = "${The ID of your organization}"
  name              = "transactional-id-owner-user1"
  cluster_role_name = "transactional-id-owner"
  # To bind to a service account, use 'service_account_names' instead
  user_names        = ["user1@example.com"]
  # To bind to multiple subjects, use a Common Expression Language (CEL) expression
  condition_cel     = "(srn.instance == '' || srn.instance == '${instance_name}') && (srn.cluster == '' || srn.cluster == '${cluster_id}') && (kafka.transactional_id == '' || kafka.transactional_id.startsWith('${transactional_id_prefix}'))"
}

​

transactional-id-owner

The Transactional ID Administrator. Grants administrative control over specific Kafka transactional IDs, which are persistent identities used for exactly once semantics.

• Describe Transactions: Can view the state of active transactions associated with a given transactional ID.
• Manage ID Lifecycle: Can manage the lifecycle of the transactional ID resource itself. This is an administrative function for platform health, not for application use.