
Manage Roles on StreamNative Cloud

Note

This documentation covers RBAC Version 2. For information about the previous version (RBAC Version 1), see RBAC (V1).

Roles

Roles are the building blocks of RBAC. They are used to group permissions that can be assigned to principals. There are two types of roles in RBAC:

  • Predefined Roles: Built-in roles with predefined permissions that are available to all organizations. These roles are managed by StreamNative and are immutable. They are available as ClusterRole.cloud.streamnative.io resources in the Cloud API.
  • Custom Roles: Organization-scoped roles designed to meet your organization's specific needs. They are available as Role.cloud.streamnative.io resources in the Cloud API. However, custom roles are currently not exposed to end-users for creation and management.

Predefined roles meet most use cases and can be used to manage your organization's resources. If you are interested in using custom roles, you can join our Early Access Program. We welcome the opportunity to evaluate your use cases and improve the feature based on your feedback.

Predefined Roles

Predefined roles are available to all organizations. They are defined as ClusterRole resources in the Cloud API; the schema is as follows:

apiVersion: cloud.streamnative.io/v1alpha1
kind: ClusterRole
metadata:
  name: <name>
spec:
  permissions:
    - cloud.serviceaccounts.describe
    - pulsar.namespaces.describe
    - ... # the list of permissions

You can use snctl to list and get predefined roles.

  • Get list of predefined roles: snctl get clusterroles
  • Get details of a predefined role: snctl get clusterrole <name> -o yaml

Custom Roles

Custom roles are organization-scoped roles that are designed to meet the specific needs of your organization. They are defined as Role resources in the Cloud API; the schema is as follows:

apiVersion: cloud.streamnative.io/v1alpha1
kind: Role
metadata:
  name: <name>
  namespace: <organization-id>
spec:
  permissions:
    - cloud.serviceaccounts.describe
    - pulsar.namespaces.describe
    - ... # the list of permissions

You can use snctl to list and get custom roles.

  • Get list of custom roles: snctl get roles -n <organization-id>
  • Get details of a custom role: snctl get role <name> -n <organization-id> -o yaml

Available Predefined Roles

The following predefined roles are available in RBAC (Version 2). You can use snctl get clusterroles to list all predefined roles at any time.

MetricsViewer

A metrics-viewer role provides read-only access to all the metrics data for your organization.

Below is a definition of the metrics-viewer role:

apiVersion: cloud.streamnative.io/v1alpha1
kind: ClusterRole
metadata:
  name: metrics-viewer
spec:
  permissions:
    - cloudMetrics.pulsar.query
    - cloudMetrics.pulsar.export
    - cloudMetrics.function.export
    - cloudMetrics.source.export
    - cloudMetrics.sink.export
    - cloudMetrics.kafkaConnect.export
    - cloudMetrics.health.export
    - cloudMetrics.billing.query
    - cloudMetrics.subscriptionStripe.query
    - cloudMetrics.usageStrip.query
    - cloudMetrics.consumptionStripe.query
    - cloudMetrics.consumptionSuger.query
    - cloudMetrics.costStripe.query
    - cloudMetrics.costSuger.query
    - cloudMetrics.termSuger.query

This role provides the following permissions:

  Permission                              Protocol  Verb  Path
  cloudMetrics.pulsar.query               HTTPS     GET   /cloud/metrics/query
  cloudMetrics.pulsar.export              HTTPS     GET   /cloud/metrics/export
  cloudMetrics.function.export            HTTPS     GET   /v1/cloud/metrics/function/export
  cloudMetrics.source.export              HTTPS     GET   /v1/cloud/metrics/source/export
  cloudMetrics.sink.export                HTTPS     GET   /v1/cloud/metrics/sink/export
  cloudMetrics.kafkaConnect.export        HTTPS     GET   /v1/cloud/metrics/kafkaconnect/export
  cloudMetrics.health.export              HTTPS     GET   /v1/cloud/metrics/health/export
  cloudMetrics.billing.query              HTTPS     GET   /cloud/metrics/billing
  cloudMetrics.subscriptionStripe.query   HTTPS     GET   /cloud/subscription/stripe
  cloudMetrics.usageStrip.query           HTTPS     GET   /cloud/usage/stripe
  cloudMetrics.consumptionStripe.query    HTTPS     GET   /cloud/consumption/stripe
  cloudMetrics.consumptionSuger.query     HTTPS     GET   /cloud/consumption/suger
  cloudMetrics.costStripe.query           HTTPS     GET   /cloud/cost/stripe
  cloudMetrics.costSuger.query            HTTPS     GET   /cloud/cost/suger
  cloudMetrics.termSuger.query            HTTPS     GET   /cloud/terms/suger
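As an added example (not part of the StreamNative documentation or of snctl), the following Python script parses a role definition in the schema shown above, as printed by snctl get clusterrole <name> -o yaml, and checks each permission against the table: anything resolving to an HTTPS GET is read-only, any other verb or any permission the table does not list is flagged for review before the role is bound to a principal. The endpoint map is a subset of the table above and the sample role is constructed.

```python
"""Least-privilege audit of a StreamNative Cloud ClusterRole/Role definition.

Added example, not from the StreamNative docs or snctl. Parses the YAML shape shown
on this page (what `snctl get clusterrole <name> -o yaml` prints), resolves each
permission against the page's table and flags non-GET or unlisted permissions."""

# Permission -> (protocol, verb, path); a subset of the metrics-viewer table above.
ENDPOINTS: dict[str, tuple[str, str, str]] = {
    "cloudMetrics.pulsar.query": ("HTTPS", "GET", "/cloud/metrics/query"),
    "cloudMetrics.billing.query": ("HTTPS", "GET", "/cloud/metrics/billing"),
}

def parse_permissions(role_yaml: str) -> list[str]:
    """Return spec.permissions from the page's role schema (minimal, no PyYAML)."""
    perms: list[str] = []
    in_perms = False
    for raw in role_yaml.splitlines():
        text = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not text:
            continue
        if in_perms and text.startswith("- "):
            perms.append(text[2:].strip())
            continue
        in_perms = text == "permissions:"        # any other key ends the list
    return perms

def audit(role_yaml: str) -> dict[str, list[str]]:
    """Bucket permissions: read_only (GET), write (other verb), unknown (unlisted)."""
    report: dict[str, list[str]] = {"read_only": [], "write": [], "unknown": []}
    for perm in parse_permissions(role_yaml):
        ep = ENDPOINTS.get(perm)
        if ep is None:
            report["unknown"].append(perm)       # review by hand before binding
        else:
            bucket = "read_only" if ep[1] == "GET" else "write"
            report[bucket].append(f"{perm} -> {ep[0]} {ep[1]} {ep[2]}")
    return report

# Constructed sample: two metrics-viewer permissions plus one the table does not list.
SAMPLE_ROLE = """apiVersion: cloud.streamnative.io/v1alpha1
kind: ClusterRole
metadata:
  name: metrics-viewer
spec:
  permissions:
    - cloudMetrics.pulsar.query
    - cloudMetrics.billing.query
    - pulsar.namespaces.describe  # not a metrics endpoint -> flagged as unknown
"""
```

Feed it the real output of snctl get clusterrole metrics-viewer -o yaml and extend ENDPOINTS with the full table to confirm that every granted permission is a GET before relying on the role's read-only claim.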