A quick tip for how to give a developer access to the IBM Event Streams UI only for the Kafka topics used by their application, and not everything else.
Imagine I'm a Kafka cluster admin. I'm running a cluster with a variety of topics on it.
Only viewing their own topics
One of my developers is responsible for the flight tracking app, and wants to use the Event Streams UI. But I don't want them to be able to access the other sensitive topics for other applications.
I can create a separate UI login for them, one that only lets them see their own topics.
The permissions I want to give them are:
```yaml
- operation: Read
  resource:
    name: FLIGHT.
    patternType: prefix
    type: topic
```
(Remember, managing my Kafka cluster through Kubernetes resources is a good fit with a CI/CD workflow.)
In the context of a user definition, that looks like:
```yaml
apiVersion: eventstreams.ibm.com/v1beta2
kind: KafkaUser
metadata:
  labels:
    eventstreams.ibm.com/cluster: es
  name: flight-topics
spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - operation: Read
        resource:
          name: FLIGHT.
          patternType: prefix
          type: topic
      - operation: Read
        resource:
          name: '*'
          patternType: literal
          type: group
      - operation: Read
        resource:
          name: __schema_
          patternType: prefix
          type: topic
    type: simple
```
(I've also given them access to view schemas and to see the consumer applications.)
When they log in with their flight-topics username and password, they only see the topics whose names start with FLIGHT.
They can click into their topics to see the events:
Creating and viewing their own topics
I can do the same for the developer of the stock prices app. But that developer needs a bit more flexibility.
I still want them to see only the topics relating to their application (names that start with STOCK.PRICES.), but I want them to be able to create new topics with that prefix without needing to come and ask me to do it for them.
So I give them an extra Create permission:
```yaml
- operation: Create
  resource:
    name: STOCK.PRICES.
    patternType: prefix
    type: topic
- operation: Read
  resource:
    name: STOCK.PRICES.
    patternType: prefix
    type: topic
```
In the context of a whole user specification, that looks like:
```yaml
apiVersion: eventstreams.ibm.com/v1beta2
kind: KafkaUser
metadata:
  labels:
    eventstreams.ibm.com/cluster: es
  name: stock-price-topics
spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - operation: Create
        resource:
          name: STOCK.PRICES.
          patternType: prefix
          type: topic
      - operation: Read
        resource:
          name: STOCK.PRICES.
          patternType: prefix
          type: topic
      - operation: Read
        resource:
          name: '*'
          patternType: literal
          type: group
      - operation: Read
        resource:
          name: __schema_
          patternType: prefix
          type: topic
    type: simple
```
When they log in with their stock-price-topics username and password, they can access the topics whose names start with STOCK.PRICES.
And they get the button for creating a new topic.
Importantly, they will only be allowed to create new topics with names starting with STOCK.PRICES., because their Create permission covers only that prefix.
If they try to create a topic with a name that doesn't match that prefix, the request will fail.
Deleting their own topics
If I really want to give the stock price app developer control over these topics, I could also let them delete their own topics by adding another permission:
```yaml
- operation: Delete
  resource:
    name: STOCK.PRICES.
    patternType: prefix
    type: topic
```
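To make the effect of the prefix and literal patterns in the two developer users above concrete, here is a small model of how Kafka's ACL authorizer evaluates them. This is an added example, not code from the post or from IBM Event Streams; the ACL lists are transcribed from the flight-topics and stock-price-topics resources, the topic names are made up, and the Describe-implied-by-Read rule is Kafka's standard behaviour (it is why a Read-only user can still list their topics, while the literal '*' group ACL lets them see every consumer group).

```python
"""Model of Kafka's ACL matching for the KafkaUser ACLs in this post (added example)."""
from dataclasses import dataclass

# Kafka grants Describe implicitly to a principal holding any of these operations,
# so a user with only Read can still list and inspect the matching topics.
IMPLIED_BY = {"Describe": {"Read", "Write", "Delete", "Alter"},
              "DescribeConfigs": {"AlterConfigs"}}


@dataclass(frozen=True)
class Acl:
    operation: str      # e.g. "Read", "Create", "Delete"
    resource_type: str  # "topic", "group", "transactionalId"
    name: str           # resource name, prefix, or the literal wildcard "*"
    pattern_type: str   # "literal" or "prefix"

    def matches(self, operation: str, resource_type: str, resource_name: str) -> bool:
        if self.resource_type != resource_type:
            return False
        if self.operation != operation and self.operation not in IMPLIED_BY.get(operation, set()):
            return False
        if self.pattern_type == "literal":
            return self.name == "*" or self.name == resource_name
        if self.pattern_type == "prefix":
            return resource_name.startswith(self.name)
        raise ValueError(f"unknown patternType {self.pattern_type!r}")


def is_allowed(acls: list, operation: str, resource_type: str, resource_name: str) -> bool:
    """Kafka denies by default: the request succeeds only if some ACL allows it."""
    return any(acl.matches(operation, resource_type, resource_name) for acl in acls)


# Transcribed from the flight-topics and stock-price-topics KafkaUser resources above.
COMMON = [Acl("Read", "group", "*", "literal"), Acl("Read", "topic", "__schema_", "prefix")]
FLIGHT_USER = [Acl("Read", "topic", "FLIGHT.", "prefix")] + COMMON
STOCK_USER = [Acl("Create", "topic", "STOCK.PRICES.", "prefix"),
              Acl("Read", "topic", "STOCK.PRICES.", "prefix")] + COMMON

if __name__ == "__main__":
    # Constructed topic names: one per prefix, one that merely contains the prefix.
    for user, acls in (("flight-topics", FLIGHT_USER), ("stock-price-topics", STOCK_USER)):
        for op, topic in (("Read", "FLIGHT.LANDINGS"), ("Create", "STOCK.PRICES.NYSE"),
                          ("Create", "PAYMENTS.STOCK.PRICES."), ("Delete", "STOCK.PRICES.NYSE")):
            verdict = "allow" if is_allowed(acls, op, "topic", topic) else "deny"
            print(f"{user:20} {op:7} {topic:24} {verdict}")
```

Adding the Delete ACL from the section above to STOCK_USER flips only the Delete verdict for STOCK.PRICES.* topics; Describe on those topics was already granted through Read.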
Enabling all of this
To do this, you need to switch the Event Streams UI to using SCRAM credentials as its authentication mechanism. In your EventStreams instance, you add:
```yaml
spec:
  adminUI:
    authentication:
      - type: scram-sha-512
```
If you do that, the login page changes to look like this:
Then I just need to give myself an admin user that can see everything:
```yaml
apiVersion: eventstreams.ibm.com/v1beta2
kind: KafkaUser
metadata:
  labels:
    eventstreams.ibm.com/cluster: es
  name: admin
spec:
  authentication:
    type: scram-sha-512
  authorization:
    acls:
      - operation: Delete
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: Write
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: Read
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: Create
        resource:
          name: '*'
          patternType: literal
          type: topic
      - operation: Read
        resource:
          name: '*'
          patternType: literal
          type: group
      - operation: Read
        resource:
          name: __schema_
          patternType: prefix
          type: topic
      - operation: Alter
        resource:
          name: __schema_
          patternType: prefix
          type: topic
      - operation: Write
        resource:
          name: '*'
          patternType: literal
          type: transactionalId
    type: simple
```