
Role-Based Access Control (RBAC) on StreamNative Cloud

Note

This documentation covers RBAC Version 2. For information about the previous version (RBAC Version 1), see RBAC (V1).

Role-based access control (RBAC) lets you control what level of access users have to your organization's resources, including instances, clusters, tenants, namespaces, topics, schemas, and service accounts. Use RBAC to protect your StreamNative Cloud resources and data by granting principals only the access they need, and by delegating access administration to the appropriate business units and teams in your organization.

Prerequisites

Before using RBAC, make sure you understand the concepts described in the next section.

Concepts

In RBAC, there are a few key concepts:

Principal

A principal is an entity that can be granted access to resources. Principals can be users, service accounts, or identity pools.

Permission

A permission is an action that can be performed on a resource, for example producing to a topic, consuming from a topic, creating a namespace, or deleting a namespace. Permissions are identified by a dotted path of the form path.to.resource.action. For example, cloud.serviceaccount.describe is the permission to describe a service account, which is a cloud resource.

Role

A role is a named collection of permissions. Roles are used to group permissions and can be assigned to principals.

Role binding

A role binding assigns a role to a principal. Role bindings are used to grant permissions to principals.

RBAC Workflow

The RBAC workflow consists of two main parts:

RBAC Management

Users can manage (create, update, or delete) RBAC roles and role bindings using:

Once roles and role bindings are created, the StreamNative Cloud control plane automatically watches them and propagates any changes to the components and resources that enforce them, so that validation always runs against the current settings.

RBAC Validation

Each component in both the control plane and the data plane receives the RBAC settings (roles and role bindings) and uses them to validate requests. For example, when a user attempts to produce to a topic, the request is checked against the RBAC settings; if no role bound to that user grants the required permission, the request is rejected.
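The following is an added example, not StreamNative Cloud's own code or API: a small Python model of the concepts defined above (principal, permission, role, role binding) together with the deny-by-default check a validating component performs. The permission identifier cloud.serviceaccount.describe is the page's own example; the pulsar.* identifiers, the role and principal names, and the character rules in the regex are assumptions made only to exercise the model.

```python
import re
from dataclasses import dataclass

# Permission identifiers use the page's path.to.resource.action shape, for
# example "cloud.serviceaccount.describe". This regex (lowercase dotted
# segments) is this example's own assumption, not a StreamNative rule.
PERMISSION_RE = re.compile(r"^[a-z0-9]+(?:\.[a-z0-9]+)+$")


def parse_permission(permission: str) -> tuple[str, str]:
    """Split "path.to.resource.action" into (resource path, action)."""
    if not PERMISSION_RE.match(permission):
        raise ValueError(f"malformed permission: {permission!r}")
    path, _, action = permission.rpartition(".")
    return path, action


@dataclass(frozen=True)
class Principal:
    kind: str  # "user", "service-account" or "identity-pool"
    name: str


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # permission strings, validated on construction

    def __post_init__(self):
        for p in self.permissions:
            parse_permission(p)


@dataclass(frozen=True)
class RoleBinding:
    role: str  # name of an existing Role
    principal: Principal


class RbacSettings:
    """Roles and bindings as a validating component would receive them."""

    def __init__(self, roles, bindings):
        self.roles = {r.name: r for r in roles}
        self.bindings = list(bindings)
        # A binding to an unknown role is a configuration error, not a grant.
        for b in self.bindings:
            if b.role not in self.roles:
                raise ValueError(f"binding references unknown role {b.role!r}")

    def permissions_for(self, principal: Principal) -> frozenset:
        """Union of the permissions of every role bound to the principal."""
        granted = set()
        for b in self.bindings:
            if b.principal == principal:
                granted |= self.roles[b.role].permissions
        return frozenset(granted)

    def is_allowed(self, principal: Principal, permission: str) -> bool:
        """Deny by default: allowed only if some bound role grants it."""
        parse_permission(permission)  # reject malformed requests outright
        return permission in self.permissions_for(principal)


# Constructed sample data. "cloud.serviceaccount.describe" is the page's own
# example; the "pulsar.*" identifiers and the role/principal names are
# hypothetical placeholders used only to exercise the model.
ROLES = [
    Role("sa-viewer", frozenset({"cloud.serviceaccount.describe"})),
    Role("topic-producer", frozenset({"pulsar.topic.produce"})),
    Role("topic-consumer", frozenset({"pulsar.topic.consume"})),
]
ALICE = Principal("user", "alice")
INGEST = Principal("service-account", "ingest")
BINDINGS = [
    RoleBinding("sa-viewer", ALICE),
    RoleBinding("topic-consumer", ALICE),
    RoleBinding("topic-producer", INGEST),
]
SETTINGS = RbacSettings(ROLES, BINDINGS)


def check(principal: Principal, permission: str) -> str:
    """What a data-plane component would decide for one request."""
    verdict = "allow" if SETTINGS.is_allowed(principal, permission) else "deny"
    return f"{verdict} {principal.kind}:{principal.name} {permission}"


if __name__ == "__main__":
    for p, perm in [
        (ALICE, "cloud.serviceaccount.describe"),
        (ALICE, "pulsar.topic.produce"),
        (INGEST, "pulsar.topic.produce"),
        (Principal("user", "mallory"), "pulsar.topic.consume"),
    ]:
        print(check(p, perm))
```

Two choices in the model are worth carrying into any real policy review: a principal with no binding gets nothing (there is no implicit grant), and a binding that names a role which does not exist is treated as a configuration error rather than silently ignored, because a silently dropped binding is indistinguishable from a deliberate denial when you later debug why a client was rejected.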
