Access Control for Confluent Manager for Apache Flink
Confluent Manager for Apache Flink® models its access control around two central resources to which different types of users have access.
- FlinkApplication: This defines your Flink application, which starts the Flink Cluster in Application mode. Depending on their assigned role, developers have access to their Flink environment to create, update, and view Flink applications.
- FlinkEnvironment: The environment contains where and how to deploy the application, such as the Kubernetes namespace or central configurations that cannot be overridden. You can use Flink environments to separate the privileges of different teams or organizations. System administrators are responsible for managing the Flink environments and provisioning them correctly.
Understand user roles for Flink resources
You grant a user access to CMF resources by binding a role to that user.
The following table shows the roles and the operations each role is allowed to perform on CMF resources.
Role Name | Role Scope | View FlinkEnvironment | Create new FlinkEnvironment | Update FlinkEnvironment | Create/Update FlinkApplication in FlinkEnvironment | View FlinkApplication and access the Flink Web UI in FlinkEnvironment | Add new role-bindings |
---|---|---|---|---|---|---|---|
super.user | Cluster-level | Yes | Yes | Yes | Yes | Yes | Yes |
SystemAdmin | Cluster-level | Yes | Yes | Yes | Yes | Yes | Yes |
ClusterAdmin | Cluster-level | Yes | Yes | Yes | Yes | Yes | No |
UserAdmin | Cluster-level | No | No | No | No | No | Yes |
ResourceOwner | Resource-level | No | No | No | Yes | Yes | Yes |
DeveloperRead | Resource-level | Yes | No | No | No | Yes | No |
DeveloperManage | Resource-level | Yes | No | No | Yes | Yes | No |
- Role Scope has the following meanings:
- Cluster-level: The role has access to all resources in CMF.
- Resource-level: The role has access to specific (by exact name or name prefix) resources in CMF.
For Cluster-level roles: when you define the role binding without a FlinkEnvironment name, the user has access to all environments, but not to the FlinkApplication resources inside those environments. If you want to grant a Cluster-level role access to the FlinkApplication resources in a FlinkEnvironment, you need to create a role binding for each FlinkEnvironment. This means that when you create a new FlinkEnvironment, you also have to create new role bindings for it.
Resource-level roles can only create a resource if the name (or name prefix) of the resource they want to create has been specified in the role binding beforehand.
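The scoping rules above (Cluster-level bindings with and without an environment, Resource-level bindings limited to named or prefixed FlinkApplications) are easy to get wrong when reviewing who can reach what. The following is an added example, not CMF or Confluent CLI code: a small policy model that transcribes the role table and answers "is this principal allowed to do this operation on this target?" so you can check a set of bindings before applying them. The `Binding` class, operation names and sample bindings are this example's own assumptions; role-binding administration (the last column of the table) is left out of the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ENV_OPS = {"view_env", "create_env", "update_env"}
APP_OPS = {"manage_app", "view_app"}

# Role -> (scope, permitted operations), transcribed from the role table above.
ROLES = {
    "super.user":      ("cluster",  ENV_OPS | APP_OPS),
    "SystemAdmin":     ("cluster",  ENV_OPS | APP_OPS),
    "ClusterAdmin":    ("cluster",  ENV_OPS | APP_OPS),
    "UserAdmin":       ("cluster",  set()),            # role-binding admin only
    "ResourceOwner":   ("resource", APP_OPS),
    "DeveloperRead":   ("resource", {"view_env", "view_app"}),
    "DeveloperManage": ("resource", {"view_env"} | APP_OPS),
}

@dataclass
class Binding:                      # constructed representation of one role binding
    principal: str
    role: str
    environment: Optional[str] = None   # --flinkEnvironment, if given
    apps: Tuple[str, ...] = ()          # FlinkApplication names, or prefixes ending in '*'

def _app_matches(patterns, app):
    # Resource-level bindings name applications by exact name or by name prefix.
    return any(p == app or (p.endswith("*") and app.startswith(p[:-1])) for p in patterns)

def is_allowed(bindings, principal, op, environment, app=None):
    """True if any binding of `principal` permits `op` on the given environment/application."""
    for b in bindings:
        if b.principal != principal or b.role not in ROLES:
            continue
        scope, permitted = ROLES[b.role]
        if op not in permitted:
            continue
        if scope == "cluster":
            # No environment in the binding: every environment, but none of the
            # FlinkApplications inside them. With an environment: that environment
            # and its applications (the per-environment binding the text calls for).
            if b.environment is None and op in ENV_OPS:
                return True
            if b.environment == environment:
                return True
        elif b.environment == environment:
            # Resource-level: one environment, and for application operations only
            # the applications whose name or prefix was listed in the binding.
            if op in ENV_OPS or (app is not None and _app_matches(b.apps, app)):
                return True
    return False

# Constructed sample bindings (not from a real deployment).
BINDINGS = [
    Binding("alice", "ClusterAdmin"),                         # no environment given
    Binding("alice", "ClusterAdmin", environment="prod"),     # per-environment binding
    Binding("bob", "DeveloperManage", environment="dev", apps=("billing-*",)),
]
```

Running `is_allowed(BINDINGS, "alice", "manage_app", "dev", "billing-batch")` returns False while the same call for environment `prod` returns True, which is exactly the per-environment binding requirement the text describes.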
The following roles do not have access to the CMF resources:
- SecurityAdmin
- AuditAdmin
- Operator
- DeveloperWrite
Cluster identifiers
To create role bindings, you need the cluster identifiers for the components in your CMF deployment. For CMF, you use the following cluster identifiers:
- cmf: Always set to the CMF-id, which is the identifier for the CMF cluster. Currently, changing this ID is not supported; it is a hardcoded value.
- flinkEnvironment: Your environment name.
Important: Currently, only a single instance of CMF is supported per MDS installation.
The following example command shows how to create a role binding with the identifiers for your cluster. It binds the DeveloperRead role to a user for one FlinkApplication in one FlinkEnvironment.
Example:
```shell
confluent iam rbac role-binding create \
  --principal User:<user> \
  --role DeveloperRead \
  --cmf CMF-id \
  --flinkEnvironment <flink-environment-name> \
  --resource FlinkApplication:<flink-application-name>
```