Use Pulsar ACLs with RBAC on StreamNative Cloud

Note

This documentation covers RBAC Version 2. For information about the previous version (RBAC Version 1), see RBAC (V1).

You can use RBAC role bindings together with Pulsar ACLs to control access to Pulsar resources. Principals (users and service accounts) can be granted ACLs, RBAC role bindings, or both. The system considers all granted permissions when determining whether a principal can perform a specific action.

When RBAC is enabled, the following changes apply:

  • Users no longer have implicit Super Admin (Super User) access to Pulsar clusters. They only have permissions that are explicitly granted.
  • You can grant granular permissions to resources by applying ACLs or RBAC role bindings to principals.
  • Both ACLs and RBAC role bindings can be used with users and service accounts to grant fine-grained access to resources.

ACLs vs RBAC

The following table summarizes which principals can be granted each type of access control:

| Principal Type | ACLs | RBAC Role Bindings |
| --- | --- | --- |
| User | Yes | Yes |
| Service Account | Yes | Yes |
| Identity Pool | No | Yes |

ACLs + RBAC Role Bindings

When used together, ACLs and RBAC role bindings are combined using a logical AND operation:

  • ACLs evaluate whether a principal has permission to perform a specific action
  • RBAC role bindings evaluate whether a principal has a role that grants permission for an action

For example, if a user has:

  • An ACL that allows them to produce to a topic
  • An RBAC role binding that allows them to consume from that topic

Then that user will be able to both produce to and consume from the topic, since they have both permissions explicitly granted through the different mechanisms.
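
The evaluation described above, modelled as an added example (this is not StreamNative's code or API). It follows the worked example in counting every explicit grant from either mechanism, applies the principal-type table, and grants nothing implicitly. The role names, action names, principals and topic are constructed for illustration.

```python
# Added illustration of the access model on this page; not StreamNative code.
# Role names, actions, principals and the topic are hypothetical.
from dataclasses import dataclass, field

# Which principal types may hold each grant type (from the table on this page).
ACL_ALLOWED = {"user", "service_account"}
RBAC_ALLOWED = {"user", "service_account", "identity_pool"}
# Hypothetical roles mapped to the actions they grant.
ROLES = {"topic-consumer": {"consume"}, "topic-producer": {"produce"}}
TOPIC = "persistent://public/default/orders"  # constructed sample topic


@dataclass
class Principal:
    name: str
    kind: str  # "user", "service_account" or "identity_pool"
    acls: dict = field(default_factory=dict)      # topic -> set of actions
    bindings: dict = field(default_factory=dict)  # topic -> set of role names


def validate(p):
    """List grants that the table says this principal type cannot hold."""
    problems = []
    if p.acls and p.kind not in ACL_ALLOWED:
        problems.append(f"{p.name}: ACLs cannot be granted to {p.kind}")
    if p.bindings and p.kind not in RBAC_ALLOWED:
        problems.append(f"{p.name}: role bindings cannot be granted to {p.kind}")
    return problems


def effective_actions(p, topic):
    """Every explicit grant counts; with no grant the result is empty (deny)."""
    actions = set()
    if p.kind in ACL_ALLOWED:
        actions |= p.acls.get(topic, set())
    if p.kind in RBAC_ALLOWED:
        for role in p.bindings.get(topic, set()):
            actions |= ROLES.get(role, set())
    return actions


def is_allowed(p, topic, action):
    return action in effective_actions(p, topic)


# Constructed principals: the page's example user, a user with no grants,
# and an identity pool that was wrongly given an ACL.
alice = Principal("alice", "user", {TOPIC: {"produce"}}, {TOPIC: {"topic-consumer"}})
bob = Principal("bob", "user")
pool = Principal("ci-pool", "identity_pool", {TOPIC: {"produce"}}, {TOPIC: {"topic-consumer"}})
```
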
