ksqlDB Cluster Authentication and Authorization Auditable Event Methods on Confluent Cloud¶
Confluent Cloud audit logs contain records of auditable events for authentication and authorization actions on ksqlDB clusters. When an auditable event occurs, a message is sent to the audit log and is stored as an audit log record.
Note
When group mapping is enabled, additional properties are included in authenticationInfo (identity) and in authorizationInfo (assignedPrincipals and actingPrincipal).
Authentication Auditable Event Methods¶
Included here are the actions or operations for authentication to a ksqlDB
cluster resource that generate auditable event messages for the
io.confluent.ksql.server/authentication
event type.
Method name | Action triggering an auditable event message |
---|---|
ksql.Authenticate | A request for authentication to a ksqlDB cluster. |
Examples¶
ksql.Authenticate¶
The ksql.Authenticate
event method is triggered by a request for authentication
to a ksqlDB cluster.
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "ksql.Authenticate",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-kk1ndv"
},
{
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-9g7o8y"
}
]
},
"resource": {
"type": "KSQL",
"resourceId": "ksqlDB_cluster_0"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "u-8k9y9q"
}
},
"result": "SUCCESS",
"credentials": {
"idTokenCredentials": {
"type": "JWT",
"issuer": "Confluent",
"subject": "2927000"
},
"mechanism": "HTTP_BEARER"
}
},
"requestMetadata": {
"requestId": [
"47f7dcf4-9326-11ed-b79b-8de1d6035cf7"
]
},
"resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
},
"subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
"specversion": "1.0",
"id": "310be38c-17a4-43bb-912c-3b6fd1aa43f2",
"source": "crn://confluent.cloud/",
"time": "2023-01-13T09:40:14.383Z",
"type": "io.confluent.ksql.server/authentication"
}
Authorization Auditable Event Methods¶
Included here are the actions or operations on authorization of a ksqlDB
cluster resource that generate auditable event messages for the
io.confluent.ksql.server/authorization
event type.
Method name | Action triggering an auditable event message |
---|---|
ksql.Authorize | A request for authorization on a ksqlDB cluster. |
Examples¶
ksql.Authorize¶
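The ksql.Authorize event method is triggered by a request for authorization on a ksqlDB cluster. In the examples below, the authorization outcome is recorded in authorizationInfo.result (ALLOW or DENY); authenticationInfo.result is SUCCESS in every example, including the denied one, and the denied record carries no rbacAuthorization block.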
SUCCESS
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "ksql.Authorize",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-kk1ndv"
},
{
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-9g7o8y"
}
]
},
"resource": {
"type": "KSQL",
"resourceId": "ksqlDB_cluster_0"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "u-8k9y9q"
}
},
"result": "SUCCESS"
},
"authorizationInfo": {
"result": "ALLOW",
"operation": "Contribute",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"cloudScope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
}
]
},
"resourceType": "KsqlCluster",
"patternType": "LITERAL",
"patternName": "*",
"operation": "All"
},
"resourceName": "ksqlDB_cluster_0",
"resourceType": "KsqlCluster"
},
"requestMetadata": {
"requestId": [
"94554576-9326-11ed-b79b-8de1d6035cf7"
]
},
"request": {
"accessType": "READ_ONLY"
},
"resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
},
"subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
"specversion": "1.0",
"id": "218a08c0-267e-46b4-84ed-344071bcd12e",
"source": "crn://confluent.cloud/",
"time": "2023-01-13T09:42:22.515Z",
"type": "io.confluent.ksql.server/authorization"
}
SUCCESS (group mapping enabled)
{
"datacontenttype":"application/json",
"data":{
"serviceName":"crn://confluent.cloud/",
"methodName":"ksql.Authorize",
"cloudResources":[
{
"scope":{
"resources":[
{
"type":"ORGANIZATION",
"resourceId":"3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
},
{
"type":"ENVIRONMENT",
"resourceId":"env-kk1ndv"
},
{
"type":"CLOUD_CLUSTER",
"resourceId":"lkc-9g7o8y"
}
]
},
"resource":{
"type":"KSQL",
"resourceId":"ksqlDB_cluster_0"
}
}
],
"authenticationInfo":{
"principal":{
"confluentUser":{
"resourceId":"u-8k9y9q"
}
},
"result":"SUCCESS",
"identity":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/sso-connection=aupm-connection/identity=user@confluent.io"
},
"authorizationInfo":{
"result":"ALLOW",
"operation":"Contribute",
"rbacAuthorization":{
"role":"OrganizationAdmin",
"cloudScope":{
"resources":[
{
"type":"ORGANIZATION",
"resourceId":"3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
}
]
},
"resourceType":"KsqlCluster",
"patternType":"LITERAL",
"patternName":"*",
"operation":"All",
"actingPrincipal":"User:u-123"
},
"resourceName":"ksqlDB_cluster_0",
"resourceType":"KsqlCluster",
"assignedPrincipals":[
"u-123",
"group-123"
]
},
"requestMetadata":{
"requestId":[
"94554576-9326-11ed-b79b-8de1d6035cf7"
]
},
"request":{
"accessType":"READ_ONLY"
},
"resourceName":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0"
},
"subject":"crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_0",
"specversion":"1.0",
"id":"218a08c0-267e-46b4-84ed-344071bcd12e",
"source":"crn://confluent.cloud/",
"time":"2023-01-13T09:42:22.515Z",
"type":"io.confluent.ksql.server/authorization"
}
FAILURE - Denied access based on authorization permissions
{
"datacontenttype": "application/json",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "ksql.Authorize",
"cloudResources": [
{
"scope": {
"resources": [
{
"type": "ORGANIZATION",
"resourceId": "3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09"
},
{
"type": "ENVIRONMENT",
"resourceId": "env-kk1ndv"
},
{
"type": "CLOUD_CLUSTER",
"resourceId": "lkc-9g7o8y"
}
]
},
"resource": {
"type": "KSQL",
"resourceId": "ksqlDB_cluster_1"
}
}
],
"authenticationInfo": {
"principal": {
"confluentUser": {
"resourceId": "u-znvyny"
}
},
"result": "SUCCESS"
},
"authorizationInfo": {
"result": "DENY",
"operation": "Contribute",
"resourceName": "ksqlDB_cluster_1",
"resourceType": "KsqlCluster"
},
"requestMetadata": {
"requestId": [
"08e66344-9680-11ed-a1d4-e30e47852d27"
]
},
"request": {
"accessType": "READ_ONLY"
},
"resourceName": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_1"
},
"subject": "crn://confluent.cloud/organization=3f4146f5-7635-4cd7-8c4c-87f5b9cb9e09/environment=env-kk1ndv/cloud-cluster=lkc-9g7o8y/ksql=ksqlDB_cluster_1",
"specversion": "1.0",
"id": "7a3a7d7a-7194-4895-b8be-9951380aac47",
"source": "crn://confluent.cloud/",
"time": "2023-01-17T16:00:16.771Z",
"type": "io.confluent.ksql.server/authorization"
}